Human Readiness – Now More Than Ever
Insights from Security Leaders at RSA 2020
RSA 2020 was focused on the Human Element. The conference announced that: “With all the new technologies, strategies and artificial intelligence being employed by both security pros and threat actors, one thing remains constant: us”.
RSA also published its goal “to help the industry mature while preparing individuals to grow into their roles as defenders of the world. When we recognize that cybersecurity is, fundamentally, about protecting people, the world becomes a better, more secure place”.
At CybeReady we’ve always believed that human readiness is key in building organizational resilience. I was very inspired to attend RSA’s panel “Preparing and Responding to a Breach” and listen to security leaders from Starbucks, Microsoft, WhiteHat Security and SecurityScorecard, who discussed lessons learned from last year’s breaches and the role employees play in defending today’s enterprises.
Readiness at All Levels
Moderator John Yeoh, Head of Research for the Cloud Security AllianceLast said there were 5,283 security breaches in 2019 and collectively, organizations lost 7.9 billion records.
All panelists agreed that employee training should become part of the corporate culture and be an ongoing effort. New people join and leave, so training should create continuity to avoid gaps in cybersecurity knowledge.
Panelists shared different employee and customer training strategies, CBT exercises, and other efforts they’ve invested in, hoping to prepare employees for any type of attack. “I have to take cybersecurity training at Microsoft just like everybody else,” said Microsoft’s cybersecurity field CTO Diana Kelley. “We don’t just assume because somebody has a title, they get to be exempt from that training.” She also advised to add an engaging element to the training experience: “Psychologically, humans are much better at learning when we’ve got a little bit of an adrenaline pump.” If an employee is caught getting phished, they may remember to be more cautious next time.
Phishing is Here to Stay
SecurityScorecard CISO Paul Gigliardi said he is most worried about how attackers use the data they steal. “It’s not just the fact a breach occurred; it’s that all of our company’s data is somehow in there.”
“The reason you keep hearing about phishing from speakers like us … it’s not because we want to bore you with repetition,” said Kelley. “It’s because phishing still works.” Application vulnerabilities, misconfiguration, and phishing are the three areas where attackers are having the greatest success, which is why they should be prioritized.
Per Starbucks global CISO Andy Kirkland, Credential reuse is a primary concern in the retail and hospitality industries. “Whenever these credentials become available, we become a place where people want to see if they work,” he said. The sharing of usernames and passwords across multiple platforms is “a big thing to watch” for companies.
Practice Makes Perfect
Panelists spoke to employee and customer training strategies, tabletop exercises, and other steps they take to better prepare for security incidents. One key takeaway was the importance of working employee training into the corporate culture for everyone. As organizations change over time, and new people are onboarded, there will be gaps in cybersecurity knowledge.
“I have to take cybersecurity training at Microsoft just like everybody else,” said Kelley. “We don’t just assume because somebody has a title, they get to be exempt from that training.” She advised annual or biannual security training for all employees. “Psychologically, humans are much better at learning when we’ve got a little bit of an adrenaline pump.” If an employee is caught getting phished, they may remember to be more cautious next time.
“The best training is in-the-moment training,” Kirkland emphasized. “While some training is done for compliance, the unexpected phishing emails deliver real learning moments”.
Key insights from this panel have clearly shown a shift in approach across all industries. Security leaders no longer settle for compliance-centric training, or annual training events. In order to change employee behavior, corporations need to build strong, positive cultures that leverage employees’ readiness from any department and level for the critical role of keeping the organization safe. Only continuous training that involves all employees year-round, trains them in real-time and offers an adaptive & engaging methodology can change employee behavior towards cyber attacks and build sustainable resilience.
For more information on CybeReady’s Autonomous training platform visit: www.cybeready.com