A central component of every cybersecurity program is vulnerability management—identifying weaknesses in the organization’s security posture and implementing controls to address them. Unpatched operating systems, poorly configured firewall rules and unencrypted databases are all chinks in an organization’s cyber armor, but the most critical cybersecurity vulnerability is people.
Whether it’s an exhausted, distracted salesperson unknowingly clicking on a phishing link or a disgruntled network administrator exfiltrating sensitive customer data, an organization’s own people are the common denominator in most successful cyberattacks. The 2021 Verizon Data Breach Investigations Report showed that 85% of security breaches involved a human element.
Hybrid Workplace Vulnerabilities
Last year’s sudden shift to remote workforces forced by widespread COVID-19 lockdowns is giving way to hybrid workforces that are likely to be the new normal. This hybrid work era brings with it a multitude of security challenges, such as employees logging on from unsecured home networks or sharing work devices with family members. In a recent study, 74% of organizations impacted by a cyberattack pointed to remote work vulnerabilities as the cause.
The transition to remote work has coincided with a surge in social engineering attacks, such as spear-phishing. By compromising trusted email accounts, or leveraging publicly available information on sites like LinkedIn, adversaries are able to send legitimate-looking, well-crafted phishing messages that target specific employees. These attacks can be extremely convincing and difficult to detect, even for employees trained to identify phishing attempts.
To adapt to the changing workplace, many organizations are turning to zero trust principles, which assume that all users and devices are potential threats. By implementing practices such as least privilege, multi-factor authentication and network segmentation, security teams can mitigate the risk posed by their own workforce.
The First Line of Defense
Another effective approach is to invest in cybersecurity awareness and training. A workforce that practices proper cyber hygiene is less vulnerable, and alert, cyber-informed employees serve as an added layer of defense, pointing out bad practices and reporting potential threats. Here are some best practices for training a hybrid workforce:
- Implement general awareness training for all staff members and targeted, role-based training for personnel who have elevated responsibility or risk, such as IT staff, security team members and executives.
- Conduct phishing attack simulations.
- Provide insider threat training.
- Use key performance indicators to measure security awareness and training effectiveness.
MBL Technologies offers general and role-based training, including both off-the-shelf curriculums to quickly meet a compliance or technical skills gap, and custom-built programs mapped to your organization’s specific workforce development goals. We can help transform your workforce from your organization’s weakest link to its first line of defense.