Myth #1: The best (technical) defense is a good (cyber) offense
Fact: People are the biggest threat and by increasing awareness through education, you can reduce the risk of a potential cyber-attack.
Good technical and software management is the number one process required to deal with most cyber-attacks; however, in isolation it cannot achieve everything. Employees and their lack of awareness skills are the biggest threat to most organisations. The correct technical barriers will help reduce the likelihood of a successful cyber-attack and will also help in mitigating the risk of a potential attack.
But employees are the biggest threat and by increasing awareness through education, you can reduce the risk of a potential cyber-attack. Even if your organisation has good security processes and procedures, and even if policy management is adhered to, employees may not be aware of the risks that their actions can have on their organisation.
One example would be employees bringing their own devices to work, as using a device without the latest update can put an organisation's network at risk. Similarly, using the same password for both work and personal accounts increases the risk of a data breach, as your password will be easier to guess if the same one is used on multiple accounts.
As humans, we will always make mistakes - it’s what makes us human after all. Unlike technology, we can’t be patched or upgraded to the latest version. We can, however, create user awareness programs to increase staff awareness within our organisations. Ad hoc security training may deliver short-term results, but an ongoing security awareness plan keeps information and cyber security a top priority. It prevents it from falling into the same training bracket as manual handling. For example, we all know that when lifting a heavy object we must lift with our knees - but how often do you actually do it? The same can be said for passwords or regular software updates. We all know that we must do this, but how often is it a priority on a never-ending to-do list?
Let’s say that you did have to take a manual handling course every Monday for the foreseeable future, until awareness of manual handling had increased within the organisation. Would you start to discipline yourself more if you did not follow the correct guidelines, or would you make your colleagues aware if they were doing the same thing?
Ongoing security awareness campaigns should not be delivered every Monday until the message finally sinks in. Instead, key messages should be delivered on an ongoing basis in a relevant and appropriate manner. These key messages should also highlight the risks and address any additional security problems.
Successful security awareness campaigns can help employees understand key security messages, recognise the security risks of BYOD, and identify the cyber security risks that can result from their personal actions. To mitigate the risk of boredom within security awareness campaigns, many companies are now using a blended approach, such as posters, screensavers, blogs and newsletters, as well as engaging eLearning titles.