Imagine you invest millions in cybersecurity technology. Then, an untrained employee clicks on a link in an email. He just rained on your cyber parade and completely negated every measure you implemented. This scenario would be awful. However, it is not uncommon.
The most vulnerable part of any organization is its end-users. “Knowing is half the battle,” says Nathan Horne, a senior security engineer. “If you properly train your users, a decent portion of your concern goes away.”
Typically, phishing or malware succeeds because an employee opens an email or visits a website that a CIS admin did not block. Unfortunately, you cannot stop employees from checking their email or surfing the web on their own time. There is no 100 percent block.
“You can’t protect people from themselves,” Horne says. “Honestly, what a good portion of these appliances do is attempt to protect the end-user from themselves, but there is no such thing; you need to train,” he continues.
Start training strategically and watch the incidents drop. People who have the ability to control or direct funds are the most targeted, so they should be at the top of the training priority list.
Training comes in several forms. To start, you can add cybersecurity to yearly corporate compliance training. Tyler Smith, a senior software engineer, recommends educating users who violate company policy.
For example, Smith previously headed a DLP program for an enterprise, where he would see 200-300 policy-violation hits. His co-workers suggested staying quiet because the violators were very important and busy people. Smith did the opposite, and within 90 days that number dropped by two-thirds.
Smith says most of the people violating the company policies were doing so because of broken business practices.
“People want to do the right thing. They just need to know what that is,” Smith says.