The three-pillar approach to cyber security starts with people
Where do the cyber security risks reside in a typical organization?
You may find inspiration in a three-pillared strategic approach to cyber security.
The first pillar is people
The three-pillar approach to cyber security consists of people, process, and data and information. Here, we focus on the first pillar: people.
People are arguably the biggest risk. By people we mean staff as well as other individuals an organization comes into contact with, e.g. contractors.
Who is the target?
According to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting account for 93% of the breaches that involve social engineering. For a phishing or social engineering attack to succeed, the attacker needs a target to take the bait, and that target is usually an employee. Training your employees is therefore crucial alongside the technical security controls you put in place. Employers must make employees aware of the risks of clicking a link in a phishing email, downloading an attachment from an unknown sender, or responding to requests for credentials, login details or other data.
Least expensive, most effective tool
Employee training is one of the least expensive and most effective tools an organization can use to reduce the risk of a cyberattack. This training can be both formal and informal. Formal training would include training on your organization’s policies and procedures as well as specific incident response training. For informal training, organizations should consider periodic e-mail blasts to employees detailing current threats and simulated phishing attacks with follow-up feedback. For example, e-mail blasts could include reminders that:
- Employees should never provide log-in credentials when requested via email even if the email appears to be legitimate.
- Payroll staff should receive an annual refresher, ahead of December through February, on the seasonal spike in W2 phishing. During this period they are most likely to receive an email, purportedly from the CEO or CFO, requesting W2 information for all employees.
Overall, these types of reminders are a great way to keep cyber security at the forefront of your employees’ minds between more formal training sessions.
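The W2 scam above has a recognizable shape: an executive's name in the display field, a sender domain that only looks like the company's, a Reply-To pointing somewhere else, urgency, and a request for tax forms or credentials. The following script is an added example written for this article (it is not the author's material) that triages a user-reported message against those heuristics, so the security team can give the "follow-up feedback" the article recommends after a simulated or real phish. The corporate domain, executive names and both sample messages are constructed for illustration.

```python
"""Heuristic triage for the CEO/CFO-impersonation and W2 phishing pattern.

Added example, not the article author's code. CORP_DOMAIN, EXECUTIVE_NAMES
and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: the organization's mail domain and the executives an attacker
# would most plausibly impersonate when asking payroll for W2 data.
CORP_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat jones", "sam lee"}

# Look-alike domains swap letters for similar digits; map them back before comparing.
HOMOGLYPHS = str.maketrans("0135", "oles")
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|right away)\b", re.I)
# Requests for tax forms or log-in details are the payload of the scams described above.
SENSITIVE = re.compile(r"\b(w-?2s?|passwords?|log-?in|credentials?)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload() or ""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode(errors="replace"))
    return "\n".join(chunks)


def analyze_message(raw: str) -> list[str]:
    """Return red flags in a raw RFC 5322 message as 'code: detail' strings.

    An empty list only means no heuristic fired; this is a triage aid, not a verdict.
    """
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    findings = []

    # 1. Executive's name in the display field, but the address is not ours.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORP_DOMAIN:
        findings.append(f"display-name-spoof: '{display_name}' sent from {from_domain}")
    # 2. Sender domain that only looks like ours (e.g. 'examp1e.com').
    if from_domain != CORP_DOMAIN and from_domain.translate(HOMOGLYPHS) == CORP_DOMAIN:
        findings.append(f"lookalike-domain: {from_domain} resembles {CORP_DOMAIN}")
    # 3. Replies are silently redirected to a different domain.
    reply_domain = _domain(reply_to)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: {reply_to} vs From {from_addr}")
    # 4. Pressure to act now, before checking with anyone.
    if URGENCY.search(text):
        findings.append("urgency-language: message pushes for immediate action")
    # 5. The actual ask: tax forms or credentials.
    hit = SENSITIVE.search(text)
    if hit:
        findings.append(f"sensitive-request: asks for '{hit.group(0)}'")
    return findings


# Constructed sample of the seasonal W2 scam: spoofed executive, look-alike
# domain, external Reply-To, urgency, and a request for every employee's W2.
PHISH_SAMPLE = """\
From: Pat Jones <pat.jones@examp1e.com>
Reply-To: pat.jones.ceo@mail.invalid
To: payroll@example.com
Subject: Urgent - W2 forms
Content-Type: text/plain

Hi, I need the W2s for all employees sent to me today as PDFs so I can
review them before the board meeting.
Pat
"""

# Constructed legitimate internal message for comparison.
BENIGN_SAMPLE = """\
From: Pat Jones <pat.jones@example.com>
To: payroll@example.com
Subject: Q3 offsite agenda
Content-Type: text/plain

Attached is the draft agenda for the offsite. Comments welcome by Friday.
Pat
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_message(sample) or ["no flags"])
```

Run it on a reported message and the five flags give the reporting employee concrete feedback ("the sender was examp1e.com, not example.com; replies would have gone to an outside mailbox"), which is far more memorable than a generic "be careful" reminder. The look-alike check only catches digit-for-letter substitutions; extend HOMOGLYPHS or add an edit-distance comparison for your own domain before relying on it.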
Tabletop exercises
Practical training should not stop with an organization’s general workforce. In addition to the employee training described above, companies should consider running tabletop exercises that prepare the organization to react in the unfortunate event of a breach. These exercises simulate a data breach incident and allow executives to test the organization’s ability to respond using its formal policies and procedures, before a real attack forces that test. Through frequent exposure and regular training, your organization will develop a culture of cyber security awareness.
The final two pillars to cyber security are processes (how we should act and operate) and data and information. These will be covered in future articles.