These days my email is full of press releases from IT vendors claiming their products are the magic bullet that will prevent the next Sony data breach. The reality is that there is no magic bullet.
That doesn’t mean you can’t keep your company from becoming a victim of cyber-criminals; you can. It does mean accepting that a few breaches may be all but impossible to stop, but those should be a small minority.
First, while you can’t solve the data breach problem with technology alone, you should keep using the available technology, including firewalls, email screening appliances, anti-malware and similar products. They do help. With good products in place, you can keep most of the bad stuff out of your network and focus on what gets through.
Second, don’t dismiss employee errors as “stupid user tricks” and throw up your hands in dismay. While most major breaches involved a mistake by a trusted employee or contractor, it’s wrong to suggest that those people are somehow stupid and that their mistakes are therefore unpreventable.
“They’re just highly trained people in another field,” said KnowBe4 CEO Stu Sjouwerman. Passing off these problems as the unavoidable cost of stupid users misses the point. “The stupid user might be a highly trained CFO,” Sjouwerman said.
His point is that many of the employees in your company aren’t trained in IT; they have little or no training in security and, as a result, wouldn’t necessarily recognize a security threat.
This is one reason Sjouwerman takes issue with statements such as one by Denise Zheng, deputy director of the Center for Strategic and International Studies, who recently told CNN: “There is no patch for a stupid user.”
The fact is, there is a patch for users who make errors in how they respond to cyber-threats. It’s called training, and it doesn’t need to be difficult or expensive. It just needs to be continuous.
Sjouwerman’s advice is echoed by a number of security experts who point out that for any security plan to be effective, it has to involve the people who use the network. When I recently talked to Frank Abagnale about security exploits, he made the same point when he told me “someone in every breach did something they weren’t supposed to do.”
How to Avoid the Fate of Sony, Target or Home Depot in 2015
While it’s obvious that your company’s employees are a weak point for security, there are ways to reduce, if not eliminate, the problem, and that doesn’t mean firing all of your employees (despite the occasional temptation).
What it does mean, Sjouwerman explained, is basic, one-on-one security training that actually shows everyone in the company what a security threat looks like. What it doesn’t mean is the annual donuts-and-coffee, death-by-PowerPoint security lecture.
Instead, each employee sits down with an IT representative, sees what actual phishing emails look like and learns that these threats can do things like drain a personal bank account. It’s the hands-on experience that matters, he said. The same one-on-one training should be given to every new employee during on-boarding, Sjouwerman said.
Sjouwerman explained: “You can at least step through security-awareness training during on-boarding, then do periodic simulated phishing attacks.” Such simulations can use real phishing emails (of which there’s no shortage) with the original malicious links replaced by links that alert IT when someone clicks on them. By doing this, employees see what a phishing attack looks like, which helps them recognize and avoid the real thing in the future.
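As an added example (not code from the article, from KnowBe4, or from any product it sells), here is a Python sketch of the link-replacement step described above: every link in a captured phish is swapped for a tracking link that carries the recipient and an HMAC tag, and the tracking endpoint verifies the tag before attributing the click to anyone. The campaign name, the key, and the https://phish-sim.corp.example/c tracker host are hypothetical, and the email body is constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample phishing email body (invented for this example). In a
# real simulation this would be a genuine phish that IT captured.
SAMPLE_PHISH = (
    "<p>Your mailbox is almost full.</p>"
    '<p><a href="http://mail-quota-reset.example/login">Upgrade now</a> or '
    '<a href="http://mail-quota-reset.example/unsubscribe">unsubscribe</a>.</p>'
)

# Good enough for captured HTML phish bodies; a real tool would use an HTML parser.
HREF_RE = re.compile(r'href="([^"]+)"')


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class PhishSimCampaign:
    def __init__(self, name: str, key: bytes, tracker_base: str):
        self.name = name                # hypothetical campaign label
        self.key = key                  # HMAC key, held only on the simulation server
        self.tracker_base = tracker_base
        self.original_links = []        # index -> the attacker's real URL

    def _sign(self, payload: str) -> str:
        # Tag binds the recipient and link index to this campaign so a token
        # cannot be edited to pin a click on a different employee.
        msg = f"{self.name}|{payload}".encode()
        return _b64(hmac.new(self.key, msg, hashlib.sha256).digest()[:16])

    def _link_index(self, url: str) -> int:
        if url not in self.original_links:
            self.original_links.append(url)
        return self.original_links.index(url)

    def personalize(self, html: str, recipient: str) -> str:
        """Copy of the email with every malicious link replaced by a tracking
        link encoding (recipient, link index) plus an HMAC tag."""
        def swap(m):
            payload = f"{recipient}|{self._link_index(m.group(1))}"
            token = f"{_b64(payload.encode())}.{self._sign(payload)}"
            return f'href="{self.tracker_base}?t={token}"'
        return HREF_RE.sub(swap, html)

    def record_click(self, clicked_url: str):
        """What the tracking endpoint does on a hit: verify the tag, then
        return (recipient, original_url) so IT can be alerted. Returns None
        for a forged, tampered or malformed token."""
        token = parse_qs(urlparse(clicked_url).query).get("t", [""])[0]
        try:
            payload_b64, tag = token.split(".", 1)
            payload = _unb64(payload_b64).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        # Constant-time comparison of the presented tag against a fresh one.
        if not hmac.compare_digest(tag.encode(), self._sign(payload).encode()):
            return None
        recipient, idx = payload.rsplit("|", 1)
        try:
            return recipient, self.original_links[int(idx)]
        except (ValueError, IndexError):
            return None


if __name__ == "__main__":
    camp = PhishSimCampaign("q1-quota", b"server-only-secret",
                            "https://phish-sim.corp.example/c")
    mail = camp.personalize(SAMPLE_PHISH, "cfo@corp.example")
    print(mail)
    first_link = HREF_RE.search(mail).group(1)
    print(camp.record_click(first_link))
```

The tag is what makes the click attribution trustworthy: without it, anyone who looks at a colleague's tracking link could swap in another name and get that person a visit from IT. Because the token carries everything the endpoint needs, the server keeps no per-recipient state beyond the campaign's list of original links.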
It’s also worth noting that there needs to be management buy-in. Even though effective security training doesn’t necessarily involve a lot of staff hours, it does involve some time and expense. “Boardrooms are going to have to realize that culture trumps compliance,” Sjouwerman said. “This requires a security initiative that makes it clear what they really have to start paying attention to.”
While it’s critical that all employees get initial, and then repeated, security training, such an initiative needs to start at the top. Cyber-criminals often target senior executives because they have the best access to the data they most want to steal. Like other people in business, cyber-criminals want to expend their efforts where it’s most effective.
“Cyber-crime has gone pro,” Sjouwerman said. “These guys are in it for the cash, and time is money.” That means they’ll go where the pickings are easiest, which may be some other company where the employees aren’t well-trained. Then it will be that company that makes the headlines with the next breach.