Chris Kuhl, CISO/CTO, Dayton Children's Hospital
Is your greatest cybersecurity asset that shiny new tool your organization just purchased? What about the integration between tool A and tool B into a unified dashboard? This is the great conundrum for cybersecurity teams, and I would like to convince you that your greatest cybersecurity asset is your users.
According to Gartner, an IT research and advisory company, worldwide cybersecurity market spending is forecast to reach $170.4 billion by 2022. Yet in 2020, organizations still suffered a global loss of $945 billion. I believe it is safe to say that we need a more comprehensive cyber strategy, one that addresses the human risk along with the technology risk.
According to the 2021 Verizon Data Breach Investigations Report (DBIR), over 85% of all breaches involved human interaction. Human interaction includes phishing attacks, human error, misuse of privileges, and easily guessed passwords. To narrow the focus further, phishing and passwords are the top two risks to any organization for the third year in a row. Luckily, you can address all of these topics with a security awareness program.
Creating a comprehensive security awareness program isn’t difficult. It takes the three most challenging resources to acquire: time, leadership support, and an understanding of your organization’s culture.
The first thing we need to do is replace the old mantra "users are the weakest link in your cyber defense" with "people are the primary attack vector." In healthcare, we are talking about people with advanced degrees, years of experience in their respective fields, and valuable insight, none of which is geared toward cybersecurity.
Secondly, we need to survey our users to gain a better understanding of the cybersecurity culture in our organizations. Once you understand the current culture around cybersecurity, you can begin to develop the four focus areas for your awareness program.
Two important categories were mentioned above: phishing and passwords. Easy ways to identify and report a phishing email, and the use of passphrases instead of passwords, should be included in your security training. That leaves two additional categories unique to your organization. If you have a lot of remote workers, you might want to cover how to work remotely in a safe and secure way. If you do manufacturing, you may want to cover what to look for in physical security, such as tailgating into controlled rooms.
The importance of cybersecurity awareness training has become more front and center in the last 20 months. Traditional network perimeters are dissolving under a combination of cloud platforms, smart devices, and employees working from home more often. Protecting the user's identity and PC becomes that much more important.
Our main goal, as cybersecurity professionals, is to secure our organization. To quote Gabe Bassett, one of the authors of the DBIR, “Your job is not to secure your computers but your organization. And if you’re not securing your people, you’re not securing your organization.”