Danny Lopez at Glasswall Solutions argues that, while cyber security training is essential, organisations need to support it with investments in technology
Make no mistake, comprehensive cyber-security training is a core component of an organisation’s risk mitigation strategy. But it’s not a silver bullet.
Yet across many leadership teams, training is seen as a relatively inexpensive way to address cyber-security weaknesses. Compared to technology investment and implementation, for example, training staff to help reduce the risk of a cyber-security breach can feel like a relatively quick, inexpensive, and simple process.
Without doubt, it’s an important part of a rounded strategy, given the role people play in preventing attacks. Indeed, a recent study revealed that human error is actually the leading cause of data breaches, with 88% attributable to employee errors. As a result, building cyber-security awareness knowledge and effective processes has become part of the standard approach for organisations everywhere.
The problem is, however, that an over-reliance on user training can result in a false sense of security, and the truth is that organisations shouldn’t expect it to close all the gaps. Consider any form of one-off or infrequent staff training – assuming people will leave the classroom and then remember every detail, rule, and process is impractical.
In the cyber-security context, this can significantly increase the risk of a breach, especially given the growing sophistication and frequency of cyber-attacks.
A better way
In many circumstances, the reliance on end users’ awareness training also runs much deeper into an organisational culture of enforcement. In these situations, employees are put front and centre in the defence against cyber-attacks, frequently reminded that they must not be the weak link.
The problem is, this can actually do more harm than good, because the fear of being held responsible for a breach discourages people from reporting potential threats or actual attacks.
In the real world, everyone makes errors – even those who have received the most comprehensive training. And when the culture isn’t right, the net result is that some people will feel it’s better to say nothing about a mistake in their approach to cyber-security than to share details which might help mitigate an attack.
Take file-based threats, for example, which remain one of the most common ways for cyber-criminals to deliver malware, ransomware or other malicious code. Even though it’s now common knowledge among many people that they shouldn’t click on attachments or links – especially from unknown sources – it’s still difficult to avoid.
Many people simply forget, or the cyber-criminal creates a sophisticated attack that appears to be from a trusted source. Whatever the reason, employees shouldn’t be in the front line against this daily risk.
Instead, employers should be creating a culture where sharing cyber-security concerns – and mistakes – is actively encouraged. This starts with a shared understanding that while cyber-security training is important and to be taken seriously, it is only part of a wider strategy.
Ultimately, an organisation where employees raise the alarm if they think there is a risk or that a breach has actually occurred is likely to be more secure than one where they don’t. Whether they are right or wrong is not the point – employees should be encouraged to always share their concerns if something doesn’t feel right or they think they might have made a mistake.
Pursuing proactive strategies
To make this approach truly effective, organisations also need to identify and implement the right technology solutions that shift the burden of protection away from employees. This kind of proactive approach can seem at odds with the strategy employed by many organisations and security teams. For instance, the widespread reliance on reactive cyber-security technologies, such as antivirus and sandboxing solutions, leaves networks with potentially serious vulnerabilities and blind spots.
These technologies still play a key role, but new and emerging threats can remain undetected for days or even weeks until these tools are updated to identify and mitigate them. In the meantime, employees and IT systems are more vulnerable to attack, and no amount of awareness training can hope to address the rapidly shifting tactics employed by today’s cyber-criminals.
A more rounded approach where employee awareness is supported by solutions that proactively identify and mitigate threats holds the key to ensuring training is no longer a sticking plaster against the potential injury caused by a breach.
Building and maintaining a successful cyber-security strategy requires that training and technology combine. Given the growth in the volume and sophistication of attacks, it’s a change of approach that can deliver transformational impact.
Those organisations that balance effective user training with positive culture and proactive technologies are much more likely to defeat the daily risks their employees face.
Danny Lopez is CEO at Glasswall Solutions