In this CIO Straight talk Tweet chat, a panel of global security experts ponder upon the human element of cybersecurity and discuss the importance of sensitizing and empowering employees as the first line of defense.
Our agenda is to discuss how organizations are vulnerable to attack, no matter the amount of money spent defending the enterprise. This is called the ‘Cyber Paradox’. #STinsights #Cybersecurity #CyberAttacks #Tweetchat— CIO Straight Talk (@CIOStraightTalk) August 23, 2018
Our esteemed security leaders are ready to dive into the discussion...
We start with analyzing the role of the human element and its business vulnerability.
Empower every employee with cybersecurity education and awareness.
A1: It's the classic "people, process, technology" answer and having #cybersecurity solutions that can adapt and evolve to the "human factor" is the only way to increase overall resiliency. #STInsights #TweetChat— mike d. kail (@mdkail) August 23, 2018
#Cybersecurity is not just about #technology but also about the people using it, whose behaviors lead to exploitation. It is evident from #NotPetya & #WannaCry that #humanfactors play a major role in making business vulnerable. #STinsights @reach2ratan @CIOStraightTalk— Ratan Jyoti (@reach2ratan) August 23, 2018
Human error + social engineering schemes are still the leading cause of data & security breaches. Even with the best cybersecurity hygiene, & the lowest attack surface, the human factor is the biggest challenge when building an effective threat prevention strategy. #STinsights— Ryan Fay (@ryancfay) August 23, 2018
With phishing attacks being one of the most prevalent types of events today, teaching employees to look for basic clues in emails and fake websites can be massively valuable. @CIOStraightTalk #STinsights— Jonathan Reichental (@Reichental) August 23, 2018
#STinsights A1. The human factor is easily the most important part. Humans are often the weakest link, yet we humans are essential to the process.— Eric Vanderburg (@evanderburg) August 23, 2018
True, and a real issue, as a lack of social media skills is common, and thus protections too; furthermore, people don't wish to expose their lack of social media skills, as it is seen as a modern-day weakness.— Thomas Power (@thomaspower) August 24, 2018
The panel highlights the top ways humans negate the efficacy of cybersecurity investments.
More human awareness is needed to manage digital risks, thus mitigating human ignorance.
A2: "Layer 8" (people) is the most likely to be the easiest #cybersecurity attack vector despite a healthy level of technology investment. That's why continuous awareness training is paramount. #STinsights #TweetChat @CIOStraightTalk— mike d. kail (@mdkail) August 23, 2018
Negligent employees, accidental mistakes and malicious insiders can all be detrimental to the effectiveness of cybersecurity investments. Also, the inability of the IT security team to manage digital risk can have a significant impact. @CIOStraightTalk #STinsights @seqrite— Sanjay Katkar (@sanjaykatkar) August 23, 2018
A2: The threat of the malicious insider in #cybersecurity is very real. The other factors that can negate the effectiveness of cybersecurity investments are— Ratan Jyoti (@reach2ratan) August 23, 2018
2. Lack of awareness
3. Human ignorance
#STinsights @reach2ratan @CIOStraightTalk
For example, a hacker makes a call to an employee and pretends to be the IT Help Desk. The "fake" IT Help Desk person says that a password reset is necessary on one of their accounts for some reason and asks the employee for their password. @CIOStraightTalk #STinsights— Jonathan Reichental (@Reichental) August 23, 2018
A2: Overtraining / training people on the wrong things – focus directed to wrong areas, and important elements of security program do not receive adequate attention...#STInsights #CIOStraightTalk #CyberSecurity #InfoSec #ThursdayThoughts— Joseph Steinberg (@JosephSteinberg) August 23, 2018
#STinsights A2. Here are 3 ways humans negate cybersecurity: 1) Humans introduce workarounds to otherwise secure processes; 2) humans can be duped by social engineering; and 3) humans make mistakes.— Eric Vanderburg (@evanderburg) August 23, 2018
Overcoming challenges with strategy implementation.
Every employee has to own cyber risk management...
A3: Managing cyber risk should not be limited to the IT setup alone but extended to the entire organization, and thus there should be— Ratan Jyoti (@reach2ratan) August 23, 2018
1. Clear and defined Role and responsibility
2. Defined and tested #Incidentresponse
3. #Cybersecurity awareness
#STinsights @reach2ratan @CIOStraightTalk
A combination of proper policies and awareness training goes a long way in mitigating this risk. Some of the strategies include— Sanjay Katkar (@sanjaykatkar) August 23, 2018
b. Implementing access control
c. Monitoring file activity
d. Data Loss Prevention (DLP) & data backup @CIOStraightTalk #STinsight
These 4 steps are cost-effective and easy to implement – 1) Classification of data as per sensitivity. 2) Access to data based on seniority. 3) Only save non-sensitive data on shared servers. 4) Allow mobile devices access to areas that contain only non-sensitive data.— Rajesh Thakur (@TweetsByRajeshT) August 23, 2018
Reduce risk by taking as much away from employee as practical. For example, superior intrusion detection systems (IDS), attachment stripping, traffic monitoring, pattern analysis, data leak prevention (DLP), and data access mgt (DAM). @CIOStraightTalk #STinsights— Jonathan Reichental (@Reichental) August 23, 2018
#STinsights A3. Start with these 3 strategies for employee-related cyber risk: 1) policies, 2) regular training, 3) testing/validation through things like internal phishing campaigns— Eric Vanderburg (@evanderburg) August 23, 2018
Your cybersecurity framework checklist for compliance.
Flexible and adaptive cybersecurity frameworks can enhance the ROI.
1/ Make it personal: Adapt training in relatable terms (e.g. Protect Bank Accts, Protect kids at home). It sticks.— Sanjay Kanvinde (@sanjaykanvinde) August 25, 2018
2/ Competition: Publish metrics across divisions/countries -- no one wants to look bad. (e.g. Phishing rates).
3/ 3-strikes and out: Make rules clear & enforce.
A4: The framework needs to be adaptive and "elastic" to the ever changing requirements of employees and the business. Rigid, draconian policies will result in employees looking for ways to subvert them. #STinsights #CyberSecurity @CIOStraightTalk— mike d. kail (@mdkail) August 23, 2018
Establish metrics; there are core ones and then organization-specific ones. #STinsights— Jonathan Reichental (@Reichental) August 23, 2018
A very easy, non-intrusive but effective CyberSecurity solution + Policy + Practice framework that is not overbearing on the employee base, along with the ease of referenceable artifacts that can be referred to / consulted easily. #STinsights https://t.co/uo0KqnD0Fa— Renju Varghese (@renjuv) August 23, 2018
And to our final official question...
Managing the human element and cybersecurity metrics must be a C-suite priority.
100% accurate, Mike: "#AI won't be a panacea". Keep being you; your tweets are superb.— Thomas Power (@thomaspower) August 24, 2018
The essential part of reducing cybersecurity vulnerabilities is identification. That’s why organisations must undertake regular security-testing to identify and close possible loopholes. #STinsights— Rajesh Thakur (@TweetsByRajeshT) August 23, 2018
A5: When it comes to #cybersecurity, our prime objective should be to manage things proactively rather than reactively, and for that the organisation should know where their key information lies.— Ratan Jyoti (@reach2ratan) August 23, 2018
#STinsights @reach2ratan @CIOStraightTalk
"Organisation should know where their key information lies": the problem word here is "should". They don't, and they can't find out easily either; thus containing the issue has become close to impossible, and thus another path (approach) is required.— Thomas Power (@thomaspower) August 24, 2018
Conduct a thorough risk assessment and adopt a multi-layered security strategy to strengthen your cybersecurity. Invest in cybersecurity education and awareness among employees on a continuous basis.— Sanjay Katkar (@sanjaykatkar) August 23, 2018
But wait! There’s the bonus question…
2020 is almost upon us and the technological possibilities are endless.
Thanks to all our panelists for another stimulating session.
A big thank you to all the panelists and those who joined us for this #Tweetchat today. A round of applause for our special guest for the discussion, .@KRL814. Check our Moments section for the highlights @CIOStraightTalk #STinsights— CIO Straight Talk (@CIOStraightTalk) August 23, 2018