By Gabe Gambill, VP of Product, Technical Operations, Quorum
Here’s what people get right about security breaches: They’re rampant, cleverly executed and destructive. IT leaders know that cyber criminals are skilled enough to steal their companies’ sensitive data and tarnish their brand reputations.
Now here’s what people get wrong about security breaches: That safety lies in network security and a fortress of monitoring and detection tools.
Don’t get me wrong: prevention tools are useful and needed, but more spending doesn’t equal better security. An intelligent security program involves both technology and people. The uncomfortable fact is that your customers’ greatest threat isn’t always outside the company; sometimes it’s their own workforce that brings about a security disaster through human error, gullibility or simple lack of training. A recent CompTIA report shows the primary cause of breaches is typically human error (58 percent) rather than technology error (42 percent).
Workers are busy and distracted. While multi-tasking, they can easily click on a suspicious link, fall for a phishing email or download an unapproved app. That one mistake can plunge an entire organization into a ransomware nightmare or a CEO fraud scheme that costs millions. This doesn’t mean employees are foolish; it means that criminals are sophisticated. A spoofed sender address can persuasively imitate a real leader’s, and a request for information can display a level of inside knowledge about the company that makes it look legitimate. The most reliable way to fortify against this kind of mistake is a good training program, and these programs are an excellent managed security services offering for partners.
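Training teaches people what a spoofed executive address looks like; the same signals can also be checked mechanically before the message reaches the inbox. The script below is an added example written for this article, not code from the author or from Quorum. It assumes a hypothetical corporate domain (`example.com`) and a small directory of executive display names and mailboxes, both constructed here, and flags the four patterns most often seen in CEO-fraud mail: an executive’s display name on a foreign mailbox, non-ASCII characters in the address, a lookalike domain within two edits of the real one, and a Reply-To that diverts replies elsewhere.

```python
"""Heuristic sender checks for executive impersonation ("CEO fraud").

Added example, not part of the original article. The corporate domain and
the executive directory are constructed for illustration.
"""
from email.utils import parseaddr
import unicodedata

# Constructed data: the domain and people an attacker is likely to imitate.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # hypothetical CFO
    "john roe": "john.roe@example.com",  # hypothetical CEO
}


def _normalize(s: str) -> str:
    """Lowercase, trim, and drop any character that has no ASCII form.

    A homoglyph such as Cyrillic 'а' is removed rather than folded, which
    is enough to make the result differ from the genuine mailbox.
    """
    return (unicodedata.normalize("NFKD", s)
            .encode("ascii", "ignore").decode().lower().strip())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between different domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return a list of findings for a From (and optional Reply-To) header.

    An empty list means none of the heuristics fired.
    """
    findings = []
    name, addr = parseaddr(from_header)
    name_n, addr_n = _normalize(name), _normalize(addr)
    domain = addr_n.rsplit("@", 1)[-1] if "@" in addr_n else ""

    # 1. Display name matches an executive but the mailbox is not theirs.
    if name_n in EXECUTIVES and addr_n != EXECUTIVES[name_n]:
        findings.append(
            f"display name '{name}' imitates {EXECUTIVES[name_n]} but sends from {addr}")

    # 2. Non-ASCII characters in the address (homoglyph / IDN tricks).
    if any(ord(c) > 127 for c in addr):
        findings.append(f"non-ASCII characters in sender address {addr!r}")

    # 3. Domain is close to, but not, the corporate domain (examp1e.com, example.co).
    if domain and domain != CORPORATE_DOMAIN and _edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain} resembles {CORPORATE_DOMAIN}")

    # 4. Reply-To points somewhere other than From, so replies leave the real mailbox.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if _normalize(reply_addr) != addr_n:
            findings.append(f"Reply-To {reply_addr} differs from From {addr}")

    return findings


if __name__ == "__main__":
    # Constructed sample headers; none of these are real messages.
    samples = [
        ('"Jane Doe" <jane.doe@example.com>', ""),
        ('"Jane Doe" <jane.doe@gmail.com>', ""),
        ('"Jane Doe" <jane.doe@examp1e.com>', ""),
        ('"John Roe" <john.roe@example.com>', "urgent-wire@mail.example"),
    ]
    for frm, rto in samples:
        print(frm, rto or "(no Reply-To)")
        for f in assess_sender(frm, rto) or ["  no findings"]:
            print("  ", f)
```

These checks are heuristics, not proof: a compromised executive mailbox passes all four, which is exactly why the message-level checks and the training have to coexist. The edit-distance threshold of two is a constructed choice; tune it against the corporate domain’s length, since short domains produce more false matches.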
Another factor increasing the odds of employee mistakes: complexity. For each customer, ask: How deep is your tech stack? How many different solutions do employees need to master, and how do those solutions affect one another? How many security policies and controls are in place?
A few instructions here and there usually won’t cut it. Let’s say a company has a strict wire transfer policy requiring multiple authorizations, mandatory delays and a carefully designated multi-step process, all aimed at stopping the growing number of fraudulent requests for financial transfers. Those are wise strategies, but if a new executive assistant receives a fake request from the CFO and hasn’t been trained on those policies, the transfer could go through anyhow.
The amount a company invests in training is one measure of its security strength. So here are 10 ways …