Whether their actions are inadvertent or intentional, your employees represent a large security vulnerability. Here are 10 recommendations from security experts on how to safeguard your business by keeping your workforce aware of the risks.
From the ebook:
Employees are a company’s greatest asset, but also its greatest security risk. “If we look at security breaches over the last five to seven years, it’s pretty clear that people, whether it’s through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities,” said Eddie Schwartz, chair of ISACA’s Cyber Security Advisory Council.
In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. “Most organizations roll out an annual training and think it’s one and done,” Simpson said. “That’s not enough.”
Instead, he said, organizations must practice "people patching": just as you update hardware or operating systems, you need to consistently update employees on the latest security vulnerabilities and teach them how to recognize and avoid them.
“Your people are your assets, and you need to invest in them continually,” Simpson said. “If you don’t get your people patched continually, you’re always going to have vulnerabilities.” Even in a company with hundreds of employees, it’s worth training them as opposed to taking on the risk of a breach.
However, it’s important to empathize with your employees as well, said Forrester analyst Jeff Pollard. “People represent a large potential attack surface for every organization. The reason I don’t like to think of people as a security vulnerability is that it encourages a blame-the-victim mentality. Security teams exist to protect information, people, and the business.”
When a user makes a mistake and clicks on an email that causes an infection, we often think that was the cause, Pollard said. But that’s not actually the case—the organization was already under attack when the attacker sent the email, before it was opened. It also means every other security control in the path of that attack failed, he added.