People are the largest security vulnerability in any organization. Some expert advice on how to make cybersecurity training more effective and protect your business.
Employees are a company's greatest asset, but also its greatest security risk.
"If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities," said Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council.
In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. "Most organizations roll out an annual training and think it's one and done," Simpson said. "That's not enough."
Instead, Simpson said organizations must do "people patching": similar to updating hardware or operating systems, you need to consistently update employees on the latest security vulnerabilities and train them on how to recognize and avoid them.
"Your people are your assets, and you need to invest in them continually," Simpson said. "If you don't get your people patched continually, you're always going to have vulnerabilities." Even in a company with hundreds of employees, it's worth training them as opposed to taking on the risk of a breach, he added.
However, it's important to empathize with your employees as well, said Forrester analyst Jeff Pollard. "People represent a large potential attack surface for every organization," Pollard said. "The reason I don't like to think of people as a security vulnerability is that it encourages a blame the victim mentality. Security teams exist to protect information, people, and the business."
When a user makes a mistake and clicks on an email that causes an infection, we often think that was the cause, Pollard said. But that's not actually the case—the organization was already under attack when the attacker sent the email, before it was opened. It also means every other security control in the path of that attack failed, he added.