
In A BYOD World, Everybody Needs Cybersecurity Chops

This article is more than 4 years old.

Technology alone won’t fix the security woes that have been rampaging through the connected business world. What is needed is the full engagement of the workforce.

Carl Cadregari, executive vice president of The Bonadio Group’s Enterprise Risk Management team, is an advocate for preparing the workforce — the entire workforce — for the cybersecurity challenges ahead. The cybersecurity industry is constantly scrambling to keep up with the latest tools and tricks. The threats may change, but one thing remains consistent: untrained users who don’t understand their roles and responsibilities in preventing an attack. More employee training is needed, and urgently.

A survey last year from Wombat Security Technologies finds, for example, that only 37% of users were able to accurately identify the definition of ransomware. There’s a “clear need for organizations to take a people-centric view of cybersecurity and educate their employees about fundamental cyber habits in order to better protect data, devices, and systems,” the survey’s authors state. “This need is particularly pressing for organizations that support a BYOD culture or remote workers. There is no longer a definitive line between corporate systems and consumer systems.”

Employees and managers outside the security team and IT department need to be more deeply engaged in the security process — collaboration is needed to break through the silos. Cadregari recently shared his views on the need for enterprise-wide cybersecurity awareness-building and education. “Cybersecurity protection is not just the IT department’s or the information security officer’s responsibility,” he says. “Everyone, from the board of directors to staff, has a critical role to play. The board of directors must be an active participant in cybersecurity governance and risk tolerance and have at least one member who truly understands the cybersecurity aspects of the organization. Management has to have an active part in the training, testing, and reporting and fully support the goals set by the board. Staff and others must not perform actions that will expose the organization to risks, and everyone must be acutely aware of their responsibilities when a data breach or loss occurs.”

Are companies doing enough — or investing enough — to protect or manage these endpoints, and are these actions or investments even being directed to the right places? “Doing enough is a moving target as the cyber industry changes,” Cadregari says. He recommends going beyond vulnerability scans and engaging in a “strong user training program, at least annually and in response to events, with sets of endpoint detection and response tools and applications tuned and tested with internal penetration testing.” He also urges “documented and tested computer security incident response plans.” User training and planning “allow an organization to educate, protect and respond to an event, instead of just reacting.”

Unfortunately, “there is no magic wand to make all your cybersecurity woes disappear,” he says. “Every organization has its own unique challenges.” However, there are ways organizations can take action to help understand and reduce the impact of cybersecurity risks, Cadregari advises:

  • “Control complacency is not your friend; just because the control was working yesterday doesn’t mean it is today,” he says.
  • “Buy or grow your internal cybersecurity knowledgebase.”
  • “Establish a cybersecurity budget separate from the IT budget.”
  • “Perform cybersecurity training, at hire, at least annually, and train again and again.”
  • “Perform vulnerability assessments and penetration testing externally and internally.”
  • “Test your users at a level that doesn’t instill testing fatigue.”
  • “When contracting with a cloud company, fully vet all their controls at a level commensurate with laws and regulations and standards the organization has to meet, the types and amount of data they will have any control of or access to, and know where your data will live.”

Finally, don’t turn over cybersecurity responsibility to the cloud. “Cloud companies, from the aspect of a managed security partner can help, but they are not a panacea,” says Cadregari. “They can be your prevention, analysis and reporting arm, and can be critical to the process of maintaining an effective cybersecurity posture. However, it is unrealistic to believe they can catch every single action or attack — internal as well as external — that can affect an organization and an organization shouldn’t fall into a false sense of security just because they have outsourced the management in this area.”
