Security professionals have a saying: “The attacker only has to be right once, we have to be right every time.”
According to Jamie Winterton, director of strategy, ASU’s Global Security Initiative, it’s a call to action across the organization.
“Anyone attacking your organization only has to get in in one place,” she notes. “Once they get into the perimeter, it’s pretty easy for them to get around.”
According to Scott Shackelford, chair of the cybersecurity program at IU-Bloomington, “Some firms have lost more than $50 million in a single episode.”
If that’s not enough to make you sit up straight, consider the recent WannaCry ransomware attack that spread through vulnerable systems, including a lot of hospitals. Yikes!
This is the reason everyone needs to be vigilant about cybersecurity.
“Whether you’re in IT, or a call center, or in leadership, we’re all connected on the same network of computers,” Winterton explains. “It’s important for everybody to be cognizant of these threats so we can secure the whole thing.”
But too often, employees don’t take cybersecurity seriously because they don’t think it relates to them.
- They think, “I don’t deal with sensitive information.”
- They figure the work they do wouldn’t be that interesting to hackers.
- They assume that because they’re not at a high level in the organization, it doesn’t matter.
“Cybersecurity awareness isn’t just important for top management,” Shackelford asserts, “but for every level of an organization.”
That said, training employees to understand the cybersecurity world requires continuous attention because the threat surface is constantly evolving.
“It changes all the time,” Winterton says. “It’s tough to build a training package and have it remain relevant, even a year later. A lot of cybersecurity training tends to be from the past. We see a lot of training that actually gives bad recommendations on creating passwords, for example. The old ‘Hey, pick a word and replace the vowels with numbers,’ doesn’t work anymore. We need to stop telling people to do that.”
So how do you make your advice and training relevant?
- Keep it up-to-date based on the most current attacks and tactics. Outside experts can be a huge help here.
- “Make cybersecurity training engaging and relevant to the things that you do on a day-to-day basis, which are going to be different across the organization,” Winterton counsels.
- Use real-world anecdotes. “People can look at an example and put themselves in the shoes of the person in that example and think, ‘Gosh, what would I have done?’,” she adds.
- Make sure a large part of the training is done continuously, a little bit each day, as opposed to crammed into a single annual security training program.
A combination of all-inclusive, continuous, up-to-date, engaging and relevant training across an organization will make it harder for the attacker to be right, even once.