With limited IT budgets and increasingly stringent regulations governing data breaches and the processing of personal information, deciding how best to implement a cyber defense strategy is difficult. Most cyber defense products fall into one of two categories: user security awareness training or cyber security software. In this post, we explore some of the advantages and disadvantages of each approach to a cyber defense strategy and provide some suggestions on how to build effective defenses for your organization.
The Case for Training
According to RSA’s Quarterly Fraud Report from Q1 of 2018, 48% of observed cyber attacks were phishing emails, while other sources estimate that 95% of successful cyber attacks start as a phishing campaign. This success rate is unsurprising when you consider that 30% of users will open a phishing email, and that 11% will click on a malicious link or open a malicious attachment. Defensive software can be of limited use against phishing emails, since the emails take advantage of human psychology to achieve the attacker’s goals and may be virtually indistinguishable from legitimate messages.
Phishing emails are only the tip of the iceberg when it comes to threats arising from end users. As acting in a security-conscious manner usually requires extra time and effort, security and usability are often seen as being in conflict. It is also not uncommon for malware authors to bundle malicious code within other software and offer it free or at a steep discount to induce people to use it. Antivirus programs slow down computers, while proper password hygiene requires users to maintain different strong passwords for each account. Untrained users, who can disable or bypass many of the technological defenses, can be an organization’s greatest cybersecurity weakness.
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/lxssQBvmB2s/