Posted by Tim Femister on Oct 23, 2018 10:00:00 AM
The best defense against modern cybersecurity threats is not a technology at all. While there is currently a great deal of focus on Artificial Intelligence (AI), good old human intelligence is the secret ingredient. To keep your organization from falling victim to cyber attacks, your employees must develop strong cyber instincts. We constantly coach customers on the idea that the strongest firewall you can own is a resilient human firewall. The statistics are staggering: spear phishing accounts for 95% of enterprise network attacks, according to the SANS Institute.
Spear phishing is the most effective form of phishing: the attacker performs advanced reconnaissance on a specific individual and then targets that person by email. More than ever before, our lives, not just our organizations, are represented digitally. Popular, reputable research sites like Data.com and professional networking sites like LinkedIn make it easy to determine the critical targeting variables, including company name, position, management structure, location, email address, phone number, and more. With this information, an attacker can, with a high degree of confidence, craft a message to an employee posing as a contact the employee already trusts. That employee must act as a human firewall, defending your organization against the attempted attack.
In this blog post, I will share the first 5 steps to creating a cyber aware culture within any organization — a culture capable of effectively defending against modern threats.
1. Awareness Program Envisioning
We always encourage customers to start with posture before product. It’s important to review the current state of the program to determine what’s working and what’s not. If a program doesn’t exist, realize that you’ll need to take measurable steps and overcommunicate to ensure your messages resonate with employees.
2. Policy + Process Development
Now it’s time to develop specific policies and processes that will support the overall program. Solid policies set the foundation for structure and governance. End-user, executive, and IT teams need to possess a clear understanding of the expectations set forth by the policies. These policies will govern not just the actions of users, but also the program itself. From there, processes need to be established based on policies to ensure there’s clarity of action.
3. Scenario Building
Scenario building starts with a thorough inventory of what we're trying to protect. Identify is the first core function of the NIST Cybersecurity Framework (CSF); the framework's informative references map it to controls in NIST SP 800-53. The principle is simple: it's difficult to protect something that you don't know exists.
4. Engaging Trainings
Here's the truth: a basic, online annual training isn't going to generate mindfulness. It may check a compliance or policy box, but it won't establish robust human firewalls. Trainings need to be engaging and provided in multiple formats. Users need to understand why it matters. It should be made clear that every single day, malicious actors are looking for people just like them to trick, deceive, and, ultimately, exploit.
Next, we want to maintain mindfulness. Breakrooms and hallways should have easily understandable awareness posters in each and every office. Digital signage screens should have awareness graphics in the rotation. We’re looking for simple reminders and messages that convey, “Hey—you there! Yeah, you – think before you click.” You’re not trying to teach it all in one short message, but rather maintain awareness.
These are the first 5 steps to establishing a sustainable and effective cyber awareness program and culture. Continue on to the second part of this blog series, where I walk through the next 5 steps—or if you are looking for a deeper dive into these 10 steps, download the full guide below!
[ GUIDE ] Building HUMAN FIREWALLS:
10 Steps to Cyber Awareness
Are your employees equipped to act as a human firewall, defending your organization against attempted cyber attacks?
Download the full guide for an extended overview of ConvergeOne’s 10 steps to creating a cyber aware culture, including key questions and ideas for tackling each step. The final 5 steps are examined in the guide:
Social Engineering Assessments
Metrics + Reporting