Security has always been expensive, and it's getting worse. In fact, a recent survey shows 60 percent of enterprises in the U.S., Canada, UK and Australia increased their IT security spending since last year. Of the U.S. companies surveyed, nearly 50 percent said a cyber attack would cost them $15 million.
The high price of defending against cyber attacks exposes an age-old problem in information security: how do you balance security requirements with maintaining your business's bottom line and ability to deliver service? The average business doesn't have an extensive security team or IT budget to stay on top of emerging threats – like spearphishing attacks, malware and trojans – and even large enterprises must focus the larger portion of their IT resources on day-to-day, mission-critical operations rather than on cutting-edge security.
The fact is, there's no single technology solution that will address today's most urgent security woes. Instead, companies must ensure that they're not just investing in technology, but also nurturing a security-conscious workplace culture – a “human firewall.” This human firewall has three main components: employee education, minimizing human error and getting ahead of new threats. But the main objective of a human firewall is to raise the awareness of end users or employees to such an extent that they become a solid line of defense against attempts to compromise your systems or organization. Building a human firewall is more than just providing one-off security training, and it's more than telling your users what's bad and giving them boundaries. A human firewall seeks to stop humans from being the weak point in organizational security, by upgrading users to think securely.
Education must involve every level of the organization, rather than treating security training as a compliance-based “check-box” chore; there is much debate about the value of security training anyway. We train users not to click links in unexpected emails, yet they still do, even after hours of training and publicity of the risks. Spearphishing in particular is a risk that is hard to explain to many end users, because the emails are well crafted and rely on social engineering. Educating users here is very much a one-off, point-in-time effort, which rarely relates directly to the end users' day-to-day experience in their inbox.
Decision makers need to realize that classic anti-virus vendors can't protect their business from emerging threats like spearphishing, and that the old-fashioned firewall is no longer a clear line between clean and dirty networks. To truly protect corporate data, all employees must be taught to think like security professionals, or at least to be cautious enough to think twice before acting. For example, they must treat every email in their inbox with care, and avoid clicking links that appear suspicious, out of context, or plain out of the ordinary. They must also pay attention to the URL behind a link and vet the source of the email.
IT departments are not excluded; they need education too, particularly in how to implement policies that are secure but not so restrictive that they disrupt the flow of business. IT should also be aware of its own vulnerability – for example, IT teams often hold elevated administrative privileges on the network, yet are subject to weaker controls for email attachments and internet browsing. As a result, administrators have become the de facto target for attacks, because a compromised administrator account offers an easy pivot point for gaining access inside the network.