At the same time, the very words "Cyber Security review" conjure horror, fear and trembling in most IT professionals' minds; the thought that they may have to implement yet another series of security systems, protocols and processes is truly dreaded. What's more interesting is that when you talk with companies who have suffered a cyber security breach, the majority will admit that the breach was caused by an end user: people like you and me, people who are not malicious but have tech needs the corporate IT structure cannot meet.
That means the next security breach will be the result of something either you or I did: the inadvertent click on a link in an email, the website we browsed (or were directed to) at lunchtime, or that attachment we opened. The list is endless, the hackers too numerous to count, and the security controls and guards far too few. Added to all of that, when "The Cloud" started to permeate organisations, many Security Managers, SysAdmins and SysOps practitioners discovered there were new ways of doing things, new ways of securing things - and, obviously, new ways around the controls already implemented.
Perhaps it is also time to change the way we approach cyber security. If, as the statistics show, security breaches are mostly caused by end user actions, why not take a different approach? Perhaps we need a new operating paradigm. One example could be regular non-technical seminars highlighting new threats and trends, or an internal website with articles about new and emerging threats. Another idea could be a "Scoreboard" with a running tally of the total number and type of threats, and other interesting information, that company employees have received, spotted, stopped or blocked. I can visualise the end of year awards already - "The winner of highest number of malicious email attachments NOT opened this year goes to Joan in Accounts".
Human nature is to resist or question the system, so making users part of the solution is only one of the many ways to counteract the increasing attacks on our computer systems. We like to be part of a team; in fact, we're told to be team players. At the end of the day it's a matter of us, every member of the organisation, versus them, the hackers.
*“ITRC Data Breach Reports – 2015 Year-End Totals” | ITRC