End Users are said to be the weakest link to security, however, with the right security awareness training your employees can turn into your best defense. Most incidents transpire due to the exploitation of the human factor. Threat actors use this human factor to manipulate end-users into executing a task on their behalf by advertising a bold statement. These tasks can include opening an email attachment, clicking a link, giving information over the phone, or even opening the door for someone. One of the worst types of malware is human malware, as cited by Alex White and it is the easiest malware attackers can use to their advantage.
Una Dean, stated “The vast majority of successful attacks occur through some sort of human error, and oftentimes that’s people clicking on phishing links that come through the system,” she said. “And it’s something where you can send out 10,000 phishing emails and just one person needs to click.” That makes this kind of tried-and-true attack “highly successful and very, very hard to defend against.”
Although a tremendous challenge, this human factor can be manipulated to your own advantage on the defense side of things, turning employees into assets. A panel of experts came together at RANE to discuss how this can be done.
The disparity of knowledge and awareness between users is great. End users see and work on their own systems and they may be able to see real-time actions being done by threat actors. This manipulation assists in creating valuable assets and increases cyber resiliency.
Security awareness training and educating employees is a critical factor in mitigating risk. Focusing on education and training teaches the end user the reasoning behind security measures like two-factor authentication or complex passwords. It also allows users to gain a better understanding of what to look out for, who to report the event to, or what they can do. As well as, appropriate actions to take when receiving a suspicious email or phone call. Organizations can send mock phishing emails to users; this allows users to learn from their mistakes, creates cautious employees, and minimizes the risk of a data breach.
Ondrej Krehel, CEO of LIFARS, stated on this saying: “It’s important to build cyber resiliency and start internally with employment training and understanding what the trend landscape actually is and what is the contribution of each member of that organization to the cyber resiliency itself.”
Training users begins by training yourself. 22% of shared folders are available for every employee in an organization to access. To begin training employees, organizations need to look at where their data lies, implement access control and evaluate what data they have. This cyber hygiene builds a habitual routine of security, maturity, and resiliency within an organization, thus, coming across to employees.
Although changing human behavior and thinking is difficult, training users can increase awareness. Explaining and getting across to your employees that the security applies to everyone, not just the security team is important. Of course, this awareness cannot be achieved overnight, but rather focusing on a one, two, three- and five-year plan helps create and modify human behavior. A change in culture begins from the top down and with a strategy in place that translates the culture across.
Further, to change human behavior, security needs to come across as something everyone can assist with and something interesting. Training cannot just consist of a webinar or training firm that comes in and inorganically talks to the employees. Instead, training should be engaging, but also very persistent, starting first when a new employee is onboarded and continuing throughout the employee’s stay.
In addition to training, the internal structure of organizations needs to revolve around building that culture of security. Building tiers of oversight allows a manifestation and trickle of cybersecurity issues within organizations. Once the need for cybersecurity is clearly translated across the top tiers, including the board and executives, this communication can effectively change the culture of the organization. Ondrej Krehel, stated on this saying: “If that comes clearly translated from a cybersecurity professional to the board and executive going back to the culture and how it affects them, then it can a better understanding how they propagate that strategy and culture through the organization.”
This strategy should include cyber preparation and readiness exercises. Just like the military spends more time preparing for its mission, organizations should more time preparing for data breaches. Time spent rehearsing, practicing, and repeating scenarios helps build an elite team. The mission should be translated across the team, from top to bottom including preparing policies, procedures, business continuity, and incident response plans. In return, building better cyber hygiene, better standards, and better processes for your organization. Basic cyber hygiene includes complex passwords, frequent password changes, user access policies, or risk assessments.
Internal employees are the weakest link, it can take just one employee clicking on a link to cause a data breach. This lack of awareness and education among employees needs to change. Organizations can begin this change starting with modifying the culture of the organization. Security should be implemented and understood from top to bottom, including executives, board members, and employees.
Are You Concerned About A Data Breach?
There are preventive measures your organization can take to defend against an cyber attack.
LIFARS offering Free 30-minute consultation on cyber resiliency.
Email:firstname.lastname@example.org | Call us at:(212) 222-7061