Nearly all major data breaches and ransomware incidents have human error as a common component of root cause. Many security professionals secretly think: "If I could just get rid of the users, I could have perfect information security" or say: "the root cause of all security incidents is always between the chair and the keyboard." Obviously, this is neither reality nor an effective strategy.
I prefer to take a more optimistic approach and believe that your user base can become the #1 control in your security strategy and help resist cyber-attacks if you:
Provide successful security awareness training
Harden your business processes against attack
Inspire critical thinking for your employees
Tip #1: Teach employees about protecting their credentials
Cyber attackers always want to compromise your employee's IT credentials as the first step in a data breach or major ransomware attack. That's why the Cyber Attackers send spear phishing emails to your user base, using social engineering to trick your workforce into typing their username and password into what looks like a corporate website or cloud service like Office 365. An industry best practice is to educate employees through security awareness training on how to spot these social engineering and phishing email tricks, and try to prevent the attackers from being successful. However, whether your company is 380 employees or 380,000 employees, you will never achieve 100% resistance against these attacks because the threat is always changing their tactics.
Most companies are considered best-of-breed in security awareness training if they can get 90% of the employees properly trained. All it takes is one employee to fall victim to a phishing or social engineering attack, and the first step in the attack is completed. Security Awareness is absolutely a "must do", despite being a great investment in time and resources. But you still must be prepared for that 10% failure rate and have a backup plan to backstop these mistakes.
Recommended Technology Backstops:
Multifactor login for an additional factor of authentication stops more than 90% of threat actors from compromising your employee's credentials.
Use modern network access controls, such as Zero Trust Models, that identify not only that the user is approved, but the machine the employee is using to login is also approved to connect to your corporate network.
Ensure your password reset process is secure and can't become a point of attack.
Design your login procedures to have a technical limit for unsuccessful attempts so threat actors cannot use brute force via endless password attempts.
Tip #2: Build business processes that are "hack proof"
Many successful cyber-attacks target your insecure business processes rather than just the IT systems that support those business processes. Some of the most lucrative attacks involve a threat actor sending a fake email to a finance organization employee appearing to be from the CEO or CFO, which then directs them to electronically transfer funds to their own rogue bank account. Another popular attack vector is to compromise one of your vendors' email systems and submit fake invoices to your accounting office, which are then paid without any real due diligence or official approvals.
While the cyber component of the attack is sending the fake emails, the true vulnerability being exploited is in the management process itself. No matter how large or small the company, there should never be a transfer of funds or payment of an invoice approved by just an email. A formalized internal approval process, that is not public facing, using an accounting and/or finance application to manage approval workflows is one way to prevent such attacks. You can apply this logic to any business process that might appeal to both internal and external threat actors.
Tip #3: Nurture critical thinking and anomaly detection in your workforce
Security awareness training alone is not enough. Teaching employees to look for threat attack vector patterns will have a short-lived time of value as the threat will continue to evolve their techniques and methods of attack. Critical thinking skills should be one of the top attributes employers employ in the hiring process. Critical thinking is defined as "objective analysis and evaluation of an issue in order to form a judgement."
In this context, we hope the "judgement" our employees form is to interpret anomalies as potentially high-risk, and then take the appropriate actions to mitigate that risk. We have observed many social engineering calls where the threat actor portrays themselves as IT support. While we can train our workforce to "be on the lookout" for this type of social engineering, it does not require much effort for the threat actor to change tactics.
So, instead of just training your workforce for the known threat, you should also encourage them to use good judgement and apply critical thinking to avoid problems or report any anomalous activity. Critical thinking can be nurtured in the workplace, but not necessarily taught in many cases. Many companies are using advanced testing during the hiring process to identify candidates with advanced critical thinking skills. I believe it's a good strategy to make this a hiring imperative, and then nurture a culture that rewards good judgement.
The most effective security strategies require multiple layers of protection. So, taking a comprehensive approach to investing in training, technology, process hardening, and strategic hiring will make your workforce your most valuable security control.