Chapter Three – The Human Factor
What Can Be Done About User Risk?
I’d like to welcome you back for chapter 3 in a series of presentations focusing on technology solutions that provide value, optimization, and outcomes for businesses and organizations of all sizes, servicing all vertical markets.
In episode 2, we talked about what leadership can do to help manage cyber risk within an organization. In this episode, we’re going to talk about what we can do to manage the risk with our users, or what I like to call the Human Factor.
You’ve heard the stats, but I’ll repeat them – over 90% of all breaches are because of a user opening an attachment or clicking a link. Investing a lot of time and money into security technology can make companies or organizations feel safe, but the major threat to an organization’s cyber security isn’t technological; it’s human shortcomings.
So what can we do?
- First, understand that technology solutions will never be able to keep pace with dynamic cyber threats – in other words, technology is not a panacea.
- Second, assume your company will experience a breach. Take on the philosophy of “it’s not if, it’s when,” and train all employees, from executives to contractors, in how to recognize suspicious activities and what to do when a breach occurs.
- Third, invest in employee security awareness training, and teach what the right behaviour should look like. This training should also include simulated phishing attacks. At Oxygen, our service offering includes this type of training, but we don’t just sell the solution; we run our own internal campaigns. As part of this training, we benchmark ourselves against our industry. For example, in the IT Service sector, the benchmark is a 20% click rate, meaning 20% of the users are clicking on the attachment or link, simulating potential exposure. At Oxygen, through training, we have gotten our click rate down to less than 5%. We look to do the same benchmarking for you; we need to understand how we’re performing. However, the most important part of this process is understanding where you have gaps, with which users, and then investing in more training to better prepare them, further managing organizational risk.
So, the call to action – understand that buying technology will not solve all your problems, but investing in training will go a long way to manage an organization’s biggest threat vector: its users.
Thanks for watching, and if you have any questions on how to implement security awareness training within your environment, just reach out to the Team at Oxygen.