For a generation that panics when it leaves home without a phone or when a social media platform goes down, we remain remarkably ill-equipped to use the internet securely.
A study conducted by the Taylor & Francis Group found that “Many netizens still lack sufficient awareness of various internet threats and often fail to possess the minimum required knowledge to protect their computing devices.” As the technology-driven era continues to evolve, the attack surface is widening, and cyber criminals are finding more ways to infiltrate connected devices. The very people who share a #firstdayatwork selfie could unknowingly be leaking business-critical data.
The Twitter meltdown in 2020 was a prime example of this issue. A few gullible employees responded to an email asking them to reset their password. They went to a dummy site controlled by hackers and entered their credentials – usernames, passwords, and multifactor authentication codes – which was all it took to drop Twitter’s stock price by 4 percent. The question to ask here is, “What can the modern CISO of a digital-first business with digitally native employees do to avoid a similar issue?”
Cyber risk management requires employees and enterprises to meet halfway
As the “work-from-anywhere” concept has been more widely adopted across industries, employees likely remain unaware of how exposed their personal credentials are, how their devices are misconfigured, and the extent to which social engineering can affect them. They need to stop believing that cybersecurity is the responsibility of their organization alone and take control of protecting their data. Employees require a thorough understanding of what good cybersecurity practices entail, but they lack a single source from which they can learn and re-learn the basics.
Unverified videos, word-of-mouth advice, and PowerPoint presentations are the biggest sources of (mis)information for most individuals. This dispersed information sharing needs to be consolidated into one forum that clearly educates people on the nuances of cyber hygiene.
Cyber risk management requires adopting tools that provide breach-likelihood scores
Similarly, enterprises need a single dashboard view with prioritized, actionable insights to counter the current siloed security approach. Signals from various sources, including leaked credentials on the dark web, device configurations, services such as user and entity behavior analytics (UEBA), and more, should be aggregated and monitored.
Once all the signals are combined, enterprises can view them as an easy-to-understand breach-likelihood score per employee, representing the financial impact that individual would have on the organization in the event of a data breach. Employees sit at the center of enterprise cybersecurity strategy, and breach-likelihood scores give security and risk management leaders the confidence to focus on the riskiest employees.
To make cybersecurity a shared responsibility, security and risk management leaders have, for decades, depended on products and services that shed light on their employees’ vulnerabilities. Today, 90% of data breaches have a human aspect, yet businesses allocate less than 10% of their budget to managing it. Every wave of cyberattacks creates a knee-jerk reaction in which businesses purchase more services to bolster their employee-related cyber risk posture.
However, point-in-time phishing simulations, social engineering exercises, and obligatory classroom-based sessions will no longer be as effective as they were even a couple of years ago.
In today’s digital world, employees are central to developing a robust cybersecurity strategy. The quicker everyone – enterprises and employees – realizes their role in enabling good cyber hygiene, the more prepared they will be for a potential threat. This requires a harmonious partnership between organizations and their employees to educate all parties on security best practices.
Additionally, CISOs can protect their companies by implementing tools that monitor these signals, provide employee breach-likelihood scores, and estimate the financial impact of risky employees. At the end of the day, ensuring the digital health of an organization is critical not only during Cybersecurity Awareness Month but all year round.