The age-old problem of determining how to identify and mitigate risk is something organizations have struggled with for many years.
How do you protect your organization? What tools are the best in the marketplace? What tools are good enough and fit my budget? What is my long-term plan, and how do I get there?
All of the above questions are things we deal with every day, but there is another constant that we often overlook: our people, and their education about threats and how to address them on the front line.
Let’s face it, people are vulnerable and always will be. So much so that the National Cyber Security Alliance dedicated a whole week to educating everyone on the culture of cyber security in the workplace during National Cyber Security Awareness Month (NCSAM).
We need to invest in technologies to help overcome our compulsive desire to click on links that lead us to harm. At the same time, we cannot rely on technology alone. Training and education of all employees, from the CEO down to the mail room clerk, still needs to be a priority for organizations.
Will training stop everyone in your organization from clicking on links or doing other silly things that expose the organization? No. But security is a game of mitigation and percentages. Implementing occasional, ad hoc security training to achieve some short-term goals may reduce the likelihood of a successful attack - maybe by about 10-15%. What if, however, your organization spends more time on training, delivers it consistently, and tests its effectiveness? That number could drastically rise to about 40-50%.
When talking to CISOs and executives about this issue, I often use the example of McDonald’s and advertising. Why does McDonald’s advertise? We all know McDonald’s exists. Everyone knows they exist! Yet they continue to run a sustained, repeated advertising campaign. Why? To stay at the top of consumers’ minds. They know that people forget, get distracted, and need to be reminded occasionally that McDonald’s is an option.
Training and education will never be a 100% solution to mitigating a threat, but in my book, a 40-50% reduction is much more pleasing than a meager 10-15%.
The bottom line: Invest in your people and their security education with a sustained, repetitive training campaign. It will prove to be every bit as important as that fancy new security tool that promises “complete” security.