It seems that every time you hear the news about another data breach there is one common factor: human involvement. As cybersecurity professionals, we would assume that, as time has gone on, people would have absorbed their training and come to understand the risks involved in their everyday routine.
Before my time in cybersecurity, I spent ten years in IT operations management. There was a constant influx of support needs for viruses, lost or stolen devices, MFA confusion (or exhaustion), and email hazards. While these issues tended to pile up and multiply, they gave me a firm foundation for addressing the shortcomings in employee training and understanding. I believe that, if human beings are the primary workforce, there are several things we must do as cybersecurity professionals to ensure that our organizations are safe, secure, and exposed to as little risk as possible.
- Ongoing training
  - I know how employees react to yet another training module. It can be like pulling teeth to get some people to complete their tasks on time. If we are not consistently training our employees on what to spot, how to spot it, and what to do when they see something, we are opening ourselves up for disaster. For the past several years, according to the FBI and CISA, over 90% of all cybersecurity incidents were the result of human error and interaction. When we lack the effort, or sometimes the patience, to properly train employees, we are expanding our risk surface. Annual training is valuable, but without monthly, or at minimum quarterly, refreshers, security awareness does not stay at the forefront of anyone's mind. This training cannot be optional. Employees must know that training is a priority and that it will be followed up on.
- An Open Reporting Culture
  - More and more, people fear getting in trouble for making a mistake. While that fear is understandable, our organizations must approach incidents with understanding and care. If an employee believes that reporting a mistake will be met with an iron fist or a reprimand, they are far less likely to report it at the first sign of trouble. There are times when some sort of negative reaction is warranted. Perhaps someone is viewing an illicit site that harbors viruses and malware; a negative reaction or reprimand would be suitable and expected there. That said, people must know that if they make an understandable mistake, they will be met not with vitriol but with compassion. Immediate reporting is the number one goal after an incident, so that remediation can begin right away.
- Email Training
  - While this seems obvious, it always amazes me how many organizations refrain from ongoing phishing email training. Your employees can never learn what to spot if they are not being tested. All employees must be tested, and privileged users should be given additional testing. When an employee fails a test, we as cybersecurity professionals should follow up on it. What mistake was made? How can we help the employee understand how and why it happened? Do we need to begin individualized training for potential problem users? If you have privileged users who consistently fail their testing, perhaps they need to have their privileged access revoked until certain training criteria are met.
- An Understanding of MFA
  - The number of times I have worked with users who lament the use of multi-factor authentication is far too many to list. Most of our users do not understand how MFA works; they simply see it as a hindrance to accessing the items or platforms they are trying to reach. Along with this lack of understanding comes, at times, MFA exhaustion: the reflex to simply hit approve on a prompt even when the user is not legitimately accessing anything. Always ensure that users understand how to safeguard data and how to keep private items private. I am on a personal mission with employees to stress the importance of MFA on personal items as well as corporate items, such as email and social media. In an ever less secure world, people must understand how to raise their personal and professional level of security.
Our job does not start and end with our job descriptions. A job description was never intended to be the end-all and be-all of our day-to-day routine. We, as subject matter experts, must stress the importance of cybersecurity in everything that we do. While these four points do not cover everything needed to secure an organization, they are a solid starting point for any organization to enact. If we do not take up the mantle of employee understanding and security, nobody else will.