When it comes to security, people are your most valuable resource. Find out how to get your employees involved with security compliance without blaming them for mistakes. In many IT security horror stories, the call comes from inside the house: according to a Stanford/Tessian study, 88% of data breaches can be attributed to employee errors.
Chris Morales, Chief Information Security Officer for Netenrich, says that it is probably wrong and unfair to view people as your weakest link.
“That’s false,” Morales stated during a breakout session at ChannelCon 2022; people are your most valuable resource, he said. The topic of the session was Importance and Processes of People in Cybersecurity. Morales provided three methods to get people involved with security compliance without blaming them. Let’s take a closer look at each one:
1. Take a look at behavior first
A good security awareness training program and standardized processes are key components, but it is just as important to assess the risks and discover why people are engaging in risky behavior. Remote task automation programs and configuration management software can be very useful to the people who rely on them. They can also be a red alert for security teams.
Security experts used to identify potential risks and then cut them off. But Morales stated that rules don’t work. “I don’t like rules,” he said. “I got into cybersecurity because rules are boring.”
Morales suggests that you first understand why people use these tools before you tell them why they should not. Make it easy for people to understand the technical terms. Set up a file transfer protocol (FTP) option that is within your security limits. “You can’t just tell someone not to do it,” he said. “You don’t just go to somebody and say not to do it.”
What do you do if someone tells you they don’t have the right tools to do the job? “That’s the job,” Morales stated. “The answer is that you need to sit down and figure it out. You must come up with a better solution.”
A security-first culture can help organizations improve their security posture. He said that most often, the answer is zero trust.
“It’s easy for me to see that and ask why you do that. Is there another way? Can we turn that FTP off?” he asked. These are behaviors that you can collect before they become a problem.
2. Offer Situational Awareness Reports
Gather information about your organization to prevent the enemy from gaining similar information. This is the idea behind situational awareness, which was developed in World War I. Morales stated that the idea is to be proactive and say “Give me an overview of everything right now” on a regular basis.
To help executives and heads of departments better understand current threats, you can provide a situational awareness report. Let your finance team know if you receive a lot of email compromise attacks. But be careful not to overwhelm them with unfiltered data. You need to give people enough situational awareness to understand the information without becoming overwhelmed.
“If someone is using Office 365 insecurely and they’re storing data in Office 365, I make them aware of the types of attacks being perpetrated against them,” Morales stated. “It’s always educating and informing. Here’s what’s up against you.”
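As an added illustration of the filtered, per-department report described above (example code, not from the session or the article), this Python sketch groups constructed sample alerts by the department they target, drops low-severity noise, and keeps only the top categories per team. The alert fields, the 1–4 severity scale and the department names are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One security alert as a SIEM might export it (constructed, assumed format)."""
    department: str   # business unit the targeted mailbox or account belongs to
    category: str     # e.g. "business_email_compromise", "credential_phishing"
    severity: int     # assumed scale: 1 (low) .. 4 (critical)


# Constructed sample alerts for the demonstration, not real data.
SAMPLE_ALERTS = [
    Alert("finance", "business_email_compromise", 3),
    Alert("finance", "business_email_compromise", 4),
    Alert("finance", "business_email_compromise", 3),
    Alert("finance", "credential_phishing", 2),
    Alert("finance", "malware_attachment", 1),
    Alert("engineering", "credential_phishing", 2),
    Alert("engineering", "credential_phishing", 3),
    Alert("engineering", "suspicious_login", 2),
    Alert("hr", "credential_phishing", 1),
]


def situational_awareness_report(alerts, min_severity=2, top_n=2):
    """Return {department: [(category, count), ...]}, keeping only the top_n
    alert categories per department at or above min_severity, so each team
    sees what is actually aimed at it instead of the raw, unfiltered feed."""
    by_dept = defaultdict(Counter)
    for alert in alerts:
        if alert.severity >= min_severity:
            by_dept[alert.department][alert.category] += 1
    # Departments with nothing above the threshold are simply absent.
    return {dept: counts.most_common(top_n) for dept, counts in by_dept.items()}


def render(report):
    """Plain-text digest short enough to send to a department head."""
    lines = []
    for dept, items in sorted(report.items()):
        lines.append(f"[{dept}] current threats:")
        for category, count in items:
            lines.append(f"  - {category.replace('_', ' ')}: {count} alert(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(situational_awareness_report(SAMPLE_ALERTS)))
```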
3. Track Behaviors Rather Than Metrics
How can you tell if behavior modification is working? Morales stated that the ultimate goal is to measure behavior outcomes, not user activity.
“I can look at someone and say, ‘This person has gone through a fair, secure, and reasonable process in the last three months,’” he said. That is a positive. To track user behavior and identify risky and safe moves, create user identity profiles. “I want people to do a good job and not be criticized for it.”
Morales stated that security is moving away from compliance-based processes toward understanding human behavior and culture. “As a security operations team, everything we do is behavior-based.”
