The greatest myth is that staff members are the biggest security problem; instead, flip the script.
Many companies believe the greatest risk in cybersecurity is the behavior of their end users. With one wrong click or website visit, the entire enterprise could be at risk. In response, many IT/security teams have focused much of their attention on end-user training.
While this seems obvious on its face, the logic is flawed. We know that humans will always be fallible; it’s a simple byproduct of being human. If IT is focused on trying to create battalions of cyber-perfect, machine-like employees who can instantly discern a phishing email, they are doomed to be hacked.
Consider this: Today’s large enterprises often have tens of thousands of employees. Threat actors continuously send out mass phishing emails, as well as tailored spear phishing emails, to those employees to gain a foothold in the corporate network. If all it takes is one wrong move by one of those 10,000 employees to compromise the defensive armor (a .0001 failure rate, which would be considered a “win” on most reports), the enterprise is doomed. Unfortunately, real-world failure rates are far higher: a report late last year revealed that 11 percent of users failed phishing email simulations, despite increasing rates of testing/training (and our own assessments show an even higher failure rate).
The importance of layering security defenses
Since so many breaches begin with phishing emails and compromised end user devices, what is the answer? First, it’s important to note that, while you can’t train the problem away, end user security awareness training is one important line of defense. But it can’t be the only one. IT teams must focus on building a solid, defensive strategy that provides orchestrated layers of protection across people, process, policy, and product. The strategy should remove the ability for users to click the wrong link or open the wrong attachment in the first place.
Today’s systems are far too accessible: users have too many options in what they do, which applications they use, and what they can open. The goal should be for IT to have systems closed by default, then open applications and capabilities only once they have been vetted for risk and properly secured. For example, IT should choose one carefully selected browser and block all others; one file sharing application and block all others; and so on. This limits the universe of platforms to monitor. Employees also cannot click on a malicious attachment if security controls never allow it to reach them in the first place. Properly orchestrated security controls should filter out malicious content, reducing the possibility of human error.
Other steps organizations can take to remove user risk
Specific steps IT teams can take to reduce the risk of employee error include:
- Blocking access to personal email accounts
- Filtering HTTPS traffic with deep packet inspection
- Blocking internet access to non-user subnets/VLANs by default
- Requiring all user traffic to be inspected and filtered all the time, no matter the location of the endpoint
- Disallowing all but IT-approved filesharing systems and password vaults
- Enabling security features in tools like firewalls and endpoint detection and response (EDR) rather than assuming default settings will keep them secure
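The “closed by default, open by exception” idea behind these steps can be expressed as a small egress policy evaluator. The example below is added here and is not code from the article or from any product it describes; the user VLAN ranges, the approved browser, file-sharing and vault hosts, the personal-email domains, and the traffic categories the proxy is assumed to label flows with are all constructed placeholders. Every request is denied unless it originates from a user subnet, has passed inspection, is not headed to a personal mailbox, and matches an explicit IT-approved exception for its category.

```python
"""Default-deny egress policy evaluator (added example; all values constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data: subnets where employee endpoints live. Anything
# outside them (servers, printers, IoT) gets no internet egress by default.
USER_VLANS = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]

# Constructed: personal webmail domains that are blocked outright.
PERSONAL_MAIL = {"webmail.example", "freemail.example"}

# Explicit exceptions per traffic category: which request field is checked and
# the one IT-approved value set for it. Categories missing here are denied.
EXCEPTIONS = {
    "web":         ("process",   {"msedge.exe"}),          # the single vetted browser
    "filesharing": ("dest_host", {"files.corp.example"}),  # the single vetted file-sharing host
    "vault":       ("dest_host", {"vault.corp.example"}),  # the single vetted password vault
}


@dataclass(frozen=True)
class Request:
    """One egress flow as a proxy would see it (category label is an assumption)."""
    src_ip: str
    dest_host: str
    process: str      # originating process name reported by the endpoint agent
    category: str     # traffic category assigned by the filtering proxy
    inspected: bool   # True only if the flow went through HTTPS inspection/filtering


def evaluate(req: Request) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). The only path to "allow" is an explicit exception."""
    src = ip_address(req.src_ip)

    # 1. Non-user subnets/VLANs have no internet access by default.
    if not any(src in vlan for vlan in USER_VLANS):
        return "deny", "source is not a user subnet; no egress by default"

    # 2. All user traffic must be inspected and filtered, on-prem or remote.
    if not req.inspected:
        return "deny", "flow bypassed HTTPS inspection/filtering"

    # 3. Personal email accounts are blocked regardless of app.
    if req.dest_host in PERSONAL_MAIL:
        return "deny", "personal email accounts are blocked"

    # 4. Open by exception: only the IT-approved tool for this category.
    exc = EXCEPTIONS.get(req.category)
    if exc is None:
        return "deny", f"no exception defined for category {req.category!r}"
    field, approved = exc
    if getattr(req, field) in approved:
        return "allow", f"{req.category}: matches IT-approved exception"
    return "deny", f"{req.category}: not on the approved list"


def audit(requests: list[Request]) -> list[tuple[str, str, str]]:
    """Evaluate a batch and return (dest_host, decision, reason) per request."""
    return [(r.dest_host, *evaluate(r)) for r in requests]


# Constructed sample flows covering each rule.
SAMPLE_REQUESTS = [
    Request("10.10.4.7",  "news.example",        "msedge.exe",    "web",         True),
    Request("10.10.4.7",  "news.example",        "oldbrowser.exe","web",         True),
    Request("10.10.4.7",  "webmail.example",     "msedge.exe",    "web",         True),
    Request("10.50.1.2",  "update.example",      "svc.exe",       "web",         True),
    Request("10.20.9.1",  "files.corp.example",  "msedge.exe",    "filesharing", False),
    Request("10.20.9.1",  "dropzone.example",    "msedge.exe",    "filesharing", True),
    Request("10.20.9.1",  "vault.corp.example",  "msedge.exe",    "vault",       True),
    Request("10.10.4.7",  "game.example",        "launcher.exe",  "gaming",      True),
]

if __name__ == "__main__":
    for host, decision, reason in audit(SAMPLE_REQUESTS):
        print(f"{decision:5} {host:22} {reason}")
```

Note the ordering: the subnet and inspection checks run before any allowlist lookup, so an approved browser on a server VLAN or an uninspected flow to an approved host is still denied. Adding a new tool means adding one entry to `EXCEPTIONS`; nothing becomes reachable by omission.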
Flip the script from user blame to IT empowerment
While it is true that threat actors heavily target employees, expecting these users to bear the security burden is a fruitless strategy. There are many defensive measures IT can take to create defensive layers across the organization to mitigate user risk and ensure malicious files, websites, and attachments don’t get to the employees in the first place. By having a “closed by default, open by exception” approach to applications and platforms and a layered strategy across people, process, policy, and product, the organization will have many lines of defense rather than expecting employees to be the main line against risk.
This article is intended for educational purposes only. Statements of fact and opinions expressed are solely of the writer and, unless expressly stated to the contrary, are not the opinion or position of Valley Bank. Valley Bank does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented.