Building Your Cybersecurity Foundation – The Human Layer

By Barry Semple, Director of Technology

Many layers of security are needed to build a solid IT foundation for your organization. In our last blog post, we discussed the Physical Layer — essentially, physical access to your data. Today we will be looking at the Human Layer.

With access to our Cybersecurity Brickhouse secured from both physical and electronic perspectives, in this final chapter we will cover the most critical aspect of security. It is well known to be one of the weakest points of defense and responsible for around 24% of all cybersecurity compromises – the Human Layer! (Yes, that means you.)

We humans really are the cornerstone of everything in cybersecurity. It is possible to spend thousands of dollars building and securing your Brick House, but with one wrong configuration change, one opened bad email, or one click on a malicious website, it can all come tumbling down. The answer to this human/security problem is simple and proven to be very effective: provide all team members with cybersecurity training on a regular basis, and be sure to include that training in the onboarding routine for new staff.

There are many forms of cybersecurity training available, of differing levels of quality, content, and effectiveness. The following key points will help you select the best possible training to educate your team and solidify that last layer of your strong cybersecurity foundation.

Engaging – Selecting a cybersecurity training system that engages students is key to the retention of new knowledge learned. Look for training that is diverse in content, including interactive training modules, videos, assessments, posters and infographics.

Regularly Updated – The cybersecurity domain is a moving target. Having a training system which regularly adds new and relevant content ensures that the subject matter stays current, keeping students engaged.

Industry and Country Specific – Make sure the cybersecurity training content is geared to your industry, as there may be specific information required for compliance or regulations. Also make sure the training is specific to the country in which you do business.

Phishing Testing – Over 90% of cyber attacks begin with phishing emails. For this reason, it is critical to have cybersecurity training that includes phishing testing. Having simulated phishing emails delivered to all members of your team and recording who reports them and who clicks provides real-life learning opportunities and a picture of just how security-aware your team is.

Progress Reporting – Keeping track of your team’s progress through a cybersecurity training program is important to ensure it is being completed and understood. Having automated reports delivered regularly will enable management to keep team members on target for training completion within the required timeframe.

There is one other area of cybersecurity training that can be overlooked, and that is systems administration training. Remember that even if you have spent considerable time and money checking that all systems are configured correctly and securely, a team member with administrative access could make a mistake or a change to any system that has the potential to negatively impact your organization’s security. Only through a full understanding of the system being worked on (a software application, a network appliance or an application server) can the administrator be sure to make the right configuration changes as required.

By taking these steps, you are ensuring that the humans on your team, often an organization’s weakest security link, are contributing to your Cybersecurity Brick House.