As the old infosec adage goes, "people are the weakest link in the cybersecurity chain." Clearly, enterprise security professionals agree with this statement. In a recent ESG research survey, enterprise security professionals were asked to identify the factors most responsible for successful malware attacks. It turns out that 58% pointed to "a lack of user knowledge about cybersecurity risks," the most popular answer by far (note: I am an employee of ESG).
This data is not unusual; security professionals often bemoan end-user cybersecurity behavior. They don't pay attention in training classes, they click on suspect links, they are easily fooled by social engineering tactics, etc.
Yup, naïve employees are certainly part of the problem, but here's a news flash: that's not going to change. Cybersecurity threats evolve rapidly, so much so that many infosec professionals can't keep up. Given this, how can we expect any more from employees?
It's time to take a realistic and pragmatic approach to employees and cybersecurity. How? Based on my discussions with numerous CISOs, best practices in this area include:
When I started my career at EMC back in the late 1980s, then CEO Dick Egan used to say "sales is part of everyone's job description." Enterprise organizations need to communicate a similar message with regard to cybersecurity and back this up with a commitment to continuous education, cultural changes, the right tools and awareness campaigns, a team approach, and a little bit of show biz.