Cybersecurity Training Isn’t The Complete Solution

Uploaded on 2017-11-16 in NEWS-Cybersecurity News, JOBS-Training, FREE TO VIEW, TECHNOLOGY--Resilience

Cyber security training firms continue to stress the importance of educating employees in order to minimise the risk of cyber threats.

‘Staff’, they argue, ‘are both your company’s greatest asset and your biggest potential security risk’. And as employees are the weakest link in the security chain, they must be well trained and educated.  
 
It is true that employees are a huge security weakness: 46% of IT security incidents are caused by employees each year globally and 55% of companies surveyed by Experian Data Breach Resolution said they ‘experienced one or more security incidents where the catalysing event was a negligent or malicious employee’. 

Educating employees, however, is not necessarily the complete answer. As cyber security threats continue to evolve and grow at an increasing pace, employees and training are no longer able to keep up.  

Even Bruce Schneier, the very cyber security expert that popularised the Golden Triangle concept of ‘people, process and technology’, now plays down the importance of education in cyber security in comparison with technology and automation. He now states that ‘People and process work on human timescales, not computer timescales’.
   
To keep up with the pace of cyber threats we should ditch the emphasis on people and process, which are far too slow, and focus on the power of technology.

The only way to manage a technological threat that is growing faster than humans can react to it, is to look to technology itself for solutions.  

Thus for the below reasons, employee education is no longer the way CIOs and other executives should go to in order to keep their companies safe:

1. Cyber threats are evolving too rapidly for mass education of employees to be successful    

With each passing year the technology of cyber-attacks evolves and the speed of this evolution seems to continue accelerating. In the last 12 years alone there have been a 10,000 fold, increase, in the number of new digital threats.  

The hacking profession has moved from annoying viruses and spam created by hackers to show off their computing muscle and gain two minutes of cyber fame, to sophisticated organised hacking networks which gain serious money from cyber-crime.

As Symantec’s 2017 security report summarised, ‘New sophistication and innovation’ have meant ‘seismic shifts in the focus of attacks’. The sophistication of hacking has now evolved to the degree that even the strongest nation states and corporations are fair prey for hackers.  

This timeline demonstrates exactly how these attacks have matured over time and now pose serious financial and reputational consequences to businesses. What started off as basic viruses and worms are now highly sophisticated key and certificate-based attacks which can prise open even the most advanced security systems. 

More worryingly, as businesses, governments and individuals continue to connect more and more things to the Internet, the opportunities for attackers grow ever greater. Eventually, as the internet of things (IoT) hooks up more or less everything to the Internet, so too will more or less everything be fair game for hackers. 

What’s more, cyber security experts only expect the frequency of these attacks to continue to grow. In 2016, Symantec identified some 100 new malware families in 2016 - more than triple the year before.  

Cyber criminals are also suspected to already be manipulating developing technologies such as data on trading platforms where new financial instruments - such as cryptocurrencies - are traded.
 
Including digital infrastructure and cryptocurrencies along with the IoT, there are now three new, rapidly growing sectors that could be vulnerable to hacking.

And while hackers are already working on compromising these areas, most employees are unlikely to even understand the basic concepts of these developing technologies, let alone know how to use them responsibly, demonstrating the true severity of the task of educating employees on cyber security.

2. The cyber security problem is too broad for employees to be provided a complete education  

We have now connected all but every aspect of our lives to the internet meaning the security threat is broader than ever. Business structures and operations have also become more complex, leaving more areas vulnerable to cyber threats. Educating employees on all these areas is very much unfeasible.    

When cyber security training meant teaching employees to change their password regularly and not to open suspicious attachments, the case of educating on cyber security was far simpler.  

Now, however, cyber security training means having to educate employees on how to create passwords; manage file storage and exchange; know which websites and emails are safe; how to download files; which products you should use; how to avoid social engineering and phishing attacks, etc., just to name a few.

As Deloitte summarises in a 2016 risk report, the cyber security concern is not just frequency, but ‘The fact that today’s cyber security efforts require guarding against a broader range of challenges.’ These challenges include ‘new and emerging technologies, trends in mobile usage, social media, well-funded and organised foes, round-the-clock attacks, and more’.

   
And as employees do after all have their own jobs to do, they cannot be expected to somehow keep track of all these threats. The challenge with educating employees is to somehow make them aware of the risk their online activities pose and how to manage it, without rendering them unproductive by overly complex procedures. 

But this balance is looking increasingly difficult to achieve as the breadth of security threats continues to expand.  

More likely, employees will continue to be compromised and continue to cover up these compromises rather than resolve them as has been shown to be the case in the majority of businesses.

3. Modern technologies such as machine learning and big data security are now more efficient and effective solutions for a CIO than educating employees 

So, if hackers will always be one step ahead of employees, what solutions can we use to prevent cyber security breaches?  

One answer is machine learning solutions which are capable of monitoring user and application behaviour. These solutions, such as Cylance Cybersecurity, are very effective in recognising malware. Utilising these alternatives means you are able to predict and prevent threats rather than working reactively on the back-foot, as is the case with anti-virus software.
 
Blockchain is another example of a cutting edge technology that can significantly minimise cyber security risks. It does so by addressing the two key security principles: process and trust.  Blockchain solves the issue of process by implementing smart contracts that can enforce procedures within the company. For example, say, ‘user A can only access X document with approval from user B and C’.
 
In respect to trust, it allows companies to ensure that procedures are being executed in compliance with regulation. In the above example, there is no human verification that could result in security lapses. Instead, the blockchain system approves or denies access based on set criteria, reducing the risk of human error which so often results in security breaches.

So when choosing a security vendor, opt for one that uses the latest technologies that can help reduce the risk of human error.

It is simply no longer possible for your employees to be educated on the latest cyber security threats as they constantly grow and evolve.

Instead, the most effective way to fight the latest technological threats is deploying the latest technological defence systems in your own favour.

ITProPortal

You Might Also Read: 

Blockchain’s Brilliant Approach To Cyber Security:

Will GDPR Protect Privacy Or Just Lead To More Hacks?:

Strategies For A Cyber Security Culture (£):

 

« Tech Giants Face US Congress Over Russia Election
Garry Kasparov On AI & Cybersecurity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

Bromium

Bromium

Bromium deliver a new technology called micro-virtualization to address the enterprise security problem and provide protection for end users against advanced malware.

Zentera Systems

Zentera Systems

Zentera's CoIP (Cloud over IP) solution offers enterprise-grade networking and security for the emerging cloud ecosystem.

CSIS Security Group

CSIS Security Group

CSIS provide actionable threat intelligence, prevention, incident response and 24/7 managed security services.

Early Warning Services

Early Warning Services

Early Warning is committed to providing awareness, education, and enablement around fraud prevention.

SecuTech Solutions

SecuTech Solutions

SecuTech is a global leader in providing strong authentication and software licensing management solutions.

LinOTP

LinOTP

LinOTP is an enterprise level, innovative, flexible and versatile OTP-platform for strong authentication.

SecureMe2

SecureMe2

SecureMe2 ‘s mission is to make organizations more responsive to digital threats by deploying smart technology in a highly accessible way.

BrandProtections.Online

BrandProtections.Online

BrandProtections.online offer end-to-end customer support solutions to help protect against threats which may affect your brand online.

Securious

Securious

If you need to improve your cyber security or achieve cyber security accreditations, Securious provide an independent service that will identify and address your issues quickly and efficiently.

ResilientX

ResilientX

ResilientX is an All-In-One Security Testing Platform designed to help MSPs and SMBs to perform their security testing and assessments without having to outsource IT.

Nokod Security

Nokod Security

Nokod Security delivers an application security platform for low-code / no-code custom applications and Robotic Process Automation (RPA).

Paramount Defenses

Paramount Defenses

Paramount Defenses have unrivaled capability in two of the most critical areas in cyber security today – Active Directory Security and Privileged Access.

Precision Cybertechnologies & Digital Solutions (Precision-Cyber)

Precision Cybertechnologies & Digital Solutions (Precision-Cyber)

Precision-Cyber was founded on the philosophy of state-of-the-art cybersecurity and digital solutions. Our guiding principle is simply that we will provide and secure all your digital needs.

SPYROS Information & Technology Consulting

SPYROS Information & Technology Consulting

SPYROS specializes in providing highly qualified professionals in Computer Network Operations, Signals Intelligence, Technical Training and Certifications, Network Administration and Security.

Dryad Global

Dryad Global

Dryad Global offers a comprehensive suite of maritime intelligence solutions, including a best-in-class situational awareness, planning and security system and industry-leading cyber protection tools.