Minerva Studio - Fotolia
With all the defenses thrown at information security, most organizations are just a click away from an employee downloading potential malware and undetected viruses. Yet, according to a CompTIA survey of HR professionals, only one-third of U.S. organizations require cybersecurity awareness training for employees. And in more than half of the companies surveyed, it’s the CIO or director of IT who decides whether to provide mandatory security training. What exactly is going on?
Spear phishing is suspected as the lynchpin that started the Sony Pictures Entertainment hacking incident -- an employee likely opened a targeted email and clicked on a malicious link. The hackers stayed in the movie studio’s network undetected for months, according to several reports, including a detailed account in Vanity Fair, mapping the infrastructure and preparing to hold the company’s data “hostage.” The attackers made their presence known in late November with vague demands, and then released humiliating data publicly over several agonizing months in a series of eight information dumps.
Think you’re immune to this type of scenario? Not so, warns the SANS Institute’s CTO Johannes Ullrich, who heads the Internet Storm Center, in his cover story on emerging cyberthreats. Crypto ransomware, which has proved lucrative for attackers, is likely to target more enterprises in the year ahead.
In addition to preventive strategies like education, security researchers such as White Ops’ Chief Scientist Dan Kaminsky are talking about faster detection and response to socially engineered intrusions. Sally Johnson interviewed Kaminsky for her article on the dynamics of social engineering and found a shift in defense strategies toward data-centric protection mechanisms.
Lack of cybersecurity awareness is becoming less acceptable. In addition to calls for shareholders to hold the top executives accountable for costly data exposures, similar tactics can be employed with third-party vendors. Organizations should require the CEOs of contractors to sign off on all service-level agreements, Rebecca Herold tells Marcus Ranum in a wide-ranging Q&A on data security and privacy best practices. Herold, CEO of the Privacy Professor, has conducted numerous surveys for clients that indicate third-party IT technicians who are responsible for enforcing service-level agreement security measures have no idea what’s actually been promised in the respective agreements.
While companies continue to throw money at information security, many enterprises could get away with fewer security staff if they focused on getting the basics right. At least that’s the view held by John Pescatore, SANS’ director of emerging trends, who feels that way even though he works for a global security training and certification institute. Technology journalist Alan Earls interviewed Pescatore, among others, for his in-depth look at cybersecurity hiring trends.
So what’s the upshot to all of this? Little to no training, lack of cybersecurity awareness, and being uninformed are no longer tolerable excuses for vulnerabilities that expose organizations, and the sensitive data they are responsible for protecting to damaging breaches, even when the security weakness is traced to a third party. As Derek Bok, who twice served as Harvard University president, once said: If you think education is expensive, try ignorance.