Hope Is Not a Strategy in Enterprise Security

Wouldn’t it be great if IT and InfoSec teams could get their wish and there would be no humans touching vital systems or accessing sensitive data? Their risk management program would be airtight. But hoping that your team will always do the right thing is not a strategy. The stakes are going up. The Ponemon Institute, in the 2018 Global Cost of Data Breach Report, found that the average cost of a data breach was $3.86M, or about $148 per compromised customer record. The number of data breaches has somewhat levelled off, but the severity of each data breach is increasing.

Technology alone isn’t the answer: human behaviour has the largest impact on the risk to the business. Planning, process and empathy should be incorporated into any robust Information Security Program. Empathy matters in particular: awareness training should be designed to accommodate a human being’s proclivity to make mistakes and to forget what they were taught, to anticipate the real-world scenarios employees face in their work environment, and to empower them to make the right choices. Tugboat Logic’s Awareness Training has the guidance and pragmatic policy-based approach to training that can be implemented by any enterprise.

Empowerment in Awareness Training

Just like any winning sports team, you need a solid playbook to guide your strategy and take action for maximum effect. The plan in security starts with robust policies and implementation guidance that familiarize employees with what is expected of them. Also, consider creating rewards for employees who do the right thing.

Some of the key threat vectors for data breach or cyber security attacks are directly in the employee’s control.

Employee Passwords

The conventional wisdom from experts is that passwords that use phrases rather than numbers/letters/symbols are easier to remember and less prone to hacking attempts. Additionally, employees need to be encouraged and reminded to use multifactor authentication – ideally standardized by the company via a uniform Password Policy. Tugboat Logic provides a free trial to view some sample template policies. Whether you require a code on a mobile device, such as one from Google Authenticator, or a biometric method of authentication, your organization should be emphasizing the importance of multifactor authentication as an easy-to-use security measure.

Employees Control Their Email

Email remains the number one risk vector for a cyber attack into an organization. Most training programs should incorporate an anti-phishing component. Google’s Anti-Phishing Quiz is a free and easy way to start aligning your team around the threat of phishing and social engineering attacks. Further, not every email can be encrypted. Employees sometimes need the gentle reminder that information sent unencrypted can be intercepted. Sending attachments that contain sensitive information puts that data at risk; such attachments should be sent in a password-protected zip folder (a low-cost security solution). Security awareness training needs to empower employees so that they realize they can protect their interests as well as their clients’ interests.

Employees Control Their Internet Browsing

In 2019, the Internet is such that fake news and real news can sometimes be indistinguishable. Employees know that when something looks sketchy, it is not work-appropriate and should not be engaged with. The challenge is that phishing scams make websites look official, and often trick people into giving up sensitive information or use social engineering to gain their trust and get them to reveal corporate information.

Employees must also understand that they can check the email address hidden underneath a sender’s name. Also, remind employees that they have the power to see the links embedded in hyperlinks without clicking through to a corporate website. A Bank of America link within a seemingly legitimate email may lead to something that says or These small changes are the sign of hackers attempting to install malware on your systems.

Right Size Your Program

Whether you develop your own security awareness training program or use a service provider, first determine what business risks you’re trying to accommodate. The risk priorities of a Fortune 100 company are very different from a mid-enterprise online retailer. There are several factors to consider, including the regulatory obligations of your industry, nature of your business, maturity of your employees, distribution of team members etc. Often the most critical risk factor to account for is identifying the scope and extent to which your company gathers, processes and stores customer information.
