Every CISO knows that people are the weakest link in the organization’s security. How to strengthen their resolve so it won’t bend in the face of ever-increasing pressure from threat actors is the problem — use honey or vinegar?
Both, says Anuj Goel, co-founder of news site Cyware Labs, in a column this week. “IT teams should adopt both persuasive and coercive measures to reduce the cyber risk associated with an individual user. Organizations must endeavor to link appraisal with cyber hygiene. It is imperative to motivate employees to align with the organization’s cybersecurity culture.”
Infosec and education pros are divided on this, although even those who think coercion is wrong agree the enterprise can’t take a hands-off approach. Some argue a “three strikes and you’re out” approach to failure in awareness training tests is appropriate. Others say failing tests has to be reported up the chain — the first failure is tolerated and the test is taken again, the second is reported to an immediate supervisor, the third to a manager and the fourth to HR.
Over the years I’ve interviewed a number of experts who lean towards the “honey” side, emphasizing that awareness training to be effective has to be regular (at least once a quarter, if not once a month), varied (posters, newsletter/email tips and a half-hour of classroom time), and relatable to the employee (the CFO nearly clicked on this link, here’s what might have happened).
But security awareness training is more art than science. The fact is that if 999 of 1,000 employees get the message and over five years never make a mistake, it isn’t enough if one person slips and clicks on a malicious link. That’s when technology might come in and save the day.
When I interviewed experts for a feature I did for CSO Digital last year on social engineering, most insisted management has to take a positive attitude to awareness training and not instill fear. On the other hand, the risks to the enterprise of a data breach are great, ranging from loss of corporate reputation to lawsuits to failure of the organization. Small wonder Goel writes that it’s time CISOs got tough. “Given the increase in the frequency, lethality, potency and intensity of these cyberattacks … IT teams should monitor every individual user profile and compile information into a cyber risk index. This index can calculate a score based on each user’s role, location, system entitlements, understanding of security practices, situational knowledge and red team performance. An employee’s system access levels should correspond to this score.”
This could raise serious privacy issues. How is a staffer’s “understanding of security practices, situational awareness and red team performance” to be evaluated? By regular tests? By a keylogger that captures every movement?
Another problem is even a poor performer has to have access to email, which these days is the most likely attack vector.
CISOs continue to wrestle with these issues, which only get worse as more people and devices access the network. There’s still a lot of learning to be done to find the right balance between persuasion and coercion.