War Room

Shells From Above

The Weakest Link: Bridging the Gap Between Tech and People

February 16, 2024 By RSM Author

On each Friday for the month of February, RSM’s Julia Polyak will be providing an article on the future of cyber-attacks and cyber-warfare, and how organizations can remain aware of emerging threats in this landscape.

In the continuous struggle to keep our digital world safe and secure, it’s important to understand that behind every cyber event, there are roles that humans play: the human element. Understanding how people interact with technology is key to defending against cyberattacks in the future. In the digital world, new vulnerabilities and threats emerge on a daily basis. Proactive defense is essential to creating a good security posture and to enhancing security awareness programs. This is where threat intelligence teams and programs can help fortify security and create well-developed cybersecurity training. When talking about the human element of cybersecurity, the question is not necessarily whose fault it is if something happens, but which security measures were missed or weren’t in place so that it came down to that last line of defense, the human.

To understand why the human element is so important in security, we need to understand why human error in cyber-attacks remains one of the biggest cybersecurity vulnerabilities today. There are many reasons why humans aren’t the best cyber defense, but the main reasons you should be aware of are:

  • Lack of awareness training
  • Social engineering attacks
  • Insider threats
  • Complexity of technology
  • Human nature

You might be thinking that we already knew these things. The problem is not whether people are aware of human error and the lack of security awareness training; it is whether people are acting on these items and making a difference. Time and time again, companies are targeted by phishing campaigns, social engineering attacks over the phone, and complex cybersecurity attacks. At the end of the day, when it comes down to that last line of defense, the human element, are you and your staff prepared enough? Do you know what to do, how to respond, and what it means should you fall victim to a cyber-attack?

To be able to provide accurate security awareness training, we first need to understand the importance of threat intelligence. Threat intelligence is the collection, analysis, and distribution of information about potential and current cyber threats. By keeping up with threat intelligence, whether through a threat intelligence team or through one of the many known threat intelligence programs, organizations can stay ahead of emerging threats, identify known vulnerabilities in their infrastructure, and boost their security and defenses accordingly. By integrating threat intelligence into your security awareness training, you can add more context to the training, providing real-world examples that make the material more relevant and engaging for employees. Rather than presenting employees with complex and theoretical scenarios, threat intelligence can make them more aware of the real threats out there, demonstrating the consequences of failed security.

Security awareness training and education programs: Improving security awareness training can be addressed in multiple ways. The main things to implement, if they are not in place already, are providing real-world examples, consistent and ongoing training, promoting a cyber-aware environment, measuring training effectiveness, and providing resources and support.

To provide realistic, real-world examples for security awareness training, one idea you could add to your training is a phishing campaign, where either your internal IT team or an external team sends a realistic phishing example to a portion of the employee population to test and measure the employees’ security awareness. Another way to implement more realistic scenarios is to find an external team to perform a social engineering engagement, where you outline your company’s statistics and information, and an external team, such as RSM’s social engineering team, performs a social engineering “attack,” whether on the phone, over email, or even in person. This encourages all the things mentioned above to improve your security awareness program and your overall security posture. A real-world social engineering engagement would provide a holistic view of the areas where the human element is lacking in your security.

Not everyone is able to perform this type of engagement, and that’s okay, because as mentioned, there are many things you could be doing to foster a cyber-aware environment. This would look like consistently spreading information to all employees, holding regular training, and being able to measure the training’s effectiveness, whether that means an internal team providing new information on emerging threats through threat intelligence or the IT team sending out daily or weekly reminders of cybersecurity best practices. By promoting a positive, engaging, and informational cybersecurity environment, you will improve your security posture.

Every day, the digital world is changing. New threats are emerging, organizations are being hacked, and lives are being changed. Trying to foster an environment with positive security awareness training is difficult because it is often not a positive reality. However, if we can work together to promote a culture of learning, growing, and sharing the passion for advancing security, we can make a difference in strengthening our cybersecurity posture.
