How to Avoid the Fate of Sony, Target or Home Depot in 2015
While it's obvious that your company's employees are a weak point for security, there are ways to reduce, if not eliminate, the problem, and that doesn't mean firing all of your employees (despite the occasional temptation). What it does mean, as Sjouwerman explained, is some basic, one-on-one security training that actually shows everyone in the company what a security threat looks like. He said that what this doesn't mean is the annual donuts-and-coffee, death-by-PowerPoint security lecture. Instead, it means that someone actually sits down with an IT representative, sees what actual phishing emails look like, and learns that security threats could do things like drain their bank accounts. But it's the hands-on experience that matters, he said. This one-on-one security training should also be performed for every new employee during the on-boarding process, Sjouwerman said. Sjouwerman explained: "You can at least step through security-awareness training during on-boarding, then do periodic simulated phishing attacks." He said that such phishing simulations can use real phishing emails (of which there's no shortage) with the original malicious links replaced with some that will alert IT when someone clicks on one. By doing this, employees become aware of what a phishing attack looks like, which then helps them learn to avoid them in the future.

While it's critical that all employees get initial, and then repeated, security training, such an initiative needs to start at the top. Cyber-criminals often target senior executives because they have the best access to the data they most want to steal. Like other people in business, cyber-criminals want to expend their efforts where it's most effective. "Cyber-crime has gone pro," Sjouwerman said. "These guys are in it for the cash, and time is money," he said.
This means that they'll go where the pickings are easiest and that may also mean that they'll find some other company where the employees aren't well-trained. Then it'll be that company that's the next one in the headlines with a breach.
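The link-swapping step of the phishing simulation described above, as an added example that is not from the article or from any vendor's product: each link in a captured lure is replaced with a link to an IT-controlled endpoint, and the endpoint validates the token before it reports who clicked which lure. The sample email, the tracker URL and the HMAC key are constructed placeholders.

```python
"""Phishing-simulation link rewriting and click recording (added example)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample lure; the domain is a placeholder, not a real phish.
SAMPLE_PHISH = """<p>Your mailbox is almost full.</p>
<a href="http://example.invalid/verify?acct=1">Verify now</a>
<a href='http://example.invalid/unsub'>Unsubscribe</a>"""

TRACKER = "https://awareness.example.com/c"  # assumed IT-controlled endpoint
SECRET = b"replace-with-a-real-key"         # placeholder HMAC key

HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)


def _token(campaign: str, recipient: str) -> str:
    """Short HMAC so a click cannot be attributed to a recipient by forging the URL."""
    msg = f"{campaign}|{recipient}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def rewrite_links(html: str, campaign: str, recipient: str):
    """Replace every href with a tracking link.

    Returns (rewritten_html, {link_id: original_url}) so IT can later see
    which lure link was clicked without the original ever being live.
    """
    originals = {}

    def repl(match):
        link_id = f"l{len(originals)}"
        originals[link_id] = match.group(2)
        query = urlencode({"c": campaign, "r": recipient, "l": link_id,
                           "t": _token(campaign, recipient)})
        return f'href="{TRACKER}?{query}"'

    return HREF_RE.sub(repl, html), originals


def record_click(url: str, originals: dict):
    """Endpoint side: return the alert record for a valid click, else None."""
    qs = parse_qs(urlparse(url).query)
    try:
        campaign, recipient, link_id, token = (qs[k][0] for k in ("c", "r", "l", "t"))
    except KeyError:
        return None  # garbled or incomplete tracking URL
    if not hmac.compare_digest(token, _token(campaign, recipient)):
        return None  # forged or tampered token, do not attribute the click
    return {"campaign": campaign, "recipient": recipient,
            "lure_url": originals.get(link_id)}
```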
It's also worth noting that there needs to be management buy-in. Even though effective security training doesn't necessarily involve a lot of staff hours, it does involve some time and expense. "Boardrooms are going to have to realize that culture trumps compliance," Sjouwerman said. "This requires a security initiative that makes it clear what they really have to start paying attention to."