Create a human-centric cyber strategy

With recent changes in business dynamics, every employee, regardless of role or status within an organization, is a potential target for cybercriminals. As a result, organizations need to start taking a more human-centric approach to cybersecurity, says Joseph Carson, chief security scientist and advisory CISO at Delinea.

With many organizations operating with dispersed employees both nationally and internationally, many of whom now work from home or on public networks, it has become increasingly difficult for organizations to maintain full control over securing their business operations. Early in the pandemic, many employees gained additional access to company systems to help them streamline their productivity. Two years later, with many still working remotely, that extra layer of privilege and access remains in place.

Given recent changes in business dynamics, every employee, regardless of role or status within an organization, is a potential target for cybercriminals looking to gain initial access or move laterally across organizational networks to steal data and execute malware. While modern security discussions focus on artificial intelligence, machine learning, and automation as the best ways to protect against attacks, an organization’s employees are often still the first line of defense. Thus, many organizations could benefit from a more human-centric approach to their security issues and priorities. Several initiatives can be implemented to establish it.

Identify common insecurities

Organizations should regularly conduct security audits within each department, whether accounting, sales, or marketing, to determine employees’ current behavior and approach to security. It is common for security procedures to differ by department. For example, human resources will often have more rigid security controls due to the large amount of confidential and sensitive personally identifiable information (PII) processed. However, other departments may take a more relaxed approach, leaving them open and vulnerable targets for attack.

To address the gaps and identify areas where security improvements are needed, organizations should consider implementing periodic testing controls that highlight areas and departments where security knowledge and awareness may be insufficient. This can be done in many ways. One of the most common is to send company-controlled phishing simulations and observe how employees react. If an employee treats the email as legitimate, they are automatically required to undergo anti-phishing and cyber hygiene training conducted by a member of the security team. The main goal here should not be to shame employees, but to help them identify and report potential phishing attacks in the future.

It is also good practice to take stock of the security tools used in each department and their perceived level of importance. Is multi-factor authentication enabled and in use? Is a password manager in place, are employees using it correctly, and does it help them with their tasks?

Onboard security experts anywhere

Security teams should also be at the center of strategy creation and execution. Security is no longer an afterthought and must be built into every initiative. Security should not only be by design, but also by default. Security personnel working directly with each business department promote cross-collaboration and improved communication while helping to identify where gaps exist and where additional security budgets may need to be allocated.

Establish a cybersecurity ambassador or mentor for each department who can help communicate department-specific security and compliance policies, detect threats, and respond to incidents. Delegating an IT professional who understands the unique needs of each department can help optimize an organization’s security posture and understand business needs. It is not only essential to ensure that security is in place, but also to ensure that it helps the employee in their work. We need to focus on a frictionless approach to security that prioritizes the need to ensure that security helps employees in their jobs.

Implement transparent security solutions

Due to increasing levels of attack and growing pressure from board members and corporate executives, many organizations are investing in and implementing new security tools without considering the end users who must work with them. Often, deployed security solutions prove difficult to use and manage for non-security experts, leading to frustration and resistance. In addition to investing in comprehensive security controls, organizations should dedicate sufficient time and resources to training employees on how to use and navigate these tools to avoid misconfigurations, improper implementation and general friction.

Cybersecurity awareness training

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) also recommend that organizations create cybersecurity awareness initiatives that help build and improve cyber hygiene company-wide. Educate employees on early signs of malicious activity and empower them to adopt password best practices, such as how to create strong, unique passwords and how to store them safely. Help them adopt password managers so that password handling moves into the background of their work.

Security teams must triage a constant stream of alerts and noise across an expanding attack surface. Combine that with staffing shortages and employee burnout, and the fate of an organization’s security can no longer be held solely in the hands of IT and security teams. Organizations can significantly reduce their risk by adopting a human-centric approach to security, in which all employees have the basic knowledge, skills and transparent technology necessary to prevent malicious activity. After all, you are only ever as strong as your weakest link.
