With few exceptions, recent major incidents can all be crunched down to one single thing – the human factor. Not “patching” the human firewall has proven to be hazardous and even fatal. And the common denominator is the lack of a security awareness process.
Throw the concept “incident management” into a pit full of security experts and watch them go into a frenzy like sharks on the Discovery Channel. Best-practice solutions and strategies for incident mitigation will rain down. Seldom, if ever, will the root cause be addressed – the lack of effective security awareness.
One magic back door into your infrastructure is the password. In this article it serves as the example for the argument.
Cracking passwords is the holy grail of many attacks. If successful, you’re in, undetected, free to wreak havoc, steal information and encrypt the endpoint in pursuit of ransom. So having a secure password is essential. Many claim that password complexity and entropy, hashing of stored passwords and two-factor authentication will secure your infrastructure, making brute-force, rainbow-table or even dictionary attacks hard. The debate over which of these, if only one, is the safest and most secure option is ongoing as we speak.
Time out. How did we come to this? Solving a human issue with technology, often expensive at that?
The Achilles heel is (hu)man. All agree on this. Recent studies conclusively point to the human factor. Whether it is about incidents involving personal data or infrastructural breaches, it all boils down to the human firewall that is seldom, if ever, “patched”. And if you have a security awareness program, it is often a single event you tick off annually, instead of raising awareness all year round and focusing on risk behaviors.
The typical user in our cyber era is mobile, communicative and needs to be protected at the endpoint level, as they are a vulnerable part of the internet of things. The back door into your infrastructure is, as previously stated, their passwords. We all know that hacking via social engineering, shoulder surfing in a café or even finding one of their sticky notes with “Summer123456!” written on it opens a highway into your infrastructure. This is where security awareness could be a game changer. If a person knows how to conduct themselves – and how to create strong passwords – you are on your way to a more secure infrastructure. Weak passwords are like plywood doors protecting the new gold – personal data. Knowing not to surf on open WiFi networks, to really stop and think, even to ask a colleague before reacting, can be the difference between a breach and none. So you need to educate people by raising awareness with a focus on risk reduction.
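As an added illustration of the two paragraphs above (this script is written for this edit and is not part of the original article), the following Python code scores the sticky-note password “Summer123456!” two ways: the naive brute-force entropy that a complexity policy implicitly assumes, and a rough effective entropy that accounts for the dictionary word, the digit run and the trailing symbol an attacker would try first. The word list, digit patterns, symbol list, the 40-bit threshold and the passphrase used for comparison are all constructed assumptions for the example, not data from the article.

```python
import math
import re

# Constructed stand-ins for an attacker's wordlists. Assumption: real cracking
# dictionaries hold millions of entries, which only strengthens the conclusion.
COMMON_WORDS = {"summer", "winter", "password", "welcome",
                "company", "monday", "qwerty", "football"}
SEQUENTIAL_RUNS = {"1234567890"[:n] for n in range(1, 11)}   # "1", "12", ... "1234567890"
COMMON_SYMBOL_TAILS = {"!", "?", ".", "#", "@", "!!"}
WEAK_THRESHOLD_BITS = 40   # assumption: below this, an offline attack is cheap

CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def charset_size(pw: str) -> int:
    """Alphabet size a naive brute-force attacker would have to cover."""
    return sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, pw))


def naive_entropy_bits(pw: str) -> float:
    """What a 'length x character classes' complexity rule assumes the password is worth."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def meets_complexity_policy(pw: str) -> bool:
    """Typical corporate rule: at least 8 characters and 3 of 4 character classes."""
    classes = sum(bool(re.search(pattern, pw)) for pattern, _ in CHAR_CLASSES)
    return len(pw) >= 8 and classes >= 3


def _token_bits(tok: str) -> float:
    """Bits an attacker must search for one token, given the patterns people actually use."""
    if re.fullmatch(r"[A-Za-z]+", tok):
        if tok.lower() in COMMON_WORDS:
            # Dictionary word: choose one entry, plus one bit for all-lower vs Capitalized.
            plain_case = tok.islower() or (tok[0].isupper() and tok[1:].islower())
            return math.log2(len(COMMON_WORDS)) + (1 if plain_case else len(tok))
        # Unknown word: scored as random letters. This overstates strength for real
        # words missing from the tiny list above; the point here is the weak direction.
        return len(tok) * math.log2(26)
    if re.fullmatch(r"[0-9]+", tok):
        if tok in SEQUENTIAL_RUNS:                      # "123456" and friends
            return math.log2(len(SEQUENTIAL_RUNS))
        if len(tok) == 4 and 1950 <= int(tok) <= 2030:  # birth or current year
            return math.log2(81)
        if len(set(tok)) == 1:                          # "1111": digit choice x length
            return math.log2(10 * 8)
        return len(tok) * math.log2(10)
    if tok in COMMON_SYMBOL_TAILS:                      # the obligatory trailing "!"
        return math.log2(len(COMMON_SYMBOL_TAILS))
    return len(tok) * math.log2(33)


def effective_entropy_bits(pw: str) -> float:
    """Split into letter / digit / symbol runs and sum the per-token search cost."""
    tokens = re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw)
    return sum(_token_bits(t) for t in tokens)


def assess(pw: str) -> dict:
    """Policy verdict next to the two entropy estimates, for a training report."""
    effective = effective_entropy_bits(pw)
    return {
        "policy_ok": meets_complexity_policy(pw),
        "naive_bits": round(naive_entropy_bits(pw), 1),
        "effective_bits": round(effective, 1),
        "verdict": "weak" if effective < WEAK_THRESHOLD_BITS else "acceptable",
    }


if __name__ == "__main__":
    # The sticky-note password from the article versus a constructed passphrase.
    for candidate in ("Summer123456!", "pelican-velvet-orbit-marmalade"):
        print(candidate, assess(candidate))
```

The contrast is the lesson for an awareness session: “Summer123456!” passes the complexity policy and looks like roughly 85 bits to a naive check, but an attacker who tries dictionary words, digit runs and a trailing “!” first faces about 10 bits. The passphrase fails the same policy (two character classes only) yet leaves far more to guess. The tool teaches people what makes a password weak; the policy alone does not.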
But how does security awareness training come into play? Surely technical tools are enough? Individuals need to understand why to do things in a certain way. The why is simple – it’s cheaper than any security tool if done right. The how is a little trickier.
- Security awareness is a process, not a project or an event that is crossed off on the business checklist. The threat landscape is ever changing and in constant flux. Your process needs to be as well. Day after day, year after year.
- Focus – one thing at a time, one topic at a time.
- Measure the effect – ensure you’re doing the right thing. Phishing simulations could very well be one such variable for testing the effect of your awareness process.
Cyber-attacks exploit human weaknesses, provoking mistakes to gain unlawful access to data, devices and networks. At the employee level, continuously ensuring alertness, knowledge and dialogue is a crucial part of any organization’s defense. Without awareness training, employees will gradually forget and become less alert – and the security risk gap will increase over time.
Furthermore, pre- and post-training metrics on key digital security behaviors give you a clear indication of where to focus further risk-reducing initiatives.
Robert Willborg, CISO Junglemap