Upgrading your 'Human Firewall'.
Updated: Nov 28, 2019
With the 'Human Factor' consistently reported as being at the heart of nearly every security breach or incident, why doesn't the industry, or the business, place more importance on developing a mature company-wide security culture? The major frameworks already require it, for example:
PCI DSS 6.5, 12.6 & 12.6.1 - Software Developer training & End User training.
CIS 20 CSC (No. 17) - Implement a Security Awareness & Training Program.
NIST CSF PR.AT - Awareness & Training.
ISO/IEC 27001:2013 (7.3) - Awareness.
Attackers in cyber space are opportunists who spend a great deal of their time honing their skills at identifying and exploiting any vulnerabilities they discover. This tends to be their primary role, and they remain fully focused on the tasks ahead of them. On the flip side, businesses are in the business of making a profit. In order to be successful, they need reliable technology to efficiently store, process and transmit sensitive data. Consequently, their focus is on carrying out business operations; the security implications become an insignificant inconvenience, and any time spent training personnel is seen as time in which those personnel are not being productive or profitable. However, this is becoming detrimental and can prove to be a false economy. Balance the training investment against the costs of a data breach, inefficient use of technology (i.e. unfamiliar technologies), the loss of productivity from an unavailable system or data asset (i.e. ransomware), or the time wasted through inefficient use of email. When you balance these negatives against the potential benefits, a well-developed and tailored security awareness programme starts to look like a more attractive business investment decision.
Developing an effective Cybersecurity Awareness Programme.
This becomes the next significant challenge for a business. A seasoned InfoSec specialist may be able to create some relevant content, but do they also possess the design skills (to make the content presentable), the coding skills (gamification), the multilingual skills (delivery across multiple countries) and the time to do justice to the content, ensuring that it is suitable for a wide-ranging demographic of target audiences? All of this is needed to provide value and to keep the audience interested, so that they retain the security messages a business wishes to communicate (remember, effective communication is 80% listening and just 20% talking). With there being a significant shortfall in skilled cybersecurity specialists, they tend to be an extremely expensive commodity whose time could be better spent providing other services, rather than content development. That said, are businesses:
'Damned if they do, Damned if they don't?'
Not necessarily, if you choose the right product, one that supports the creation of more effective, efficient and well-designed content.
For example, imagine your InfoSec Manager receives £222 per day:
12 days researching content for presentation = £2664 p.a.
6 days delivering presentations = £1333 p.a.
24 days researching and writing content for monthly newsletters = £5328 p.a.
52 days designing and developing interactive gamification = £11544 p.a.
6 days delivering security awareness posters = £1333 p.a.
30 days carrying out Phishing/Vishing simulations = £6660 p.a.
24 days analysis & metrics creation = £5328 p.a.
This short example results in an investment of 154 days p.a. and £32,857 for a product that is likely to have been created alongside multiple other priorities and with limited resources. All of which results in a sub-standard product that may do little to create the desired effect of investing in the creation of your 'Human Firewall' to help enhance your cyber defences.
If you are serious about improving your cyber resilience and defences, but are struggling to deliver a continual high standard of interesting and relevant content that would help to develop the capabilities of your 'Human Firewall', why not investigate the benefits of outsourcing your security awareness content to a reputable 3rd party vendor (e.g. KnowBe4)?
As a business, you will still own your 'Human Firewall' strategy, tailored to meet the uniqueness of your business, but drawing on the extensive library of security material made available to you as part of your subscription with the vendor.
As a result of this investment, your business will decrease the workload on your often overstretched InfoSec resources, allowing them more time to work proactively in defending the organisation and providing the much needed reassurance to it, whilst creating legions of knowledgeable 'security champions'.
Any cursory glance at the headlines of a daily newspaper is likely to reveal yet another unfortunate company that has fallen foul of an oversight (e.g. poorly coded website, missed update, etc.) or an accidental action (e.g. clicking on a malicious link), which has provided the opportunity for attackers to gain unauthorised access to its, or its customers', sensitive data. With every opportunity gained, attackers are becoming increasingly successful at turning this into monetary gain. This, in turn, makes it an increasingly attractive low-cost vocation for the 'bored teenager' or the organised criminal group. Each aggressor is not precious as to who they target, as long as they see a return for a relatively small investment (e.g. time, effort, etc.), so exploiting a business's 'Human Firewall' becomes an increasingly attractive proposition for your enemies.
Remember, effective cyber defences rely on far more than 'Technological' measures, with 2/3s being around effective 'People & Process'. Therefore, if you have an imbalance within your cybersecurity ecosystem, you may wish to look at rebalancing this with further investment in training your 'Human Firewall', through a mix of outsourced content and on-the-job specialist training.