With the right support, personnel can become a valuable cyber asset, capable of playing an active role in foiling attacks.
The cybersecurity industry often talks of defense in depth and establishing resilience through multiple complementary layers of cybersecurity. This approach is usually centered on technological solutions and polices, with the workforce being seen as a cybersecurity liability rather than a potential advantage. However, with the right support, personnel can become a valuable cyber asset, capable of playing an active role in foiling attacks. Well-prepared staff with strong cyber capabilities are less likely to be stung by people-centric attacks such as social engineering and will be more likely to respond quickly and efficiently when a crisis rears its head. Security strategies need to invest in this potential and treat their workforce as an asset by equipping all employees with the knowledge and skills they need to identify and respond to cyber threats. And just like any other form of business asset, there needs to be a meaningful process in place to measure the impact of this investment and make further strategic improvements. Most cyber attacks today begin by targeting users, with research finding that over 90 percent of data breaches involve phishing. Despite this, personnel are usually overlooked in cybersecurity strategies and the majority of investments go towards new security tools. When staff do get a look-in, the result is likely to be a tick-box approach that revolves around a series of cookie-cutter training courses. For the most part, security training tends to be fairly uninspiring. In-person, classroom-style sessions can often feel more like an endurance test, while at-home online courses are tick-box exercises to be rapidly clicked through and forgotten. More advanced “tabletop” style crisis exercises, usually reserved for key decision makers, can be more engaging, but still fall short of matching a genuine security incident and aren’t conducted regularly enough to be effective. Whatever the format, benchmarking capabilities or measuring progress in any meaningful way is a challenge. Tests generally take a multiple-choice approach, which is more likely to assess the participant’s memory (or luck) than their ability to act on security knowledge and practices.
