The Best Cybersecurity Programs Put Employee Training First

Posted on by Robert Ackerman

Timely advice about creating a worthwhile corporate cybersecurity strategy sagely starts today by realizing that establishing firewalls and relying on the IT department to monitor attacks isn’t sufficient. Reactive strategies break down over time, making proactive strategies crucial. 

Further, defensive strategies work only within centralized, controlled and managed-device networks – all now tottering on the edge of extinction amid the proliferation of cloud computing, the Internet of Things (IoT) and mobile technology. 

Experience continually reinforces the reality that the human element is the weakest link in cybersecurity. This means the most important proactive strategy of all is to train everybody in a corporation – and I mean everybody – in good cybersecurity practices, along with their contractors and vendors. All employees should not only understand what is expected of them regarding company security policy and good online behavior, but also be trained to spot nefarious or suspicious activity and to conduct periodic tests to ensure best practices are followed. 

It is employees, after all, who are the first – as well as the last – line of cyber defense. 

Corporations need to balance technological deterrents with agile, human-centric defenses. This is instrumental because cyber technology continually evolves, which means purely technological solutions cannot keep pace. In addition, it is much tougher to play defense than offense, and attackers, unlike defenders, have patience on their side. And, too, many attackers are typically as knowledgeable as corporate cybersecurity pros and only to have to be right once to be successful, while cyber defenders have to be right all the time. 

The cost of not getting cybersecurity right can be devastating. Pharmaceutical giant Merck, one of the victims of this summer’s NotPetya ransomware attack, recently said it cost the company $300 million in Q3 and may reach that level again in Q4. The attack was disseminated through Windows, and Merck may have been vulnerable because it apparently wasn’t running the latest, more secure version of Windows corporate-wide. 

Assume Defenses Will Be Breached

Regardless, it is best to assume that defenses will be compromised at some point – no organization is cyberattack-proof – and to train employees what to do when that happens. The sustainability of the business ultimately hinges on what every employee, internally and externally, does. 

Training alone, of course, isn’t sufficient. Once it’s in place, corporations also need to create a highly tailored cybersecurity strategy. 

Companies must reevaluate how their systems and networks are used and who uses them, and then implement a feedback loop. It would be wise to start with technical assessment of current areas of weakness and then follow up with a review of non-technical matters. The technical assessment helps identify vulnerabilities within the network. Policy and employee assessments help identify non-technical areas that need to be assessed. It is essential that this process be open ended and repeated regularly.  Networks are dynamic. Assessments also must be. 

Specific security programs then need to be implemented, plus steps to assure follow-through, such as the application of software updates and patches to help minimize vulnerabilities. Policies should also identify roles and responsibilities, including acceptable use conditions for employees, and a point person needs to be chosen to make sure these are implemented and maintained. 

Employees must be taught to recognize deceptive cyber ploys and other common threats to help enable them to act as the first line of defense against cyber attacks. In addition, they should be instructed about safe password management and secure browsing practices. 

Cybersecurity Security Should Be Shaped By Technical – and Non-Technical -- People 

Along the way, both technical and non-technical players should participate in shaping a security strategy. The technical folks ensure that the plan satisfies the needs of IT and business operations. Non-technical folks, meanwhile, are usually better at nudging employees to take corporate cybersecurity policy seriously and at monitoring employee cyber policy. 

Corporations also must establish protective monitoring to prevent and deter “insider” threats, whether intentional or accidental. This provides an over-arching view of cyber activity throughout the corporation and supports a positive culture to deter bad behavior. And, of course, it helps companies combat the threat posed by insiders. 

Most important of all, corporations and other organizations must build a solid and highly tailored cybersecurity foundation – i.e., a sound analysis of security capabilities from a bottom-up, device-centric perspective. The application of traditional firewalls, intrusion prevention systems and multi-factor authentication (moving beyond two factors), for example, typically needs to be tweaked or changed substantially, depending on the devices and nodes used in a corporation. 

Also part of a good foundation is an appreciation of context, which is how the network interacts with particular devices, as well as the realization that corporations must play offense, as well as defense. 

Regarding context, company security staffers must determine which network nodes they can control and which they can merely observe in an advantageous manner. IoT devices, for example, offer the least control. Companies with lots of these might want to consider the so-called “ring-fence” approach. This entails drawing a perimeter around devices that require access to similar resources in an effort to better monitor overall cyber behavior and react more quickly to problems. 

Red Teams and Blue Teams 

Offense is often as important as defense because it helps instill a mindset of continuous cybersecurity improvement. Corporations should regularly challenge the quality of their cybersecurity defenses via proactive testing, commonly known as “red team, blue team exercises.” Penetration tests and threat modeling, for instance, enables a red team to challenge lower-profile attack avenues to better understand their vulnerabilities. Defense-oriented blue teams, meanwhile, can help fix the security weaknesses unearthed. 

When the development and implementation of a cybersecurity strategy is completed, companies should take the trouble to gauge whether it is sufficient. 

Here is an informal checklist:

  • Is cybersecurity policy driven from the top of the organization? A strong cyber strategy is a core corporate message, and it is driven by senior management. Remember, cyber security is about risk throughout the enterprise. IT is simply the vector.
  • Does cybersecurity come up at or near the start of every meaningful IT discussion? It’s much easier to implement cybersecurity early in the lifecycle, rather than as an add-on.
  • Is cybersecurity communicated in basic English? Every employee should understand what they need to know about cybersecurity. “Geek speak” is a no-no.
  • Has your company established a predictive security edge? Do you have the wherewithal to anticipate your adversary’s next move?
  • Does your data security system work in harmony? In other words, do your people, processes and technology work well together?
  • Are there ample “change agents” spread throughout the corporation? Advocates help spread the cybersecurity vision across the enterprise.
  • Does your corporation embrace cybersecurity? Cybersecurity is part of your cultural DNA. As such, it’s factored into all business decisions. Your organization naturally embraces good cybersecurity policies – without a second thought. 

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Security Strategy & Architecture

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs