In 2007, Michael Levin retired from the United States Department of Homeland Security after a distinguished thirty-year career in law enforcement. Michael served at the Department of Homeland Security as the Deputy Director of the National Cyber Security Division. Michael previously served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC. Michael was a member of the Secret Service Electronic Crimes Special Agent program and worked on computer forensics and cybercrime investigations for over fifteen years. After this distinguished career and seeing the need, Michael founded the Center for Information Security Awareness. The CFISA (cfisa.org) brought together a group of leading academics, security and fraud experts to explore ways to increase security awareness among many audiences, including consumers, employees, businesses and law enforcement.
Executives are slowly but surely recognizing the ramifications of providing the wrong answer when asked the questions: “Prior to the breach, did we train our employees in the acceptable use of company assets? Did we train them about what they could and could not do?”
Do you work for a company that requires employees to sign an annual “acceptable use” policy statement? Many companies fail to provide the training and/or to enforce the policies associated with one of the largest vulnerabilities of a business.
While working for the US Secret Service in 1991, I was one of the primary investigators involved with a major cyber breach of a large corporation. Secret Service and FBI investigators were sitting in a large corporate conference room with the president, CEO, CISO, and a group of corporate attorneys. On the phone was a host of IT managers and others.
One of the IT managers responsible for the server that was breached insisted that this incident was a “major brute force hack.” It didn’t take long, however, for the law enforcement investigators in the room to discover that the default admin passwords left on the server were actually the cause of the hack.
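As an added illustration (this is not part of the original post and does not describe how the 1991 investigation was actually conducted), here is how an analyst can test a “brute force” claim against the authentication log: a brute-force attack leaves a run of failed attempts for the same account and source shortly before the success, whereas a login with a default or shared password typically succeeds on the first try. The sshd-style log lines and the list of default account names below are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Classify successful logins in an auth log as brute-force (many failures,
then a success) or first-try (no preceding failures), and flag first-try
successes on well-known default account names."""
import re
from datetime import datetime, timedelta

# Illustrative list of vendor/default account names (assumption, not exhaustive).
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "administrator", "guest", "sa"}

# Matches OpenSSH "Accepted/Failed password" lines; other sshd lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: six rapid failures then a success for alice (brute force),
# two failures then a success for bob (a mistyped password), and a clean
# first-try success on the "admin" account (consistent with a default credential).
SAMPLE_LOG = """\
Mar 03 02:14:01 srv1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar 03 02:14:02 srv1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51001 ssh2
Mar 03 02:14:03 srv1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51002 ssh2
Mar 03 02:14:04 srv1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51003 ssh2
Mar 03 02:14:05 srv1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51004 ssh2
Mar 03 02:14:06 srv1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51005 ssh2
Mar 03 02:14:09 srv1 sshd[4101]: Accepted password for alice from 203.0.113.9 port 51006 ssh2
Mar 03 02:40:11 srv1 sshd[4150]: Failed password for bob from 192.0.2.44 port 60010 ssh2
Mar 03 02:40:20 srv1 sshd[4150]: Failed password for bob from 192.0.2.44 port 60011 ssh2
Mar 03 02:40:31 srv1 sshd[4150]: Accepted password for bob from 192.0.2.44 port 60012 ssh2
Mar 03 03:30:15 srv1 sshd[4222]: Accepted password for admin from 198.51.100.7 port 40022 ssh2
Mar 03 03:30:16 srv1 sshd[4222]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""


def parse_log(text):
    """Return authentication events (time, ok, user, src) sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session/pam noise, not an auth result
        events.append({
            # syslog timestamps carry no year; strptime defaults to 1900,
            # which is fine for relative comparisons within one log.
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def classify_logins(text, window=timedelta(minutes=10), threshold=5):
    """For each successful login, count failures for the same user and source
    inside `window` before it and label the success accordingly."""
    events = parse_log(text)
    findings = []
    for i, ev in enumerate(events):
        if not ev["ok"]:
            continue
        failures = sum(
            1 for prior in events[:i]
            if not prior["ok"]
            and prior["user"] == ev["user"]
            and prior["src"] == ev["src"]
            and ev["time"] - prior["time"] <= window
        )
        if failures >= threshold:
            verdict = "brute_force"
        elif ev["user"] in DEFAULT_ACCOUNT_NAMES:
            verdict = "first_try_default_account"  # check for unchanged default creds
        else:
            verdict = "first_try"
        findings.append({
            "time": ev["time"].strftime("%H:%M:%S"),
            "user": ev["user"],
            "src": ev["src"],
            "failures_before": failures,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in classify_logins(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:<8} {f['src']:<15} "
              f"failures_before={f['failures_before']} verdict={f['verdict']}")
```

Run against the sample, only alice's login looks like brute force; the `admin` login succeeded with no prior failures, which is the pattern to chase when a default password is suspected. Real investigations also correlate the source address, the account's password-change history, and the vendor's documented default accounts, none of which this small script does.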
Fast forward 26 years to the 2017 Equifax breach, and we have very similar issues: a basic practice (in that case, patching a publicly known web application vulnerability) that was not followed, trained, or enforced!
As an executive, do you still have the attitude, “My employees should just be focused on their jobs and performing their tasks, not taking security awareness training or learning about the latest risks”?
A recent F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” shows that CISOs aren’t fully taking advantage of the power of security awareness training. Let me outline a few relevant findings:
This report makes it clear that most security executives don’t realize that just one serious security incident or data breach could destroy the growth and profitability of their companies. It’s more important than ever that every company integrate an enterprise-wide IT security strategy into its mission and goals.
We hear a lot about the “human firewall” and other concepts that imply we can somehow “patch” our employees the way we patch systems. Throwing policies and procedures at the problem will not eliminate our growing vulnerability.
Frequently, IT managers convince C-suite executives to spend the IT budget on hardware and software security solutions, while ignoring the fact that many employees are clicking on every email, link, and attachment they receive. Not training your employees on what they can and cannot do is no longer an option for any enterprise.
I have been training employees for over 10 years in security awareness best practices. I have spoken with thousands of employees, and a few things are clear:
Security awareness training is not overly complicated. It just needs to ensure that all three of these concerns are integrated into the training to achieve employee buy-in and participation.
We can no longer use the excuse, “We don’t have budget, time, or resources to train our employees.” Every executive responsible for the success of an organization must recognize the need for all employees to participate in the safety and security of the business.
Security awareness training that achieves employee buy-in and participation will dramatically reduce business vulnerabilities, and the return on investment will far exceed all other IT expenditures.
Security awareness training has become a required part of security best practices that must be implemented on a recurring basis.
Hiring an external service to conduct the necessary security training is a straightforward way to reduce the chance that your employees put your business and assets at risk.
To read more from Michael Levin, please visit The Center for Information Security Awareness blog at cfisa.org/security-blog.html.
MODIFIED: Dec 26, 2017