BreachExchange mailing list archives

The Most Cost-Effective Cyber-Security Initiative You Can Employ


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Nov 2014 18:46:07 -0700

https://finance.yahoo.com/news/most-cost-effective-cyber-security-234500004.html

By now, many companies are having their departments wade through a litany
of strategy meetings to determine next year’s budget. CIOs and their
directors will certainly be in the mix, particularly as it relates to
cyber-security initiatives. While it’s important to look at what systems
are in place and what state-of-the-art technology should be deployed on
mission-critical networks, one cost-effective element for thwarting the
next threat is often overlooked: training.

Here’s the cold, hard reality. No new-fangled anti-virus, anti-spam or
firewall system will prevent a sophisticated hacker from infiltrating a
company’s database if employees aren’t practicing tried-and-true safe
computer practices. Organizations are usually hacked through the inadvertent,
nonmalicious but nonetheless unsafe activities of their employees. Here are
just a few:

1. Employees with a public Facebook account that discloses their complete
name and date of birth could provide a cyber predator the tools to
potentially obtain a Social Security number among other essential
information to successfully infiltrate your business and personal accounts.

2. Shadow Wi-Fi accounts that show up in public places, such as a
conference hall or hotel, can prey on mobile devices that are set to
connect to the nearest open network. They resemble a reputable access point
but instead target business travelers so they will unintentionally expose
all the company information on their iPhone, iPad or laptop.

3. Passwords to multiple accounts are often tough to remember, so many
individuals write them down in a notebook or in an unencrypted file on their
computer or phone. While this is understandable, the result essentially
provides an open invitation to cyber thieves.

4. An employee receives an email from someone he or she doesn’t know,
clicks on the link as directed and instantly malware permeates the
company’s network. It wasn’t a malicious act by the teammate.

This last point brings up an important element that should be part of any
corporate cyber-security training program: Every organization is vulnerable
to an attack. Some managers will think their firm is too small for a
virtual thief to consider attacking. The opposite is quite true. Smaller
companies are often easier targets. An organized criminal group based
overseas can go after millions of small businesses at the click of a mouse
and rack up huge payoffs while scarcely batting an eye.

Companies need to emphasize to members of their team the importance of safe
computer practices that go well beyond appropriate websites to surf during
office hours. Cyber-security activities of employees should be given the
same care and concern as showing them how to safely leave the office
building after hours.

Now all this doesn’t mean that organizations should ignore their network
architecture, security patches, disaster-recovery policies and a
threat-management system. All these elements remain crucial to an effective
information assurance strategy. But failure to adopt training programs that
effectively remind and reward employees for prudent computer practices will
leave a gaping hole in a company's ability to thwart the next threat.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
