Your organization has been, and will be, attacked. The sophistication of these attacks has changed over time and will continue to evolve. Many organizations have increased their focus on prevention, but where should one start?
As security professionals, we want to prevent cyberattacks, but how do we avoid security fatigue? Attackers are, and always will be, more advanced than our users. Beyond prevention, we need detection and response, but is that enough? And when does it become too much?
It’s vital to implement not just security controls, but the right procedures to ensure you are effectively leveraging your users as part of your security posture, while also not desensitizing them to those processes.
Users need cyber awareness training and it cannot be annually, bi-quarterly, or monthly – it needs to be a continuous activity. However, it’s a fine line between training and checking a box.
For example, forcing your users to take training such as the following will not achieve any actionable results:
“Bill got an email from HR@Gmail.com asking for his Social Security Number. What should Bill do?
Option A: Reply with the information requested.
Option B: Delete the email, open a ticket with IT security, and never share personal information with anyone outside the organization.”
In fact, according to new Mimecast global research conducted by Vanson Bourne:
In addition to prevention, it has now become crucial for organizations to perform regular, and effective, training for their entire user base. While executives and those in finance or positions that handle sensitive data are important, it has become the responsibility of every user to be vigilant against the latest threats. So, how do you do it? How do you protect yourself and your organization?
An organization may implement something like two-factor authentication – yet, implemented carelessly, it can create an almost Pavlovian response. Sign into an application, phone dings, tap to approve. Sign into another application, rinse and repeat. A user conditioned to approve every prompt will approve the one they did not initiate.
Creating reflexive habits weakens your security. Instead, leverage effective methods of cyber awareness training. Send phishing emails to test your users, and track their results, but make them convincing and engaging. Like the ineffective test question above, testing your users with simplistic or overly obvious phishing test emails will not be effective, nor will forcing them to watch or attend hours-long training.
The most effective methodology to train your users, without damaging your security posture, is through the appropriate formula. You can start with these three tips:
I recently spoke with a director of IT at a conference who explained they had been using security awareness training software for over a year and it had reduced their user failure rate by over 30%. However, a user who had never fallen for one of the phishing simulations was their first user to fall for a real phishing attack.
The results you achieve are only as effective as the cybersecurity tools being leveraged.