Written by Kathy Gleason, CHC, HIT+ Compliance Analyst for c1secure
Two commonalities exist in the majority of data breaches: malicious intent by an individual or group, and a vulnerability within the organization that can be exploited. Statistics abound in the media, and a myriad of cybersecurity firms offer reports intended to help reduce the occurrence of data breaches. The fact remains that there are many ways to aid your particular mission, but if you can focus on mitigating these two commonalities, your risk of a breach will decrease dramatically.
Technology-enabled solutions continue to advance on a daily basis, and so do the abilities of hackers, resulting in the familiar “what came first” (chicken or the egg) paradox. Using technological advances in your environment is certainly a prudent defense, but there is another major area of vulnerability that needs constant supervision and maintenance: the Human Factor. As trends and facts indicate (Anthem, Target, etc.), the user is frequently the weakest link in a defense-in-depth model. Hackers seek to gain access in a variety of ways, including targeting staff through cleverly disguised impersonation schemes. They need only find one person who falls for the trick, and the hacker gains access.
To address the Human Factor, security training programs must go beyond just security awareness; it’s really about building a culture of “security intelligence”. A user of corporate systems being “aware” of risks is important, but that same user being “intelligent” enough to recognize a threat and take the proper action is where your culture needs to be. It’s a more robust approach, exceeding the traditional “what might happen” to include: “when” it happens, this is what you’ll see, and this is what you can do to mitigate the risk. There are no simple methods; “security intelligence” requires the design, implementation and maintenance of a program that informs and educates the user with the right content at the right frequency. The resultant user behavior, when faced with a potentially malicious email, phone call or unexpected visitor, will be to stop, think and report.
Vast arrays of resources are available to enable “security intelligence” objectives. These resources are displacing existing approaches that include: awareness training at orientation and then annually thereafter, the mandated annual training accompanied by a questionnaire, or the self-paced narrative for employees to complete with no interaction or discussion. Current economics now support the investments required to make a change. Recent data breach cost estimates approaching $100 million each justify expenditures for robust training applications that average $8-$10/year/user or less, and free tools are also available.
A successful Security Intelligence Training program needs the following components:
Even with a robust program, it is possible a breach may still occur. To further validate effectiveness, some companies are contracting with independent third parties. These parties randomly test the Human Factor components of a program via impersonation techniques. In addition, some are engaging external parties to maintain and facilitate the “security intelligence” training program.
The key goes beyond creation and implementation. Success lies in the continuous execution and testing of an established “security intelligence” training program and its associated protocol. Take care of your users by training them with relevant, intelligent content and a robust delivery method, and they’ll take care of you.