By DAVE COURBANOU
The chief financial officer or chief information security officer building out a company’s security budget might wonder just how much money is needed to do it right – and frankly, how much money will be wasted.
It’s the right thing to be concerned about – it can be overwhelming. It may be enticing to simply look for a turnkey cybersecurity package that promises complete protection from the firewall to the endpoint, e-mail and beyond, but with such a wide swath of threat vectors to protect against, is a security package the right move? Is it too much, or maybe not enough?
Simply put, if there’s no budget put toward employee awareness training, it’s not going to be enough. Cybersecurity is much more than a technology problem. It’s an issue of human behavior, and even more so changing human behavior, which is hard to do.
A computer can be secured with antivirus protection, a company’s resources can be protected with backups and redundancy, a company firewall can be aggressive and hardened – but none of that technology can stop a human from clicking a link they shouldn’t click and giving up a password.

In addition, technology designed to protect a company internally doesn’t prevent an employee from making mistakes externally, whether it’s doing business over an unsecured WiFi hotspot or forgetting to use the company’s virtual private network.
That’s why the security budget should also help to build good habits. This investment is invaluable and pays for itself in a short amount of time.
Beyond the regular gamut of awareness training – how to recognize a malicious e-mail, text message or similar phishing scam, for example – you’ll also need to show employees a clear and simple path forward when these situations occur. At the core: never hesitate to contact the IT Department.
Sometimes we’ll hear “we didn’t want to bother IT,” or something similar about how notifying the IT Department seemed like more work than it was worth. We’ve tried to impress during our in-house training that it’s never a waste to contact IT. Compare the time and effort of reviewing a potential phishing e-mail to the time and effort of cleaning up one successful phishing attack, and it’s clear that checking with IT is never wasted time.
Incentivizing the reporting of spam and phishing attacks can be a great way to provide a positive feedback loop and reinforce good habits. Something as simple as a “kudos” e-mail that lets everyone know an employee is a super-sleuth, or perhaps a gift-card bounty at the end of the quarter for “most spotted spam,” can go a long way to building an entire ecosystem that protects itself.
It’s equally important to not over-punish those bad habits. Don’t make employees afraid to come forward and admit a mistakenly clicked link. Instead, compassion, attention and education should help prevent the user from making the same mistake twice.
Such opportunities can also lead to educational one-on-one sessions. Making things personal can help leave a lasting effect that prevents future incidents.
In the end, money is only wasted in the cybersecurity budget if you’ve forgotten the most important element – the human element. Building a culture of security is ultimately the best way to utilize your budget.
Dave Courbanou is IT administrator at Intelligent CloudCare, a division of Intelligent Product Solutions, and the head of CloudCare University.


