Creating a Human-Centered Cyber Strategy


October 17, 2022

With recent changes to company dynamics, every employee, regardless of their role or status within an organization, is a potential target for cybercriminals. As a result, organizations must begin taking a more human-centric approach to cybersecurity, says Joseph Carson, chief security scientist and advisory CISO at Delinea.

With many organizations operating with employees dispersed both nationally and internationally, many now working from home or public networks, it has become increasingly challenging for organizations to maintain complete control over securing their business operations. At the onset of the pandemic, many employees were granted additional access to company systems to help streamline their productivity. Two years on, with many still working remotely, this extra layer of privilege and access remains in place.

Given the recent changes to company dynamics, every employee, regardless of their role or status within an organization, is a potential target for cybercriminals looking to gain initial access or move laterally through organizational networks to steal data and execute malicious software. While modern security discussions center around artificial intelligence, machine learning and automation as the best means to protect against attacks, an organization’s employees still often serve as the first line of defense. Thus, many could benefit from taking a more human-centric approach to address their security issues and priorities. Several initiatives can be implemented to establish this.

Identify Prevalent Insecurities

Organizations should regularly conduct security audits within each department, whether accounting, sales or marketing, to determine employees' current behavior and approach to security. Security procedures commonly differ from department to department. For example, human resources will often have more rigid security controls because of the large volume of confidential and sensitive Personally Identifiable Information (PII) it handles. Other departments may take a more relaxed approach, leaving them open and vulnerable targets for attacks.

To combat these discrepancies and identify areas where security improvements are required, organizations should consider implementing periodic testing controls that highlight areas and departments where security knowledge and awareness may fall short. This can be done in numerous ways. One of the most common is to distribute company-controlled phishing emails and observe how employees respond. Should an employee treat the email as legitimate, they are then automatically required to attend anti-phishing and cyber hygiene training facilitated by a security team member. The purpose here should not be to shame employees but to empower them to identify and report potential phishing attacks in the future.

It is also good practice to take stock of the security tools used in each department and their perceived level of importance. Is multi-factor authentication enabled and actually used? Is a password manager in place, are employees using it correctly, and does it help them with their tasks?


Embed Security Experts Everywhere

Security teams must also be at the focal point of strategy creation and execution. Security is no longer an afterthought and should be embedded into each and every initiative. Security should be not just by design but also by default. Security staff working directly with each business department promotes cross-collaboration and better communication while helping to determine where gaps exist and where additional security budget may need to be allocated.

Establish a cybersecurity ambassador or mentor for every department who can help communicate department-specific security and compliance policies, detect threats and respond to incidents. Delegating an IT person who understands the unique needs of each department can help maximize an organization's security posture while keeping the business needs in view. It is essential not only to ensure security is in place but also to ensure that it helps employees do their jobs. The focus should be a zero-friction security approach that prioritizes making security an aid to employees' work rather than an obstacle.

Implement Seamless Security Solutions

Due to rising attack levels and growing pressure from board members and company executives, many organizations are investing in and implementing new security tooling with little regard for the end users who must operate it. Often, the security solutions deployed prove difficult for non-security experts to use and manage, causing frustration and resistance. In addition to investing in comprehensive security controls, organizations must dedicate an appropriate amount of time and resources to educating employees on how to operate and navigate such tooling, so as to avoid misconfigurations, poor implementation and overall friction.

Cybersecurity Awareness Training

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) also recommend that organizations create cybersecurity awareness initiatives that build and strengthen company-wide cyber hygiene. Educate employees on the early signs of malicious activity and empower them to adopt password best practices, such as how to regularly create complex passwords and how to store them safely. Help them adopt password managers so that passwords move into the background of their daily work.

Security teams face a constant stream of alerts and noise across an expanded attack surface. Combine this with ongoing staffing shortages and employee burnout, and the fate of an organization's security can no longer rest only in the hands of IT and security teams. Organizations can significantly reduce their risk by adopting a human-centered approach to security in which all employees are equipped with the basic knowledge, skills and seamless technology needed to prevent malicious activity. After all, you are only ever as strong as your weakest link.

Joseph Carson

Chief Security Scientist and Advisory CISO, Delinea

Joseph Carson is a cybersecurity professional with more than 25 years' experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Delinea. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP). Carson is also a cybersecurity adviser to several governments, critical infrastructure organizations, and financial and transportation industries, and speaks at conferences globally.