There are commonly two trains of thoughts on cybersecurity in an organisation. From the IT side, the view is often ‘security is everyone’s responsibility’, whilst from the individuals perspective ‘the IT should protect me from the security stuff so I can just get on and do my job!’.
Whilst both views are entirely valid, they are usually present in an organisation and there is often a wide gap between these camps where breaches end up occurring. We have seen it all too often where IT throws a mandatory 30 minutes cybersecurity online training session at everyone and places a few posters around the building. They then come down hard on individuals when they click on a malicious link or otherwise do something that would make the IT Security folks scream in frustration.
The truth is that to get the required action, malicious actors most often target the most susceptible part of any IT system; the individuals who are trying to get their job done.
Maybe it is a person in Finance juggling multiple pressures, who receives dozens of invoices via pdf each day from all sorts of unknown sources and is expected to open each of these and load them into the organisations finance system. It only takes a moment to open a single malicious file, but when your job is to open files all day for processing, is it only the individuals fault if they open this file?
Maybe it is the receptionist; the first point of contact in an organisation, who is trying to present a friendly image and lets a caller know information that could help a malicious actor infiltrate the IT network.
We think that training needs to go hand-in-hand with tested processes in handling situations and what/how information should be disclosed alongside IT systems that stop malicious activities, either at the gateway (mail filters and URL sandboxing, for example from Mimecast or Proofpoint) or on the end-compute device (Antivirus, firewalls, web scanning, policies and restrictions).
Technology certainly plays a part but historically is very binary with allowing or blocking things (yes or no) and whilst technologies such as machine learning is being integrated into all sorts of solutions to help with grey-areas between yes and no; to automate making informed decisions as to if something falls into yes or no categories, inevitably things will fall through the IT security systems and be presented to the individuals.
Maybe training should be tailored to provide tips and techniques to improve the general security hygiene that can apply to individuals personal IT habits, rather than just at work. Maybe IT should be clear what protection is being used, but explain that threat actors are constantly changing their habits and that we need their help to protect the data, processes and systems. Carrot before the stick approach; you don’t want someone who has clicked on a malicious link by mistake to then not report it to IT for fear of repercussions. Maybe processes should allow for appropriate checks and balances to catch malicious activities and be regularly reviewed and tested. Maybe, maybe, maybe…
In short, this is an area where there is no one best or single way to deliver the perfect security. This needs to be tailored to the organisation based on the IT teams and systems in place, the organisation culture and risk management. We suggest you cannot rely solely on IT systems or training alone.