By Keith S. Crumpton, vCISO / Senior Security Architect
Today’s threat landscape, more than ever, is beyond the technical control of a business. The human element, employees, represents an organization’s greatest weakness in the information security arsenal. Yet they are also a company’s greatest defense and most important tool against the cybercriminal.
Employees need to be aware of what might be used against them, so they don’t unknowingly contribute to a security incident or breach. Employee performance depends on how well they are educated about the threats they may encounter and how to respond to them. If the response does not fully protect the information, it’s imperative that they understand the best way to communicate the threat, without risk of reprisal, to those who can and will help.
Security awareness education activities and reinforcement are low-cost methods of empowering employees. The investment is cheaper than the cost of a potential loss if an employee clicks on the wrong link, visits the wrong website, or believes a spoof email to be true and subsequently transfers funds to parts unknown.
The days of ignoring or minimizing threats are over. More and more organizations are being targeted and security vulnerabilities exploited as cybercriminals seek to obtain the information “payload” these companies possess.
Consider a typical law firm. A law firm client might engage them for the purchase of a home. As part of the transaction, the law firm may obtain the client’s last three years’ tax returns, a recent paystub, their credit report, social security number, listing of all their assets, bank accounts with account numbers and most recent balance, credit card numbers with most recent balances (in some cases the actual statements), current address, phone numbers and other personal information. The information represents a data payload. To security professionals, a data “payload” is where an individual’s data elements (personal information) are combined in a nice, easy-to-access package.
The law firm above is only one example; the concept of a data payload exists in all organizations. It just needs to be identified and defined. Educating your employees to know your business, its data flows, and who the responsible individuals are will help them understand their roles and responsibilities for security activities that protect the company data, and ultimately the company itself.
To ensure the most effective training for your employees, choose the most applicable educational content. Some security education topics may not be pertinent and could therefore be a waste of the employee’s time. Knowing your employees, their roles and responsibilities, provides background for tailoring security awareness education for the individual.
Employee education is key to ensuring your organization’s information is protected. Provide them the tools they need to protect it: education, processes, procedures and software, to name a few. However, if you can only focus on one, make it EDUCATION. Without that, nothing else matters.