April 26, 2019
CISOs are constantly assaulted with the news of a new data security breach or blunder. It comes as no surprise that CISOs are not only overwhelmed but also somewhat perplexed about what the primary problem is.
Before CISOs and CIOs jump into implementing the latest security standards of the NIST Cybersecurity Framework or the FFIEC Cybersecurity Assessment Tool, it is worth reviewing the data security facts about breaches over the last twelve months.
A recent report by Osterman Research found that 37% of respondents rated phishing emails infecting one or more endpoints on the network as their most serious security incident. Close behind, at 28%, was the accidental leaking of sensitive or confidential information via email by internal or external users. The results shown below, together with the other top five reported incidents, point decisively to an organization's internal and external users as the weak link in the cybersecurity chain. Whether the target is cardholder data, service provider information, PII (personally identifiable information) or the organization's IP (intellectual property), these results make the avenue of access clear: the user.
Unfortunately for every information security officer, employees and external users are the one resource an organization cannot do without. And although users will remain the biggest vulnerability, proactive steps can mitigate, if not nearly eliminate, this weakness. The following chart shows that employee training still lags significantly, despite the direct effect it would have on the organization's security posture.
Proactive, recurring education that trains users on cybersecurity issues such as phishing, spear-phishing, web browsing and social media engagement lets the security office reduce this vulnerability to manageable dimensions. When that education is combined with email management applications that monitor and advise users, and with applications that discover, classify and protect structured and unstructured sensitive data both on-premises and in the cloud, CISOs have a solution that is effective against breaches and affordable to run.
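As an added example (not code from the original article or from any product it mentions), the following Python script shows the kind of check an email management or data-classification tool performs on an outbound message before it leaves the organization: it discovers cardholder data (candidate PANs validated with the Luhn checksum), SSN-style identifiers and "Confidential" labels in the body, and decides whether to allow, warn or block based on whether any recipient is outside the company domain. The sample messages, the `example.com` internal domain and the allow/warn/block policy are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed internal mail domain; anything else is treated as external.
INTERNAL_DOMAIN = "example.com"

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN layout NNN-NN-NNNN (format check only; no issuance validation).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Handling labels users put on sensitive documents.
LABEL_RE = re.compile(r"\b(confidential|internal only|restricted)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "PAN", "SSN" or "LABEL"
    masked: str    # value as it may safely appear in a log or user prompt


@dataclass
class Verdict:
    decision: str                  # "allow", "warn" or "block"
    external: bool                 # any recipient outside INTERNAL_DOMAIN
    findings: list = field(default_factory=list)


def classify_body(body: str) -> list:
    """Discover and classify sensitive data in free text; PANs must pass Luhn."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("SSN", "***-**-" + m.group()[-4:]))
    for m in LABEL_RE.finditer(body):
        findings.append(Finding("LABEL", m.group().lower()))
    return findings


def check_outbound(msg: dict) -> Verdict:
    """Policy (assumed): block regulated data leaving the domain, warn on anything
    else that looks sensitive, allow clean mail."""
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg["to"])
    findings = classify_body(msg["body"])
    regulated = any(f.kind in ("PAN", "SSN") for f in findings)
    if regulated and external:
        decision = "block"
    elif findings:
        decision = "warn"      # advise the user and let them reconsider
    else:
        decision = "allow"
    return Verdict(decision, external, findings)


# Constructed sample messages (not real data; 4111 1111 1111 1111 is a test PAN).
SAMPLE_LEAK = {
    "from": "alice@example.com",
    "to": ["vendor@partner-mail.test"],
    "body": "Hi, please charge card 4111 1111 1111 1111, exp 04/26. Thanks!",
}
SAMPLE_LABELED = {
    "from": "alice@example.com",
    "to": ["bob@example.com"],
    "body": "CONFIDENTIAL: Q3 roadmap attached. Order ref 4111-1111-1111-1112.",
}
SAMPLE_CLEAN = {
    "from": "alice@example.com",
    "to": ["vendor@partner-mail.test"],
    "body": "Meeting moved to 3pm. Call me on 555-0199 if that is a problem.",
}

if __name__ == "__main__":
    for name, msg in [("leak", SAMPLE_LEAK), ("labeled", SAMPLE_LABELED), ("clean", SAMPLE_CLEAN)]:
        v = check_outbound(msg)
        print(name, v.decision, [(f.kind, f.masked) for f in v.findings])
```

The Luhn step matters: a 16-digit order number that fails the checksum (as in the second sample) is not reported as cardholder data, which keeps false positives low enough that users take the warnings seriously. A real deployment would also scan attachments and honour document classification labels set by the discovery tooling rather than relying on free-text markers alone.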