When you look at the nature of cybersecurity and the evolving threats out there, there are essentially two “doors” that malicious actors will use to gain entry to your environment and data.
Door one is your technology. Cyberattackers exploit vulnerabilities in your technology infrastructure and security tools to either sneak through surreptitiously or blow open an entryway. As cybersecurity technology evolves to meet the growing sophistication of attacks — such as zero-trust models and passwordless technologies — this door may become more heavily fortified.
Door two is your people. These attacks focus on exploiting vulnerabilities in human behavior that might turn your employees into unwitting co-conspirators in an attack. Phishing is the most obvious example, but there are other ways a security breach can occur due to poor choices or lapses in judgment. This door will likely always have to be fortified with ongoing training and education.
To prepare your employees for today’s most prevalent and dangerous threats, you have to address both doors. As importantly, each area will require a multilayered approach that covers all the bases in a rapidly changing cybersecurity landscape.
Door One: Strengthen Your Technology
The foundational pillars of any cybersecurity program with a good security posture are multifactor authentication (MFA) combined with the right identity and access management (IAM) controls. MFA in particular is critical to establishing fortress-like security.
Unfortunately, far too many organizations don’t take this extra step. For example, Microsoft (Avanade’s parent company) recently reported that only 10% of enterprise account users use MFA in a given month, counting on-premises and third-party MFA as well. Successful attacks on Microsoft user accounts with MFA enabled are extremely rare (so rare, in fact, that Microsoft doesn’t even keep statistics on them). Microsoft believes this low rate of MFA adoption is what has kept attackers from investing in MFA-intercepting tools. Requiring users to enable MFA protections is one step you can take that substantially increases security.
Information protection tools are another layer vital to any cybersecurity program. Technologies such as information rights management (IRM) solutions or Microsoft Information Protection are essential walls that can protect documents, emails and sensitive data from attackers.
Of course, we’ve all heard “trust but verify” as a mandate for technical controls. But, in today’s hyper-aggressive environment, more and more technologies are moving toward a zero-trust model. Instead of “trusting” someone with a random account that they are who they say they are with few checkpoints, more stringent technologies are focusing on definitively tying the account to a verified corporate identity. To a certain extent, passwordless biometric technologies also fall into this bucket. These technologies help to ensure that only truly authorized users are able to access your information.
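The adoption gap described above is easiest to close when you can measure it. The following added example (not code from the article, Avanade or Microsoft) computes MFA coverage from an identity-directory export, separating accounts that merely have an MFA method registered from accounts that actually completed an MFA challenge in the last 30 days, and lists the privileged accounts with no MFA at all. The `Account` record, its field names and the sample rows are constructed for this example; map them onto whatever your identity provider exports.

```python
"""Added example (not from the article): measure MFA coverage across an
identity directory export and flag the accounts whose lack of MFA matters
most. The record layout and sample rows are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    enabled: bool
    mfa_registered: bool      # at least one MFA method is registered
    mfa_used_last_30d: bool   # completed an MFA challenge in the last 30 days
    privileged: bool          # admin or otherwise elevated role


# Constructed sample export (hypothetical users, not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, True),
    Account("bob", True, True, False, False),     # registered but never challenged
    Account("carol", True, False, False, True),   # privileged with no MFA at all
    Account("dave", True, False, False, False),
    Account("erin", False, False, False, True),   # disabled: excluded from the metric
    Account("frank", True, True, True, False),
]


def mfa_report(accounts):
    """Return coverage percentages over enabled accounts plus the two
    lists a security team should act on first."""
    active = [a for a in accounts if a.enabled]
    n = len(active)
    registered = sum(1 for a in active if a.mfa_registered)
    used = sum(1 for a in active if a.mfa_used_last_30d)
    # Privileged accounts with no MFA are the highest-impact gap.
    priv_gap = sorted(a.user for a in active if a.privileged and not a.mfa_registered)
    # Registered-but-unused accounts show MFA is available but not enforced.
    stale = sorted(a.user for a in active if a.mfa_registered and not a.mfa_used_last_30d)
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {
        "active_users": n,
        "registered_pct": pct(registered),
        "used_30d_pct": pct(used),
        "privileged_without_mfa": priv_gap,
        "registered_but_unused": stale,
    }


if __name__ == "__main__":
    for key, value in mfa_report(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 60% of active users registered but only 40% actually using MFA, which is the distinction the Microsoft figure above turns on: a registration-only number overstates protection. The `privileged_without_mfa` list is the one to drive to zero first, and the `registered_but_unused` list is the signal that an enforcement policy (rather than more enrolment campaigns) is what is missing.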
Door Two: Train Your Employees To Be Cybersecurity Champions
I get asked this question a lot: “What’s the No. 1 risk to businesses today?” My answer is always the same: people and their behaviors.
The key to addressing the cybersecurity risks inherent with employee behavior is having a comprehensive and consistent training and education program focused on preventing employees from giving away the “keys to the kingdom” by falling prey to phishing, IAM mistakes and other behaviors that can put your company’s data and security at risk.
For some companies, such a program requires a change management approach that helps employees understand what good and bad security behavior look like, backed by ongoing education. Role-based training for individuals in delivery or other higher-risk roles across the company is one tactic that educates employees about the risks they specifically face; it can be paired with internal certifications that require a defined level of security awareness and education, depending on the role.
So, what does a cybersecurity program look like for your company? How do you get started with that?
• Understand your unique needs, strengths and weaknesses. You need to have input to build your program and focus your efforts. You can get this input through security behavior surveys or any other security metrics you may have. This valuable data can help you understand where you need to grow and build the program’s short- and long-term goals.
• Create a culture of shared responsibility. This objective should be part of the goals of your employee cybersecurity program. The general idea is to develop an employee culture committed to protecting your company, clients, work, data and assets. Shared responsibility means the onus isn’t just on the company to protect against cyberattacks; it’s also on each employee.
• Educate continuously. It’s vital to make good security behavior understandable and consumable. Make participation creative and fun, not tedious. Look at your efforts as an internal marketing campaign. Activities must be compelling and creative. Security quizzes or apps, mock phishing campaigns, incentive programs and ways to introduce a little friendly competition will motivate and engage your employees to be the best cybersecurity champions in their departments.
• Integrate cybersecurity training with onboarding. At my company, our New Joiner program includes security behavior training, helping employees build secure behaviors from day one. In addition, we have 30-, 60- and 90-day check-ins to reinforce training and behavior further.
Be sure to address both doors — technology and employee behavior — that malicious actors use to enter your environment and access your company’s sensitive data. And remember, there isn’t just one answer or magic bullet to cybersecurity success, so multiple layers of effort are needed. This two-pronged, multilayered approach can help your company thwart attacks and safeguard your data in today’s dangerous cyber world.