Seemingly every day, we’re reminded that companies need to work harder to stay secure during a time where cybercrime is rampant and many organizations remain vulnerable to attack. I’ve recently been speaking to the press about what can and should be done to mitigate these risks. I hope the following questions and answers will help shed some light on some key problems many organizations face, and help you decide what’s best for your business.<\/p>\n\n\n\n
What happens if an organization focuses too much on the technology aspect of security and not enough on people and process?<\/strong><\/p>\n\n\n\n Unfortunately, an organization is only as strong as its weakest link \u2013 and in terms of security, employees are by far the weakest link.<\/p>\n\n\n\n Technology plays an essential role in any defense, but at the same time technologies cannot stop an employee giving their details out over the phone to someone they believe is from the IT department. And it cannot stop an employee using their corporate password for on their favorite social media sites or writing down their hard to remember passwords.<\/p>\n\n\n\n Relying purely on technology as an organization\u2019s only form of defense is extremely short-sighted; failure is inevitable.<\/p>\n\n\n\n How often are companies attacked because of a vulnerability caused by employees or company processes?<\/strong><\/p>\n\n\n\n It\u2019s hard to put an exact number this. But from experience, I would suggest it\u2019s a very high percentage. Why wouldn\u2019t it be? Cybercriminals spend so much time, effort and money defeating a technology or defense when employees are such an easy target.<\/p>\n\n\n\n In terms of hackers getting in, the most common issues are misuse of social networking, weak passwords and password re-use, privilege creeping, malware and lack of system patching. But the real danger is employees being unaware of internal security policies or the ones that unfortunately do not care enough and are careless and complacent.<\/p>\n\n\n\n How can CIOs and CISOs go about strengthening their strategy around people and process to ensure cyberattacks aren\u2019t successful?<\/strong><\/p>\n\n\n\n There\u2019s no magic wand. There\u2019s an infinite number of initiatives that can be introduced to help mitigate risk, all at differing costs and complexity. In simple terms, it\u2019s about completing comprehensive risk assessments, creating policies and understanding industry best practices, evaluating possible technologies, and then, implementing a solution. More than anything, the plan needs buy-in at all levels and needs an appropriate budget.<\/p>\n\n\n\n Training should always be at the heart of an organization\u2019s security program as technology alone will not stand up against a motivated attacker. Everyone within the organization should be made responsible for the security of its assets.<\/p>\n\n\n\n It\u2019s also vital that personnel understand the technologies they are asked to manage and monitor. The intelligence gathered by security systems needs to be understood, so when an attack occurs, it is detected at the first possible opportunity with the correct processes and procedures, then followed.<\/p>\n\n\n\n How can CIOs and CISOs approach internal training and education in regard to security?<\/strong><\/p>\n\n\n\n Employee involvement is crucial for the success of an organization\u2019s security strategy. Creating a security task force whose members rotate so each employee has eventually been part of the task force is a great way to get everyone involved. Each task force could have a \u2018security champion\u2019, who would be the person who identifies the most beneficial improvement to current security processes. This system encourages employees to think actively as well as creatively about security to improve the company\u2019s security.<\/p>\n\n\n\n