Staff Training Is Important But Does Not Reduce Cyber Risk

How many times have you had to watch your company’s latest cybersecurity training video? An entire industry now exists to train us humans to be smarter in how we operate computers, and yet the number of cybersecurity incidents continues to rise. Are the hackers always one step ahead? Are we impossible to train? Or are we being taught the wrong lessons?

The human is indeed the weakest link in cybersecurity. But all too often organisations’ approach to mitigating that risk, other than taking the wise step of ensuring that they have the state-of-the art technological protection in place, is more training. It won’t suffice.

Putting employees through 50 more hours of cyber-hygiene training a year will never be able to train every e-mail recipient to discern what looks like a phish.

There is one area where more training would pay off: for CEOs and other senior managers, the people who are least likely to take training or take it seriously. Forty percent of respondents to a BAE Systems survey of senior managers in various sectors said they lack understanding of their own company’s cyber-security protocols. But if you’re the boss, you’re an attractive target for crooks and spies.

Most importantly, the training can help leaders be much more effective in overseeing chief information officers (CIOs), and chief information-security officers (CISOs). With training, leaders can make more informed tradeoffs between purchasing the most convenient, accessible, and affordable technology (the CIO role) and keeping that technology and a company’s critical data secure (the CISO role).

When it comes to everyone else in the organisation, however, the answer is not more training; it is to not trust humans in the first place.

There are simply too many chances for us to accidentally hurt ourselves or the networks on which we operate regardless of how much training we receive. What we need to do is to help users and customers keep themselves and their households and organisations out of trouble.

The following proposals are all about companies’ being proactive with strengthening the security of their own networks and computers. They will make a company and its users more secure, regardless of whether or not they receive more training.
Know and prioritise your information. It may be the most common cybersecurity advice out there (even White House cyber coordinator and former NSA chief hacker Rob Joyce says so!), but you are nowhere if you don’t know your network and then prioritize what you need to defend. 

You can’t defend what you don’t know, and there’s no way to defend every file, database, and folder equally. So leaders should invest the time in knowing their organisation’s network. It’s the first necessary (albeit insufficient) step to help your humans do their jobs safely while keeping the bad actors out.

Don’t let friends click links. In 2015, the US Department of Defense (DoD) decided enough was it enough: to prevent its users from clicking on potentially malicious links, it converted all incoming mail from non .mil domains to plain text. 
Now, there are no links to click. Inconvenient? Perhaps. But this is a case where an enterprise decided the risks of convenience outweighed the rewards, and DoD leadership took action to keep its employees from causing inadvertent harm to the military’s network.

Don’t just share information; block it. Take advantage of services like Facebook’s Threat Exchange that can feed threat information to perimeter defenses that can block attempts at malicious connections. 

This approach will never keep an enterprise perfectly safe, but it will reduce the risk of infection from those sources known to the community. And the unfortunate truth is that many, if not most, threats feature indicators that are known to various information security communities ahead of time.

Reduce your attack surface. Most of us at work use computers that have far too much capability than we need or use on a daily basis. With that capability comes increased risk due to all sorts of additional avenues of infection. 
If you can swing it, think about using something minimal like the entirely browser-based Chromebook, which can dramatically reduce the opportunities presented to an adversary or criminal to gain unauthorized access to your system. Its updates are far more regular and there is far less excess software to infect.

Reach for the cloud. Sophisticated businesses and enterprises are able to manage the security of their domain with a mix of security products. But many small and medium-size businesses don’t have the resources to do so. Meanwhile, companies like Google spend millions on trying to keep hackers out of their e-mail infrastructure. 

If you are concerned you don’t have the resources to manage your own e-mail security, consider switching your back-end e-mail infrastructure to Google’s to take advantage of their investments in security.  It spends a lot of time hunting hackers so you don’t have to.

Finally, training is necessary but don’t forget the insider threat. Cybersecurity professionals spend a lot of time keeping the bad guys out. But sometimes, good guys become bad guys. 

In fact, IBM estimates that 60% of all attacks are from the inside. A human-centric approach to limiting damage from insiders might include creating a culture of mutual accountability at work. 

Additional checks on insider threats include segmenting a network so that only those who need access to certain data get access to that data and “water-marking” sensitive data with information as to when and by whom it was accessed.

Harvard Business Review

You Might Also Read:

Cybersecurity Training Isn’t The Complete Solution:

Strategies For A Cyber Security Culture (£):

 

« Cybersecurity Firms Deploy AI Against Hackers
Facebook Delivers AI To Detect Suicidal Posts »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Radware

Radware

Radware is a global leader of application delivery and cyber security solutions for virtual, cloud and software defined data centers.

CERTuy

CERTuy

CERTuy is the national Computer Emergency Response Team for Uruguay.

Silicom Denmark

Silicom Denmark

Silicom Denmark is a premier developer and supplier of FPGA-based interface cards for cyber-security, telecommss, financial trading and other sectors.

Magal Security Systems (Magal S3)

Magal Security Systems (Magal S3)

Magal Security Systems is a leading international provider of integrated solutions and products for physical and cyber security, safety and site management.

Cyberra Legal Services (CLS)

Cyberra Legal Services (CLS)

Cyberra Legal Services provides cyber law advisory, cyber crime consultancy, cyber law compliance audit, cyber security, cyber forensics and cyber training services.

BeDefended

BeDefended

BeDefended is an Italian company operating in IT Security and specialized in Cloud and Application Security with years of experience in penetration testing, consulting, training, and research.

CETIC

CETIC

CETIC is an applied research centre in the field of ICT. Key technologies include Big Data, Cloud Computing, the Internet of Things, software quality, and trust and security of IT systems.

DigiByte (DGB)

DigiByte (DGB)

DigiByte (DGB) is a rapidly growing global blockchain with a focus on cybersecurity for digital payments & decentralized applications.

CONCORDIA

CONCORDIA

Concordia is a Cybersecurity Competence Network with leading research, technology, and competences to build the European Secure, Resilient and Trusted Ecosystem.

Sabat Group

Sabat Group

Sabat Group provide relationship-driven information security & cyber security recruiting services.

Ironhack

Ironhack

Ironhack provide intensive training courses & bootcamps in Web Development, UX/UI Design, Data Analytics & Cybersecurity.

Simplilearn

Simplilearn

Simplilearn is the world's #1 online bootcamp for digital skills training in disciplines such as Cyber Security, Cloud Computing, Project Management, Digital Marketing, and Data Science.

Pelta Cyber Security

Pelta Cyber Security

Pelta Cyber Security is the cyber security consulting and solutions division of Softworld Inc. We provide staffing and recruitment services as well as consulting and solutions for outsourced projects.

LocateRisk

LocateRisk

LocateRisk provides more efficiency, transparency and comparability in IT security with automated, KPI-based IT risk analyses.

PCS Security (PCSS)

PCS Security (PCSS)

PCS Security provides secure, reliable and state-of-the-art security solutions to help our customers address their security concerns.

ID North

ID North

ID North is a Nordic service provider offering identity security to its customers by providing world class expertise and best-in-class solutions and services.

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions is an Enterprise Cyber Security Platforms company offering Cyber Security & Technical Education and Compliance & Penetration Testing Services.

3DOT Solutions

3DOT Solutions

3DOT Solutions is an established UK cybersecurity consultancy focused on delivering end-to-end cyber security solutions for private and public sector customers.