The KnowBe4 security awareness blog published an excellent summary just at the end of 2017.
Based on research by Harvard Business Review, TechRepublic, and the Ponemon Institute, “employee training is the third-most-effective method of decreasing the per capita cost of a breach.” It is preceded by only two factors—extensive use of encryption and the setting up of an assigned incident response team before, rather than after, a problem has taken place.
Stu Sjouwerman lists the departments that are most likely to expose an organization:
- IT and Development
- The C-suite
A further study was published this week on the Bitdefender blog, named RSA’s best corporate security blog in 2017. The research finds that:
“…nearly two thirds (65 percent) of CISOs are losing sleep at night about information security threats, but their direct C-Suite colleagues are the biggest culprits when it comes to bending the rules. What’s clear is that the modern-day CISO, CSO and CIO need to be far tougher at conveying the real life repercussions of poor information security practices, from the board level downwards.”
What can you do about it?
The best defense is a good offense.
- Assess the potential impacts of a cybersecurity attack or breach on your organization as you would for any other major risk. The days of token fines are fast becoming a memory as regulators gain more power.
- Put an education program in place. Employees should know what their responsibilities are, how to recognize a potential problem, and where to report it so that it can be investigated and followed up.
- Put an information security management system in place so that your organization has coordinated preventive measures and a clear set of plans, with selected employees or agents who are trained to deal with, and accountable for, information security situations.