A widely cited study concludes that 90 percent of data breaches are caused by employee error. I think that’s a terribly unfair and counterproductive way to characterize today’s cybersecurity crisis. Blaming end users makes matters worse. Employees feel stupid, ashamed and culpable, while bosses and security professionals are handed a convenient scapegoat.
There are literally billions of phishing attempts every day. Hackers only need to hook a tiny fraction in order to win. Even the most careful and informed users will get tricked from time to time. It’s happened to me at least twice in recent years: once when I was in a rush and clicked a link I received from a person I trusted, and another time when a scammer fooled me by impersonating a company I’d done business with.
What should we expect of employees?
We should not expect employees to be the main line of defense for corporate systems. But what is reasonable?
- We should expect employees to be honest about security concerns and not feel shame when they click a link they should have avoided. The culture should encourage and reward transparent reporting because that’s the best way to stay abreast of emerging cyber risks
- It’s reasonable to expect employees to understand and follow the incident reporting process
- Employees should know who’s responsible for information and operational security
Employees need tools, not blame
Training is the usual prescription to improve employee security performance, and it’s fine as far as it goes. But even if employees spent half their time (!) in training, it wouldn’t solve the problem. Employees need simple but powerful, appropriate tools to do their jobs.
Employees should be able to:
- Check and run files in a safe and secure sandbox
- Verify the validity of links and URLs
- Search for, manage and remove personally identifiable information on their own computer
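One way a link-verification helper of the kind the second item describes could flag common phishing warning signs, shown here as an added example (not Fundamental Cyber’s software and not code from the post): it parses the real destination of a link and reports a non-web scheme, credentials placed before the host, a bare IP-address host, punycode labels (possible look-alike domains), and a mismatch between a URL shown as the link text and the URL it actually points to. The `check_link` and `triage` names, the two-label “registrable domain” shortcut (a production tool would consult the Public Suffix List), and the sample links are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Naive shortcut: treat the last two DNS labels as the owning domain.
# Assumption for illustration only; real tooling uses the Public Suffix List.
def registrable(host):
    return ".".join(host.lower().split(".")[-2:])


def check_link(display_text, href):
    """Return a list of warning strings for a link; an empty list means no warning sign found."""
    findings = []
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # Anything other than plain web schemes is unusual in a normal business link.
    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {scheme!r}")
    if not host:
        findings.append("no host in destination")
    # "user@host" puts a misleading name before the real host.
    if parts.username is not None:
        findings.append("credentials before host (user@host form)")
    # Legitimate services almost never link to a bare IP address.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    # Internationalized labels are encoded as xn--...; a common homograph vehicle.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible look-alike domain)")
    # If the visible text is itself a URL, its domain must match the real destination.
    shown = re.search(r"https?://\S+", display_text)
    if shown:
        shown_host = (urlsplit(shown.group(0)).hostname or "").lower()
        if shown_host and registrable(shown_host) != registrable(host):
            findings.append(
                f"link text shows {shown_host} but destination is {host or '(none)'}"
            )
    return findings


def triage(links):
    """Return only the links that produced warnings, as (href, findings) pairs."""
    return [(href, f) for text, href in links if (f := check_link(text, href))]


# Constructed sample links (text shown to the user, real destination).
SAMPLE_LINKS = [
    ("https://www.example.com/invoice", "https://www.example.com/invoice"),
    ("https://www.example.com/login", "https://www.example.com.evil-host.test/login"),
    ("Reset your password", "http://192.0.2.10/reset"),
    ("Sign in", "https://support@login.example.test/"),
    ("Open document", "https://xn--80ak6aa92e.test/doc"),
]

if __name__ == "__main__":
    for href, findings in triage(SAMPLE_LINKS):
        print(href)
        for item in findings:
            print("  -", item)
```

Only the first sample passes cleanly; the other four each produce at least one warning. Checks like these are deliberately conservative hints for the person holding the mouse, not a verdict, which is why the function returns the reasons rather than a single yes/no.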
What about the C-suite and security team?
When I was a child growing up in Washington, DC, we toured FBI headquarters. At the start of the tour, they showed us the Top 10 Wanted posters, displaying mug shots and information about the worst criminals in the country. They asked us if we’d seen any of these people and told us to keep an eye out for them.
My father leaned over to me and whispered, “If that’s how they hope to catch criminals, we’re in worse shape than I thought.” Thankfully, the FBI does have more reliable options and so do companies.
Here are some things that company leaders and security teams should do:
- Apply defense-in-depth and zero-trust techniques across the entire enterprise
- Implement active network and endpoint monitoring for intrusion detection and prevention
- Collect threat intelligence from open sources and maintain an accurate risk assessment
- Forget scoped audits and policy limitations; acknowledge that criminals can and will use all techniques available
- Have a competent cyber security company on retainer ready for incidents
- Perform at least one live annual incident response drill
Fundamental Cyber is dedicated to protecting companies and employees from cyber criminals and to enabling compliance with privacy and security regulations including GDPR and HIPAA. Our user-friendly, affordable software tools enable people to work safely at home or in the office. Learn the fundamentals at https://fundamentalcyber.com.