Cybersecurity professionals commonly blame the end user for being the top area of risk in securing the organization. Systems and software are in our control, but end users are unpredictable. They expand our threat surface to each geographically dispersed user, personal device, and their potential for making errors that impact our security. Obviously, threat actors target our users with real-world bad outcomes. But what is also obvious is that we cannot train our way out of this problem. Fortune 100 companies pour significant investments into annual user security awareness training, and still, they suffer breaches.

Fact: your users are a major risk factor. According to Verizon’s 2022 Data Breach Investigations Report, 35% of ransomware infections began with a phishing email. So, focusing primarily on securing the end user isn’t an effective strategy.

Fact: This is despite aggressively increasing investments in security awareness training over many years, which is expected to continue. The cybersecurity awareness training market is projected to grow from USD $1,854.9 million in 2022 to USD $12,140.0 million by 2027, a CAGR of 45.6% from 2022 to 2027.

Fact: Despite all these investments, ransomware (just as one attack type example) is also expected to grow aggressively, despite many organizational efforts including training end users.

Sad, unavoidable fact: our users are still going to make mistakes; we are all human, after all. A survey conducted to prove the need for more security training, in my view, proved its inability to stop the cyber crisis: four out of five surveyed had received security awareness training, yet between 26% and 44% (based on age demographic) continued to click on links and attachments from unknown senders anyway.

From these facts, we should conclude that organizational security must not rely heavily on securing the end user, and in fact, should assume they will be breached and begin securing systems with this assumption in mind. And, in the end, even if an end user is breached, the amount of systemic damage that is done by that compromise should not be possible if proper security measures are employed and orchestrated correctly.

Should we be training our end users? Absolutely, emphatically, yes. Strong security requires a layered approach, and that means fortifying your security by working to secure every doorway to your organizational systems. We would likely see even more large breaches without this training.

But we must start looking at our security in a way that helps remove end user risk from the equation without a reliance on them to do the heavy lifting.

For many organizations, this requires some difficult choices and significant leadership endorsement of these choices. Organizations must work to block access and orchestrate security controls. Systems are too open by default; we must make them closed by default, evaluate each for risk, and then allow them with full intentionality. Users can’t click or open what they don’t have access to, and in the organizations we assess or remediate post breach, we see employees and systems having far greater access and risk exposure than is necessary in the course of work.