Google doesn’t want you to have to think about cybersecurity at all, similar to how we think about breathing, which sounds like a great idea. However, in all of my years in cyber security, from the Israeli Defence Forces’ Intelligence Corps Unit to my years at the government’s National Cyber Bureau – where I worked with one of the most attacked organizations in the world, the Israel Electric Corporation – I’ve learned that trusting solely in technology is never a good option.
Your employees are your first line of defense when it comes to cybersecurity, and according to Verizon’s 2018 Data Breach Investigations Report, almost one in five (17%) breaches were caused by human error. Educating your employees in both preventing and responding to a breach should be your organization’s focus.
A broader look at cyber training
This increase in training and education needs to happen at every level of an organization – from mailroom to boardroom – to address the growing vulnerabilities within the financial, insurance, energy and critical infrastructure sectors, rather than relying on a reactive approach from tech giants. As online threats become more sophisticated, complex and multifaceted, untrained employees become a greater security risk than ever.
Cybersecurity knowledge is not the responsibility of the IT or OT departments alone, but of the organization as a whole. Training a workforce in how to act before and during a cyber-attack is imperative to any organization’s cyber defense. If even a single employee or manager opens an innocent-looking malicious email attachment, the whole organization could be exposed to an attack, regardless of the effort and money you have put into your cybersecurity technologies.
An example: Ransomware
Ransomware, or any other socially engineered attack, requires making crucial, quickfire decisions, such as whether to pay the ransom, and when to release public statements and share information with the relevant agencies. There are also many decisions to be made in advance in order to prepare against such attacks. In the highly publicized WannaCry epidemic in 2017, the human factor played a major role in the vulnerability of organizations worldwide. Although the patch needed to prevent WannaCry from infecting computers was released before the initial attacks, many systems worldwide went unpatched, leading to the rapid spread of the virus.
Executives, particularly CISOs, are tasked with making the ultimate cybersecurity decisions, but in the throes of an attack this can mean multiple, simultaneous decisions across a global footprint. In order to ensure that everyone in an organization is on the same page, senior leadership needs to make sure the organization’s policies and procedures are clear from top to bottom. This is in addition to keeping employees educated and abreast of current trends in cybersecurity. According to CompTIA’s 2018 Trends in Cybersecurity report, 36 percent of respondents cited low understanding of new security threats as a hurdle for changing their approach to IT security, while 28 percent cited low understanding of current security trends as a hurdle.
Knowing how people will react to a cybersecurity breach is as important as defending against cyber-attacks. Go beyond technology with programs that balance people with policies and technologies. Make sure every employee knows the basics. The best cybersecurity defense is the ability to make sound decisions under pressure. When it comes to risk management and being equipped to deal with a cyber-attack, quick decision-making and cybersecurity knowledge are more important than any technology.
Humans are on the frontline
Humans are the weakest link in both the prevention and mitigation of cyber breaches, so the best defense is to test and train people on security policies, technology and tools. The current trend in cybersecurity is to recreate an actual working environment and put employees in the midst of a realistic, simulated cyber-attack that they must defend against. Businesses across the globe are now signing up employees to endure the hands-on perils of cyber-attacks. In a real-life situation, theory meets practice – with real-world consequences.
Employees across the globe, from the most junior to the CEO and directors, are the first line of defense. Increasingly, they are expected to know the basics of preventing and mitigating a cyber-attack and to be trained in the methods. In the past, cybersecurity hasn’t been the average employee’s daily concern; security tasks were delegated to the IT teams. But just one mistake by any employee anywhere in an organization can be very costly.
That’s why companies today are stress-testing and training every level of the organization, to gain a deeper understanding of the cyber threat landscape, the types of attacks they might face, and the impact these attacks can have. A holistic, organization-wide approach that bridges people, policies and technologies, and trains them together in a safe environment, is the most impactful, long-term and authentic way to prepare your business for the next wave of inevitable cyber-attacks.
If I could leave you with three tips to improve your cyber strategy moving forward, they would be:
- People should be your number one priority – they are the guardians of your business assets. Invest in their knowledge and performance. It will pay off immensely.
- Policies are dynamic – always check, test and recheck them. Rewrite anything that needs updating, and then start over.
- Know your enemy – never cease to educate and learn about each discovered attack and offensive strategy. I cannot say it more clearly. Knowledge is really a lifesaving factor in our business.