Ways to raise your users’ cybersecurity IQ

Source: Vsoftsystems, 08/09/2018


Whether their actions are inadvertent or intentional, your employees
represent a large security vulnerability. Here are recommendations
from security experts on how to safeguard your business by keeping
your workforce aware of the risks.

Employees are a company’s greatest asset, but also its greatest
security risk. “If we look at security breaches over the last five to
seven years, it’s pretty clear that people, whether it’s through
accidental or intentional introduction of malware, represent the
single most important point of failure in terms of security
vulnerabilities,” said Eddie Schwartz, chair of ISACA’s Cyber Security
Advisory Council.

In the past, companies could train employees once a year on best
practices for security, said Wesley Simpson, COO of (ISC)2. “Most
organizations roll out an annual training and think it’s one and
done,” Simpson said. “That’s not enough.”

Instead, he said organizations must do “people patching”: just as you
update hardware or operating systems, you need to consistently update
employees on the latest security vulnerabilities and teach them how to
recognize and avoid them.

“Your people are your assets, and you need to invest in them
continually,” Simpson said. “If you don’t get your people patched
continually, you’re always going to have vulnerabilities.” Even in a
company with hundreds of employees, it’s worth training them as
opposed to taking on the risk of a breach.

However, it’s important to empathize with your employees as well, said
Forrester analyst Jeff Pollard. “People represent a large potential
attack surface for every organization. The reason I don’t like to
think of people as a security vulnerability is that it encourages a
blame-the-victim mentality. Security teams exist to protect
information, people, and the business.”

When a user makes a mistake and clicks on an email that causes an
infection, we often think that was the cause, Pollard said. But that’s
not actually the case: the organization was already under attack when
the attacker sent the email, before it was opened. It also means every
other security control in the path of that attack failed, he added.
