As cybersecurity experts often like to say, humans are the weakest link in an organization’s security. Technology can only go so far in protecting data and other assets, but the end users can always undo the best of defenses.
“It’s a common thought that everything would be better if users were perfect,” Alex Stamos, at the time Facebook’s chief security officer, acknowledged in his Black Hat conference keynote speech in 2017.
Stamos added that it was not only dangerous to shift responsibility to users, but that users need safety nets.
“This modern world of technology is full of tight ropes and for the most part, we have not put any safety nets under those tight ropes,” he said.
While Stamos was addressing developers and white hats, this idea applies to companies. One of the best safety nets that organizations themselves can create is a user-awareness training program. Strong security takes a combination of technology, processes and people, and a security-awareness training program helps strengthen the people component of this strategy.
Successful security-awareness training programs have many elements in common. Here are some of the top ones.
A 2017 survey by global consulting firm Protivity found that high-performing security programs are distinguished by having a board that understands and is engaged with security risks. Protivity found that engagement and understanding has increased compared to 2015.
Part of the increased engagement may be due to the growing intensity of data-breach incidents and ransomware attacks like WannaCry. Every high-profile attack and news headline help increase the level of board and C-suite security awareness.
But without an understanding of how the human factor plays a role in security, organizations may be putting all their eggs in the technology basket — especially those organizations that are still building their awareness-training programs. Leaders need to understand (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Rodika Tollefson. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2MFy2Rswu6Y/