People-centric Cybersecurity

There’s a popular saying in the cybersecurity industry: people are your first line of defence. This is because, with poor cybersecurity hygiene, employees are more likely to click on phishing emails and potentially expose the company to devastating cyber-attacks. But, by providing employees with cybersecurity training, companies can prevent cyber-attacks caused by human error.

The three pillars of cyber security – people, process, and technology – have for years been integral and fundamental to developing our cyber security and infosec strategies and to optimising the security of many of our corporate infrastructures.

With an ever more complex and sophisticated cyber threat landscape, the goal of protecting our networks remains challenging for cyber security professionals, who work under the tyranny of the urgent with minimal resources and shrinking budgets.

For me, our people are our greatest asset; influencing and developing that security-focussed culture amongst our people is critical to preventing and reducing attacks. Whilst our people are at the forefront, the integrated and complementary “process” and “technology” pillars, correctly applied, go a long way to improve security.

Some perceive our people as our greatest risk; however, we need to change that mindset and ensure that the incentivised commitment and engagement of our people with cyber security remains an essential component of a strong cyber defence. It remains critical, as part of our cyber security delivery, to focus on the human aspect in developing and improving our overarching organisational cyber security posture.

Securing management buy-in to drive that incentivised, non-blameworthy cyber culture of challenge, focussing on security as an enabler, positions your organisation favourably with your customer base. It demonstrates that, by securing information assets effectively, your organisation proves itself worthy of the trust that your customers, suppliers and stakeholders place in it when they share personal or business data.

As part of that layered “Defence in Depth” approach to cyber security, a comprehensive security awareness training programme for our people is vital. By implementing and developing an internally and externally supplied, often automated, cyber security training programme, you will foster a culture of awareness and confidence, enabling your resources to identify suspicious and malicious attempts to unlawfully access your network.

People’s participation and training in platform-based programmes simulating phishing emails, ransomware attacks, business email compromise, weak passwords, social engineering and more will strengthen their ability to recognise malevolence and conquer human error.

It is, however, crucial to remember that building a comprehensive training plan through traditional teaching methods and automation, and strengthening the human defence within an organisation, is only one part of this layered defence in depth strategy.

The Process and Technology pillars require equal application and attention to strengthen defence, and very much complement that robust training regime. Other automated processes such as Intrusion Detection & Prevention Systems (IDPS), Security Information & Event Management (SIEM) technologies, System Monitoring, Extended Detection and Response (XDR) and much more all form crucial components of the security stack in preventing cyber-attacks on your organisation.

Promoting that inquisitive, suspicious culture for our people through awareness training strengthens our position, but we also need to target and regularly review our core business processes to ensure that, when that unsolicited fraudulent email arrives, our training and processes halt criminal behaviour at source.

With the shift in criminal trends from the physical to the virtual space, cyber security is a problem that continues to grow exponentially. We can, through suitably applied methodologies, reduce the opportunity for criminal intrusions, and with improved investment in that comprehensive cyber security training programme, an organisation takes a step in the right direction.

Eamonn Keane is VP Security Services at Systal Technology Solutions, responsible for the custom focussed delivery of a range of defence in depth methodologies to ensure optimum organisational infosec and cyber security. Eamonn extends his 40-year law enforcement investigative career, which concluded with the investigation of SOC cybercrime and fraud, into the private sector.
