Intelligent CISO Issue 21 | Page 30

editor’s question

RIAAN BADENHORST, GM OF KASPERSKY IN AFRICA

Against the backdrop of a complex and growing cyberthreat landscape, where many businesses are concerned about their IT security being compromised, many are now also waking up to the fact that one of the largest gaps in their cyber strategies is their own employees. In fact, past Kaspersky research shows that 52% of businesses admit that employees are their biggest weakness in IT security – where careless actions put the business and its IT security strategy at risk. Furthermore, more than 80% of all cyber-incidents are caused by human error.

During the global WannaCry ransomware epidemic, the human factor played a major role in making businesses worldwide vulnerable. In fact, so much so, that even two months after the disclosed vulnerabilities had been patched with a new required update, many companies around the world still hadn’t updated their systems. Several cases followed – with non-IT personnel being the weakest link. For example, employees with local administrator rights who had disabled security solutions on their computers, which then allowed the ransomware to spread from their computer through the entire corporate network.

In this digital world, human error is an increasing cyber-risk for companies that needs far more proactive action. So, what should businesses do?

The first step is to examine how to minimise, and better manage, the potential human error of the business’ cybersecurity strategy, which means looking at ways in which to transform employees into what we call a ‘human firewall’. The concept of the ‘human firewall’ looks at equipping employees/staff with the skills to operate in the digital world of the organisation, while still being threat intelligent enough to mitigate risks and minimise human errors, which have previously set many businesses back. Achieving this necessitates the business to invest in the right security awareness and training solutions.
However, these training mechanisms must go far beyond the basic IT security training many companies follow today – and rather focus on offering strategic guidance that is easily digestible, practical and, importantly, memorable. An employee’s ability to lessen human error or act appropriately if a business is facing a cyberthreat or attack, will only be as effective as the training they receive.

To undertake ‘human firewall’ training the following areas must be considered:

• Building strong cyber-hygiene skills through micro learning and reinforcement: This involves engaging employees in the education process around cybersecurity, with the aim to increase their personal cyber awareness.
• Agile fit: Enterprise-level scalability – a business must recognise that every employee will be at a different cyber awareness level and will be required to understand cybersecurity differently based on their role within the business. Therefore, cybersecurity training must adapt to meet the training needs of all employees, and at any level, to ensure everyone can learn within their own parameters, so that the full business is armed and prepared accordingly.

It is important to note that dedicated training of this nature is not about lecturing staff on cybersecurity obligations or business policy rules. Rather, it is about making effective learning open to businesses of any size, ensuring the company can balance security competence levels throughout the business for different groups of employees – all to support the employee learning process to ensure that they themselves are invested in cybersecurity measures.

Achieving this takes time but ultimately will support a business in building a stronger cybersecurity defence – one that exceeds relying purely on solutions-based protection. Certainly, it is this type of approach that aids in making staff a business’ biggest security asset, instead of an insider threat.