Time to get tougher with staff to improve cyber security?

Every CISO knows that people are the weakest link in the organization’s security. The problem is how to strengthen their resolve so it won’t bend in the face of ever-increasing pressure from threat actors: use honey or vinegar?

Both, says Anuj Goel, co-founder of news site Cyware Labs, in a column this week. “IT teams should adopt both persuasive and coercive measures to reduce the cyber risk associated with an individual user. Organizations must endeavor to link appraisal with cyber hygiene. It is imperative to motivate employees to align with the organization’s cybersecurity culture.”

Infosec and education pros are divided on this, although even those who think coercion is wrong agree the enterprise can’t take a hands-off approach. Some argue a “three strikes and you’re out” approach to failure in awareness training tests is appropriate. Others say failing tests has to be reported up the chain — the first failure is tolerated and the test is taken again, the second is reported to an immediate supervisor, the third to a manager and the fourth to HR.

Over the years I’ve interviewed a number of experts who lean towards the “honey” side, emphasizing that awareness training, to be effective, has to be regular (at least once a quarter, if not once a month), varied (posters, newsletter/email tips and a half-hour of classroom time), and relatable to the employee (the CFO nearly clicked on this link, here’s what might have happened).

But security awareness training is more art than science. The fact is that if 999 of 1,000 employees get the message and over five years never make a mistake, it isn’t enough if one person slips and clicks on a malicious link. That’s when technology might come in and save the day.

When I interviewed experts for a feature I did for CSO Digital last year on social engineering, most insisted management has to take a positive attitude to awareness training and not instill fear. On the other hand, the risks to the enterprise of a data breach are great, ranging from loss of corporate reputation to lawsuits to failure of the organization. Small wonder Goel writes that it’s time CISOs got tough. “Given the increase in the frequency, lethality, potency and intensity of these cyberattacks … IT teams should monitor every individual user profile and compile information into a cyber risk index. This index can calculate a score based on each user’s role, location, system entitlements, understanding of security practices, situational knowledge and red team performance. An employee’s system access levels should correspond to this score.”

This could raise serious privacy issues. How is a staffer’s “understanding of security practices, situational awareness and red team performance” to be evaluated? By regular tests? By a keylogger that captures every movement?

Another problem is that even a poor performer has to have access to email, which these days is the most likely attack vector.

CISOs continue to wrestle with these issues, which only get worse as more people and devices access the network. There’s still a lot of learning to be done to find the right balance between persuasion and coercion.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com