That magical cyber amulet that is going to stop every cyber attack and make our organisations resilient and future-proof has proved elusive so far.
And on a not unrelated subject, some of us may be wasting large chunks of our security budget in the search for magic bullets, while simultaneously providing employees with 20 minutes of e-learning once a year and wondering why we are still experiencing security failures.
When those failures inevitably happen, the finger of blame tends to point to the user. But the truth is that we fail users by implying that they are stupid while simultaneously providing them with poor-quality education (if at all) and through poor leadership and direction.
We have decent health and safety legislation and our workplaces are safer than ever – but people still have dreadful accidents at work. However, if this is shown to be due to poor or ineffectual training, we blame the negligent employer. That employer will face legal action, and quite rightly so.
But at the moment, it feels like if you make a cyber mistake because your training was not fit for purpose and you don’t understand the policy, then you must be a stupid user.
I am the first to acknowledge that training can be difficult and potentially expensive (a bit like dealing with a security breach). If you are a large, complex or multi-site organisation, making sure all staff get regular, well-crafted and pertinent training may be very challenging. But the truth is, as things stand, people are the first line of attack and defence.
Attackers know that we place a greater premium on technology, that people are often poorly trained, and that security culture is therefore lacking. As an attacker, would you try to storm the castle gate or find an untrained stable-hand to let you in? Chances are that most employees offer criminals more opportunities to weasel their way in than they would get by trying to break down the heavy technical cyber defences at the front door.
So it won’t surprise you to learn that I am still going to suggest training and education for all employees, management and board members. Either that or remove network access and email access from those who have not achieved an appropriate level of understanding. You can back this up with effective email monitoring and anti-malware to filter out known threats headed towards their inbox and save them some time and trouble.
Get an incident response plan and team in place, drill and test the plan and keep the team up to date with developments. Make sure you have a good communicator on the team to ensure organisational clarity at all times. A senior manager or director should also be involved to provide leadership, a champion who will help improve security culture.
To back this up, use network monitoring to make sure you are getting the most up-to-date information for the team to respond to and disseminate to the business. Learn from the mistakes of others and decide what your policy will be on sharing information about security incidents and how you will approach any resulting media responses.
Remember that sometimes there will be people using physical systems that also need protecting and that must be included in incident response and management. Until the cyber amulet or silver cyber bullet appears to save us all, we must address the people issue. Although training and education can be challenging, the truth is that well-educated people are actually the best defence we have.