
Published on October 18th, 2021


Businesses need to invest in education to tackle cybersecurity



A view of London, sites and businesses. Image by Tim Sandle (Digital Journal).

October 2021 is Cybersecurity Awareness Month, an opportunity to remind enterprises of the importance of securing their organizations against today’s top security threats.

Looking into the 2021 themes for Digital Journal is Matt Sanders, Director of Security at LogRhythm.

Sanders explains that: “Cybersecurity Awareness Month serves as a great reminder for enterprises to recognize the importance of securing their organizations against today’s top security threats.”

On the 2021 focus, Sanders explains: “This year has been a hotbed for cybersecurity hacks and breaches, with increased attacks on our government and critical infrastructure entities like we have seen with the Colonial Pipeline, SolarWinds, JBS, the attacks on California and Florida water systems, and many others.”

The escalation of attacks is a matter of significance, Sanders adds: “Though attacks continue to rise in numbers and impact, companies are still not prioritizing cybersecurity. A report earlier this year found that just 7 percent of security leaders report directly to the CEO, revealing an inability for security leaders to influence real change within an organization. In order for organizations to achieve the necessary organizational visibility and influence to effectively build a security program and mitigate increasing threats, security leaders such as CISOs and CIOs must report directly to the CEO. This structure allows the CISO to directly communicate potential risks to the organization, mitigate potential risks and influence each function in the organization to create greater security awareness.”





Following on from this point about business awareness, Sanders states: “While it’s essential for CEOs and security leaders to be aligned, everyone within an organization has a responsibility to protect the data and systems they access. Because people are the last line of defense against attackers, all employees should be trained by their organization on how to identify and avoid attacks, including phishing emails, insider threats, social engineering and web browsing risks. In addition to identifying attacks, it is important that employees know how to report suspicious activity and feel that their reports are appreciated for helping to protect the organization.”

There are other measures that need to be considered as well. Sanders recommends: “Organizations should also remind employees of policies regarding securing mobile devices, BYOD, protecting passwords and improper use of equipment. Sometimes these policies are ignored or intentionally bypassed without security teams knowing because users find them inconvenient, leading to greater security risk. It is important to explain why these policies are in place and how they help to protect the organization.”

Looping these themes back to the October events, Sanders says: “This month is a great opportunity for security leaders to revisit how they are communicating with their CEOs on security priorities and for organizations to prioritize security education and training for their employees.”

Other ideas to consider include: “While the relationship between CISOs and CEOs is necessary for prioritizing security from the top-down within an organization, training and awareness of all employees is a bottom-up approach. When both approaches are executed, organizations can build an effective security program and reduce risk to the business in the face of persistent security threats.”
