An increasing number of information security officers agree that awareness training for employees is the number-one defense against cybersecurity threats. In fact, the nation’s first Chief Information Security Officer (CISO), Greg Touhill, said that if he had extra money to spend on security, he would spend it training employees. This statement was underscored by Jon Clay at Trend Micro.
Clay reports that “Spear phishing and messaging-based threats tend to be the first attack vector that criminals are using today. They are targeting the employees of an organization first and foremost to get access to that organization’s network. From there, they will laterally move out.”
In effect, his comment highlights the importance of training employees to recognize these threats. Properly trained employees know what to look for. However, just one poorly trained employee can open the door for hackers—And once they get in, they can do irreparable harm.
We were all shocked by the recent security breaches at organizations like JP Morgan Chase and Equifax. If companies with high levels of security can be breached, then what about the thousands of smaller businesses across America?
Although most enterprises increased their budgets for IT security, it doesn’t seem to be having the impact CEO’s had hoped for. When you take a hard look at the job description of most CISO’s, you can readily see the problem. In today’s business environment, IT specialists are required to know everything there is to know about dozens of different devices—And each device must be properly configured and aligned with the overall data system’s architecture.
Cloud technology makes data more readily available to employees—However, it’s also more vulnerable to cyber attacks. This leaves us with the question of whether we can continue to risk our most important data by leaving it out in the open for intruders to find.
Even the world’s foremost experts in this field view the future of digital security with uncertainty. Attacks on prime targets around the globe have been so successful that it requires industries to constantly evolve where cybersecurity is concerned.
Many IT experts believe that one reason for the consistent failure of counter-threat intelligence is the fact that experts are always a few steps behind the attackers. Cyber threats become more sophisticated with each new breach. When critical data is compromised, customer data, financials and intellectual property are freely available to hackers.
Cybersecurity learning programs now include behavior-modification training. The concept of modifying behavior isn’t new—But applying it to the information technology environment is.
Employees must learn that certain behaviors are unacceptable. During training, they’re shown the numerous tricks that hackers employ—And training must be ongoing in order for it to be 100 percent effective. As cyber attacks evolve, so must our understanding of how to detect them.
Alan Paller, founder of the SANS Institute, along with other security specialists agree that, when it comes to cyber threats, we must address the human factor first. When every employee in a company is fully trained and aware of the many ways attackers infiltrate a company’s data, they’ll be one step ahead of the hackers instead of two steps behind.
CEOs are just as likely to click on a suspicious link in an email as are their employees. Therefore, everyone in an organization should undergo cybersecurity awareness training. From the CEO to the mail room, to every person who has access to a company’s data, all must be informed. It only takes one person to open that cyber door— And once thieves are inside your IT network, they’ll ransack it and take whatever they want.
The quality of their forgery has risen to the point where the threat is almost indistinguishable from the real thing—These emails look authentic. They are so refined that even well-trained individuals can be fooled. The more believable the attack, the more likely it is to succeed. In order to rise to that level of believability, cyber thieves need our help. And they seem to have no problem getting it.
As mentioned, the first and best defense against these attacks is education. The second-best defense is to protect your data. There are numerous ways criminals can obtain your confidential information.
Security experts recommend that all discarded paperwork be destroyed using a cross-cut shredder. If attackers can learn just a few key pieces of information about you, they can refine their attack and make it more likely to succeed. Cyber thieves want to know where you bank, your title at work, your favorite hangouts – even the names of close friends and relatives.
Social media makes it easy for anyone to find out who your friends are and even get photos of them. Criminals watch for photos that you post online, when you go on vacation, and more. Once they know you’re away from home and enjoying the beaches in Maui, it’s just a matter of going to your home and breaking a window.
This same philosophy applies to cyberspace as well. We all leave clues around that tell thieves where we shop, where we work, what kind of car we drive and other bits of vital information about our lives. Once they have it, they’ll use it against us in the form of malicious emails.
In a world where information is so readily available, the task for CISO’s is now more complex. It requires better and more consistent training for employees and vigilance at every level. With ongoing training, employees can help identify outside risks in their email boxes or across the Internet.
The job of combatting cybercriminals mandates that we take the protection of our data as seriously as we do the protection of our homes and families. It’s not just the responsibility of IT specialists and CISO’s—It’s everyone’s job to guard the “doors and windows” of our network and cloud storage systems.