New Advancement in Technology: End-User Education
An organization’s cybersecurity system is only as strong as its weakest link.
The old expression that “humans are the weakest link” in any cybersecurity program seems truer than ever. Even with top-of-the-line security systems and protocols, companies are more likely to experience breaches from within.
Many businesses may invest large amounts of money in software, hardware, and services to help prevent cyberattacks. However, it is also crucial for an organization to get employees up to speed on the basics of cybersecurity best practices.
It all starts with the basics. Sometimes, employees are unaware of cyber threats and how they work. They may not be able to spot one, and they may not know how to appropriately respond once they encounter malware in action or see a suspicious account or suspicious application behavior.
Whether a breach is small or large, organizations should have an Incident Response (IR) plan to help mitigate the risks of being a cyberattack victim.
Some organizations will establish a Cybersecurity Incident Response Team (CSIRT) as part of their incident response plan. This team is responsible for the internal guidelines and procedures that describe the security tools and communication channels used throughout the organization. Their goal is to have a plan that can be used to detect computer security incidents, respond appropriately to them, communicate the results and risks to stakeholders, and reduce the likelihood of an incident recurring.
Attackers understand that they can get past hardware, software, and trained technical employees by going after untrained non-technical employees.
Training employees is an excellent way of enhancing security in an organization. Training should allow employees to quickly understand the different types of risks the organization typically faces. It should also tell them where the central point of contact for reporting incidents is and how to reach it.
The following are various ways of implementing security training within an organization:
- Computer-based training can be provided once a user has onboarded, yearly, quarterly, or as needed.
- Formal classes can be offered annually to each office/building to initiate best security awareness practices.
- One-on-one training can be available to users if they request additional training.
- Other types of training can be on-the-job or self-study.
By educating employees about cybersecurity risks, an organization creates a security-conscious mindset that can help prevent cybersecurity incidents.
Typically, an Incident Response begins as soon as an incident is reported, whether by employees, end-users, vendors, or in-house IT staff members; a clear reporting path ensures a timely response. The IT Help Desk can act as the central point of contact for reporting incidents. From the initial report, the IT Help Desk can be responsible for monitoring all forms of communication and keeping track of any similar reports.
The CSIRT has the authority to declare an event as an incident; this will invoke the Incident Response Plan and call together the CSIRT to further investigate the incident.
Each organization should draft its own cybersecurity training strategy that best fits its needs. Common detection-related training topics include how to:
- Spot phishing emails
- Detect unusual account or application behavior
- Respond to a potential or actual cyber threat (event)
- Implement best practices for password and user-access credentials
With attacks that target people showing the highest growth rate, employee training and the adoption of IT security educational programs should be a top priority for any organization aiming to secure its IT environment.
One of the critical parts of an Incident Response Plan is to contain the incident once a threat has been identified and confirmed to be hostile to the organization’s systems or data. Containment aims to isolate the threat and to stop, or at least minimize, the damage by preventing the threat from spreading further.
The following are training topics on ways to contain an incident:
- Isolate: Depending on the severity of impact, affected PCs are removed from the organization’s system so they can be isolated and dealt with.
- Disable: Whether a system port or a single user account is affected by malware or a virus, it is temporarily disabled on the organization’s system to stop the attack from spreading.
- Blocking: Whether temporarily or long-term, items such as an affected port, compromised user accounts, impacted environment connections, or stolen laptops are securely blocked to mitigate the problem.
- Lockdown: If unauthorized personnel access locations that host sensitive data or assets, security guards or mantraps can be added to secure a lockdown area.
Organizations should adopt a flexible training approach, with material that is continuously updated to cover new threats both inside and outside the organization. Training should allow employees to understand the latest cybersecurity best practices.
Data collected from training employees can be used to improve the selection and implementation of additional security safeguards. Lessons-learned data is actionable data, which is very valuable for any organization.
Security implementation works best if an organization educates and trains its employees.