According to the most recent cybersecurity study from SolarWinds, conducted in the DACH region, 80% of respondents cited internal user mistakes as the main source of cybersecurity threat incidents. At the same time, only 55% are extremely or moderately concerned about internal users putting their organizations at risk. By my math, that leaves a 25-point gap between the risk respondents identify and the concern they report. Why is concern over internal risk so low if the cited risk is so high?
We know from many studies that attacks such as phishing, spear phishing, whaling, drive-by malware, and Trojan horses require a user to browse, click, or otherwise allow or trigger the attack. They are hard to defend against precisely because of the human component: a properly protected and managed device is rarely compromised from the outside on its own. It needs a little help from the person on the other side of the keyboard.
As IT admins and techs, we are good at implementing tools that firewall, scan, and patch against threats, and computers do what we tell them to: if we tell them not to go to website A, they listen.
Humans, unfortunately, are not wired the same way, so we need different tactics to prevent the most likely threat to our cybersecurity: PEBKAC. The joke is old; “Problem Exists Between Keyboard and Chair” is a favorite among techs worldwide. What can we do to educate our users so they do not compromise our carefully engineered environments?
- Get buy-in from management. This is sometimes harder than it sounds, but you need financial as well as personal buy-in from leadership, or you will be swimming upstream in your efforts.
- Create a plan. Every good security initiative starts with a plan.
- Communicate the plan so everyone knows what to expect and that you have leadership support.
- Educate team members on safe cybersecurity practices — both in the office and at home. With many employees working from home, security at home is equally important.
- Test them. Perform regular simulated phishing attacks and other appropriate tests to identify gaps in practice.
- Educate employees more regularly so they maintain a good level of awareness. This also gives you an avenue to communicate and train on new threats as (or before) they arise.
- Reward employees for keeping a clean record (no clicks on simulated or real phishing) and for alerting the IT team to potential threats such as suspicious emails.
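To make the "test, measure, reward" steps above concrete, here is an added example (not code from this post or from SolarWinds) that scores simulated-phishing results: click and report rates per campaign, repeat clickers who need retraining, users with a clean record, and the most reliable reporters to reward. The campaign data is constructed for illustration, and the `Result` schema, user names and the two-click retraining threshold are assumptions, not any vendor's format.

```python
"""Score simulated-phishing campaign results by user and by campaign."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated campaign (assumed schema).

    clicked:  followed the lure link or opened the attachment.
    reported: forwarded the message to IT/security. A user can do both:
              click first, then realise their mistake and report it.
    """
    campaign: str
    user: str
    clicked: bool
    reported: bool


# Constructed sample data: three quarterly campaigns sent to five users.
SAMPLE_RESULTS = [
    Result("Q1-invoice", "alice", False, True),
    Result("Q1-invoice", "bob", True, False),
    Result("Q1-invoice", "carol", False, False),
    Result("Q1-invoice", "dave", True, True),
    Result("Q1-invoice", "erin", False, True),
    Result("Q2-password-reset", "alice", False, True),
    Result("Q2-password-reset", "bob", True, False),
    Result("Q2-password-reset", "carol", False, True),
    Result("Q2-password-reset", "dave", False, True),
    Result("Q2-password-reset", "erin", False, False),
    Result("Q3-ceo-gift-card", "alice", False, True),
    Result("Q3-ceo-gift-card", "bob", True, False),
    Result("Q3-ceo-gift-card", "carol", False, False),
    Result("Q3-ceo-gift-card", "dave", False, True),
    Result("Q3-ceo-gift-card", "erin", False, True),
]


def campaign_rates(results):
    """Map each campaign to (click_rate, report_rate) as fractions of recipients.

    Campaigns appear in the order they are first seen, so the dict doubles
    as a timeline when results are fed in send order.
    """
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.campaign] += 1
        clicks[r.campaign] += r.clicked
        reports[r.campaign] += r.reported
    return {c: (clicks[c] / sent[c], reports[c] / sent[c]) for c in sent}


def click_rate_trend(results):
    """Click rate per campaign in send order; a falling list means training is working."""
    return [click for click, _ in campaign_rates(results).values()]


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: retraining candidates."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def clean_record(results):
    """Users who never clicked in any campaign: the 'no incidents' reward group."""
    users = {r.user for r in results}
    clicked = {r.user for r in results if r.clicked}
    return sorted(users - clicked)


def top_reporters(results, limit=3):
    """Users ranked by reports made without clicking first: the 'alerted IT' reward group.

    Ties are broken alphabetically so the ranking is stable between runs.
    """
    counts = defaultdict(int)
    for r in results:
        if r.reported and not r.clicked:
            counts[r.user] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [u for u, _ in ranked[:limit]]


if __name__ == "__main__":
    for camp, (click, report) in campaign_rates(SAMPLE_RESULTS).items():
        print(f"{camp:20s} click {click:.0%}  report {report:.0%}")
    print("retrain:      ", repeat_clickers(SAMPLE_RESULTS))
    print("clean record: ", clean_record(SAMPLE_RESULTS))
    print("top reporters:", top_reporters(SAMPLE_RESULTS))
```

Reports are only credited when the user did not click first, so the reward list favours the behaviour that actually gives IT early warning; a user who clicks and then reports still lands in the retraining list if it happens twice.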
The most complex component of your environment, the end user, is also your greatest risk. Lowering your risk must include a strategy for engaging and incentivizing appropriate behavior of your end users. Computers are easy—protecting them from their humans is hard.
Eric Anthony is principal for customer experience at SolarWinds MSP.