Beyond the Breach: Securing Your IT Through Employee Awareness

Not even the most expensive security system can help you if you can’t “patch” your business’s greatest cybersecurity vulnerability: your staff. Research paints a sobering picture: according to a study by the Identity Management Institute, more than 90 percent of cyber attacks are only possible through information stolen from employees.

“Organizations still fail to protect their most valuable assets from hackers because they focus too much on network security while ignoring the employee identity theft and access exploitation risk,” explains Henry Bagdasarian, founder of Identity Management Institute.

Disturbingly Small Fraction

Despite the urgency of the situation, a disturbingly small fraction of businesses take action to minimize a perceived lack of cybersecurity training on their employees’ part. Companies may be loath to allocate the right amount of resources, believing that spending on training fails to provide a significant return on investment.

The growing cybersecurity training gap turns up again and again in numerous surveys. According to the Pew Research Center, only 50 percent of a representative sample of employees could answer a list of basic cybersecurity questions.

And less than half of companies provide any cybersecurity training (as found by an Experian/Ponemon Institute study) and more than half don’t retrain employees after a data breach occurs.

Strengthen Knowledge, Fortify Your Security

“Many security officers intuitively know that security education is an important line of defense against cybercrime,” explains Wombat Security Technologies’ President and CEO Joe Ferrara. “They have trouble convincing senior management to spend the money necessary to execute an effective training program.”

In reality, instituting employee training brings returns out of all proportion to the cost: reducing the risk of a cybersecurity breach by up to 70 percent, according to a Wombat Security Technologies study.

Improved cybersecurity training for employees should go further than just a single basic course for employees. The data suggests that cybersecurity awareness should cover the following:

  • Required, advanced-level training for all employees and contract workers – participants must finish their training with a complete understanding of the risks that can lead to a data breach
  • Retraining on an ongoing basis, addressing new and evolving threats. Compliance degrades rapidly within weeks of the training sessions’ completion, underscoring the need for regular retraining. Conversely, employees’ awareness of cybersecurity risks run highest immediately after a breach; employees should undergo a briefing in such an event.

“The single most important and cost-effective action any company can do to raise its game on information security is training, but it can’t be a one-time orientation video for new hires,” explains author, IP and legal security consultant James Pooley. “To be really effective, training has to be continuous; varied, so it’s interesting; world class, which means hiring experts, and inclusive, [which means] executives have to join in.” 

Carrot and Stick

But not even a training program can help a company that refuses to reinforce the new information with penalties or incentives.

“The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what’s learned,” explains Tom DeSot, Chief Information Officer of computer security provider Digital Defense.

The Experian/Ponemon Institute study bears this out: less than half of surveyed companies formally reprimand employees whose careless data habits cause a cybersecurity breach. And 67 percent of respondents have no incentives to encourage employees with good data habits.

Holding Everyone Accountable

“Employees aren’t being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats,” DeSot complains, recalling a social engineering experiment he performed on a client that yielded full access to the client’s network in less than an hour. “While they did have an information security training program in place, no one was enforcing the practices being taught,” DeSot recalls.

Another Problem Emerges: Security Fatigue

IT decision makers have a hard enough time making decisions for the benefit of your whole enterprise. Add the numerous decisions you have to make with regard to cybersecurity alone (What password do I use?,” “Who gets access to sensitive data?”) and it’s no surprise that some simply give up.

A new study from the National Institute of Standards and Technology (NIST) puts the spotlight on “security fatigue”: a trending decrease in cybersecurity vigilance and corresponding increase in risky behavior, experienced by users who are overwhelmed by the need to stay alert against threats to their data.

“We were completely surprised by our findings.” study co-author, Mary Theofanos of the NIST, explains in a video. “We found this underlying theme of fatigue and weariness which came with dread and resignation!”

Security and Psychology

Theofanos believes that “security fatigue” mirrors a phenomenon in psychology known as decision fatigue: “The more decisions we make in the course of the day, the harder [making] the decisions become,” Theofanos says. “What your brain does in response is, it goes into another mode: it tries to either avoid the decisions, or fall back on something that it knows how to do very easily, fall back on habits.”

This, Theofanos explains, is what the study found from its respondents: “They were no longer able to make decisions with respect to security.” Fatigued by fear and uncertainty, many users’ decisions swing toward impulse and lack of caution.

For example, users of your sensitive company data might resort to easier-to-remember passwords… that also happen to be easily teased out by a determined cybercriminal.

Users might also self-justify their lack of caution, claiming that their data is inconsequential to hackers; or say that IT vigilance is pointless, given that large companies regularly fall victim to hackers anyway.

This and many other manifestations of security fatigue are bound to cause trouble for your computer security, with major consequences down the road. Consider this: according to a 2016 Experian study, “one in five consumers notified of a breach stopped doing business with the company that compromised their personal information.”

Do the Right Thing

The solutions, explains Theofanos, tie into a key goal in cybersecurity: “to help users do the right thing, make it hard for them to do the wrong thing, and help them to recover when the wrong thing happens,” she explains.

Half of the solution relies on creating good cybersecurity habits: “We want to instill habits in people so people can fall back on those good habits, rather than avoiding those decisions,” Theofanos explains. This solution may involve security training for end users. Not only do end users get on board with the company’s IT security posture, this creates a fixed cybersecurity policy for them that helps avoid fatigue from dealing with uncertainty.

Theofanos also suggests that cybersecurity rules be simplified: “eliminate some of the decisions for users.” Some cybersecurity decisions might be taken off an end-user’s hands, reducing the risk for security fatigue down the road. “If the decision-making process is so difficult, why don’t we make some of those decisions for the users?” asks Theofanos.

Strengthening the cybersecurity weak link is now more important than ever. And companies can’t plead lack of budget, or lack of expertise to excuse their employees’ lack of cybersecurity training – third-party managed IT services can step in to provide the employee training that businesses sorely need these days.

In the end, cybersecurity becomes everyone’s responsibility: it’s on the employees to nurture good habits that keep breaches from occurring, and it’s on the upper management to foster training that makes those good habits possible and keeps breaches from occurring.

Asking for Help

A 2014 study by Dell reports that more than 75 percent of respondent organizations admitted to security breaches over the past year, but less than 20 percent prioritized the prediction and management of previously unknown threats.

“Organizations are being more reactive than proactive with their IT security resourcing,” the report states, “reacting to big IT trends, rather than spending money protecting the organization from unknown threats before suffering a breach.”

It’s understandable in hindsight: if your core business functions are already keeping you busy at all hours, it’s difficult to focus on building a defensive plan for your company’s data. But with the constantly changing nature of today’s security risk, you need to prioritize that security plan, or else.

An IT outsourcing services provider can build and maintain your security plan for you, allowing you to focus on building your core business, as well as get you started on understanding the threats to your enterprise and help you plan a response. Together with your services provider, you can ensure that your company’s intellectual and financial assets are well guarded, ideally behind several layers of protection that cover different elements of your network, including email, devices and user authentication.

Even with an outside provider picking up the slack, you need to be on the same page vis a vis threats and responses. The success or failure of your security plan may hinge on your ability to collaborate with your service provider on the following crucial elements:

Understanding, prioritizing your threats. At the outset, you and your services provider need to perform a risk assessment that identifies particular threats, evaluate weaknesses and the potential for damage, define responses, and build a plan to fix the weaknesses and respond to threats.

Pay special attention to the vulnerabilities you find, as they may turn out to exist not just in your technology, but in your processes and particularly your people as well. Sometimes social engineering tricks can overturn even the most well-thought-out defenses, like “found” USB sticks that load ransomware onto unsuspecting users’ computers.

Getting the whole company to sign on. “Enterprise security is a cross-departmental problem that affects many different stakeholders,” explains Elizabeth Lawler, CEO and Co-founder of security company Conjur, Inc. “Everyone from the C-suite to Operations, Development, and Security needs to be on the same page before any action takes place.”

In short, the days when information security was the sole concern of the IT department are over. Information security is now everybody’s business: an effective security plan requires everyone’s involvement in an organization-wide effort. This collaboration can be enforced through internal audits that review security policies and procedures; and by getting individual departments’ agreement on higher-level security planning.

“Your organization’s security requirements need to be carefully outlined and agreed upon while aligning with each department’s strategic goals for the year,” Lawler explains. “Approach these discussions with a sense of collaboration and without any confrontation.”

The growth of regulatory requirements has led some companies to take risks with their compliance. “Everybody tries to figure out how much risk they can assume without being embarrassed or caught,” explains David Taylor, Protegrity’s VP for data security strategies. “The people I regularly talk to are trying to figure out if [their security] fails, what’s the smallest amount they need to do to stay out of trouble and how they can blame someone else.”

Outsourcing your security plan can help you stay grounded. Outside services providers can serve as a third party that dispassionately ensures your security plan’s compliance with regulations that govern your industry, such as the Sarbanes-Oxley Act for publicly held companies, the Gramm-Leach-Bliley Act for financial services providers, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers.

Strengthening the cybersecurity weak link is now more important than ever. And companies can’t plead lack of budget, or lack of expertise to excuse their employees’ lack of cybersecurity training – third-party managed IT services can step in to provide the employee training that businesses sorely need these days.

Andreas Krebs
Konica Minolta

This article originally appeared in the June 2017 issue of The Imaging Channel