As an organization focused on delivering effective security awareness training and changing employee behaviors, we’ve long emphasized the end user’s role in creating a strong security posture. We’ve also spoken about how end-user risk management involves everyone — including IT staff. Infosec professionals traditionally define “end users” as non-IT employees. But IT is not immune to human error. Technical safeguards are essential, but implementation, management, and patching of security hardware and software all require human hands. That’s why we strongly believe in creating a culture of security in which cybersecurity becomes an end-to-end, side-to-side pursuit — an approach that requires a marriage of strong technical components and a focus on changing the lax user behaviors that elevate risk.
Identifying Avoidable Issues
The recent Cyber Incident & Breach Trends Report by the Online Trust Alliance (OTA) echoes this message. The OTA’s analysis of security breaches reported through Q3 of 2017 “found that 93% were avoidable, which is consistent with previous years’ findings.” This indicates that, though the number of incidents is continuing to grow, organizations have many opportunities for prevention and avoidance across all levels and job functions.
According to the OTA report, these are the “key avoidable causes for incidents”:
- Lack of a complete risk assessment, including internal, third-party, and cloud-based systems and services
- Not promptly patching known/public vulnerabilities, and not having a way to process vulnerability reports
- Misconfigured devices/servers
- Unencrypted data and/or poor encryption key management and safeguarding
- Use of end-of-life (and thereby unsupported) devices, operating systems, and applications
- Employee errors and accidental disclosures — lost data, files, drives, devices, computers, improper disposal
- Failure to block malicious email
- Users succumbing to business email compromise (BEC) and social exploits
Getting Back to Basics
The report advises that organizations of all sizes need a stronger focus on cybersecurity fundamentals in order to reduce the number of avoidable incidents. Equifax’s breach is called out as an example in the study, with the OTA stating that the incident “not only underscores the breadth of the problem and its cause (lack of basic security update actions), but highlights how rigor may be lacking even in organizations we view as expert.”
According to the report, “Preparation includes an overall culture of data stewardship through all phases of the data lifecycle — from collection, to storage, to use, to transmission, to destruction/archive.” These are the fundamental principles the OTA advises all organizations to acknowledge in their pursuit of cybersecurity readiness:
- All businesses collect some form of sensitive, valuable information
- Cyber incidents will occur
- Data stewardship, privacy, and incident readiness are everyone’s responsibility
- Data management and privacy practices need continual review
- Every organization needs to have a current, tested response plan
- Ongoing employee training is a critical key to success
The OTA also emphasizes the “economic value of readiness,” which will only become more apparent with standards like the General Data Protection Regulation (GDPR) in the mix.
For more advice and guidance, access your free copy of the OTA report here.