Mar 26 2019

Flipping the Script – Users Are Your Greatest Security Asset

You’ve heard the statistics, read the headlines, fallen for the click-bait, and jumped on the bandwagon to state with conviction things like: “More than 50% of cybersecurity incidents are due to user error”, “Users are your greatest cybersecurity weakness”, “Users are the weakest link in the cybersecurity chain” – the list goes on and on.

It’s time to flip the script and understand that users are your greatest cybersecurity asset.

It’s easy to simply assign blame. And the statistics are accurate; however, the risk resides at many different levels within a company.

Typically, companies devise dynamic ‘accountability’ practices – aka punishments – by delivering training and testing employees’ cyber awareness, then imposing sanctions on failures of those metrics.

This sounds like a reasonable approach: employees are warned that punitive actions may take place if they don’t absorb the cyber training concepts and integrate them into their day-to-day activities.

The logic here is that this approach ensures the training lessons were understood by the employees as they were intended, thereby reducing the attack surface and, in worst-case scenarios, removing users from the equation.

If companies invested more in their greatest assets, they would become more than the sum of their parts.

Policies and procedures for practical remediation of adversarial threats, as well as remediation controls for accidental threats, must exist. Budget support, defined key stakeholders, and reporting lines must all be well developed to incorporate a cyber-aware culture.

By combining this with additional procedural and technical risk controls, companies can reinforce the Enterprise Risk Management Framework and reduce residual risk.

But cybersecurity isn’t easy. In fact, the name ‘Layer 8 Security’ comes from an inside joke about just that, which I’ll briefly explain.

There are seven layers to the Open Systems Interconnection (“OSI”) Model.

The informal eighth layer, at the top, is typically considered the ‘User.’ Us. Human beings.

We base much of our philosophy around the human layer of cybersecurity, and have that same focus when we serve our clients.

This starts at the C-Level and trickles down and across the organization.

It means doing things such as instilling the cultural directives, ensuring awareness via training, instituting security and privacy in a structurally sound lifecycle framework, and recognizing individuals who make a difference – building a community of cyber-aware employees who work together in a fun, engaging, and rewarding experience to become your greatest cybersecurity asset.

The method that we use in our Information Security & Privacy Framework combines education to ensure awareness, quizzes to challenge and enforce recognition of threats, policies and procedures on reporting incidents, and recognizing when an incident was averted by a user.

There are more than a few factors that combine into a layered defense plan to combat the relentless onslaught of cyber threats.

By using your greatest asset – the user – you can deploy yet another powerful layer to help proactively “identify, protect, detect, respond, and recover” from threats and, ultimately, reduce risk.

Image by Alan O’Rourke