How to spot your biggest security threat? Just look out for the humans
If you’re wondering why, here’s a primer
Sponsored Post How would you describe the biggest security threat to your organization? Perhaps you envision a faceless cybercrime syndicate or hostile state. Or a humming botnet, remorselessly probing your systems.
As SANS Institute senior instructor Lance Spitzner explains in this analysis of Verizon's latest Data Breach Incident Report (VZ DBIR), your biggest security threat is actually the humans you work with day in, day out.
The VZ DBIR has provided a global, vendor neutral insight into the most common drivers of cyber security incidents and breaches for the last 15 years, enabling IT and business leaders to make data driven decisions on the greatest risks facing their organizations, and how to manage them.
The latest report shows 82 percent of breaches involved a "human element", in the form of stolen credentials, phishing, misuse, or, perhaps, most frustratingly, user error.
Credential problems account for almost half of non-error, non-misuse breaches, while phishing accounts for almost a fifth. And almost 20 percent of breaches are down to "simple mistakes" such as emailing the wrong people with sensitive data, or misconfigured cloud accounts.
Vulnerability exploits, by contrast, account for less than 10 percent of attacks.
Does that mean we should stop worrying about vulnerability management and botnets, and switch to an entirely introspective defensive posture?
Of course not, because the same criminal enterprises who are exploiting software vulnerabilities are invariably the same ones who are exploiting human vulnerabilities too.
But you can ensure those risks are baked into your overall security strategy by developing a Security Awareness Maturity Program that doesn't just seek to make people comply with a series of tick boxes, but actively changes their behavior and ultimately creates a secure culture.
And you can start with SANS Institute's course, Managing Human Risk: Mature Security Awareness Programs, which draws lessons from hundreds of such programs around the world.
Led by Lance himself, this two-day program will help you understand the Security Awareness Maturity Model, and how you can apply it in your organization, in line with its strategic priorities.
You'll learn how to balance awareness, education, and training, and take your own program to the next level. And it will show you how to assess your human risks, and the appropriate ways to manage them.
Employees don't operate in a vacuum, so you'll also learn how to leverage up the minute Cyber Threat Intelligence and understand the tactics and techniques attackers use in human-centered attacks.
All of which will set you on the path to not just changing your workforce's security behavior but changing its underlying culture.
Being human, you have other demands on your time, so you'll be pleased to know the course is available in person at SANS events, as well as its Live Online, and OnDemand platforms. So, why not head here and choose the right program for your organization, and all its vulnerable humans.
The SANS Annual Security Awareness Report is now live. Download it to unlock actionable insights to growing and maturing your security awareness program to excel at Managing Human Risk.
Sponsored by SANS.