A long time ago in a galaxy far, far away, I was not a Security Consultant. I was a Chef. And I worked as a corporate Chef for an organization that required very long, complex passwords that had to change every 90 days and could not match your last 6 passwords. I was super busy, usually stressed, and the password expiration notice came up at the most inconvenient times. This made it frustrating and felt like a hassle. At this point, I did not understand the importance of keeping a password this secure, why my computer kept bothering me about updates, or why our security guards kept grilling my friends and vendors when they came to see me. I just didn’t realize how necessary it was for this particular organization to protect its data. And no one ever explained it.
Fast forward ten years later, and boy do I understand now. I think about how I felt in this situation often, and how little it might have taken for me to comprehend the reasons behind it. Although technical people may have a better understanding, it can be confusing and cumbersome for both technical and non-technical users alike.
The human element plays such an important part in an organization’s security defense. A good system can fail as a result of employee carelessness, indifference, frustration or resentment. Time and time again, humans expose vulnerabilities due to mistakes, ignorance or deliberate actions. This makes for a challenge with an almost unlimited number of variables. A user that is normally security aware can be having a bad day and make a mistake in a distracted moment. And considering the stresses of the last 18 months this may be more likely than ever. Top that with some work from home risks and garnish with opportunistic bad guys, and we have a recipe for attackers to snack on some malicious, delicious exploits.
So how do we reduce this risk? Training is the first line of defense. But the easiest solutions to check those boxes can be expensive, impersonal, and not always effective. Whenever possible, try to get someone in front of your people and give real world scenarios they can relate to. Employees can be the biggest liability or the greatest asset when it comes to protecting sensitive information. What are the real risks to them, their jobs and their clients if your organization were breached? What are the viable threat vectors? How can you empower employees to help keep data safe? How can you implement creative incentives to encourage them to be proactive? The answers to these questions can be very different between organizations.
I’ve listed some of the threats us humans are vulnerable to below. How to best build awareness and protection is going to be a more intimate decision. The size of the organization, budget, time constraints and a number of other factors can create challenges. Check back in with us soon for more information on how we may be able to help guide you and your employees in a safer direction.
The post Low Hanging Fruit Ninja: Slashing the Risks of the Human Element appeared first on Professionally Evil Insights.
Click to Open Code Editor