Building a cyber resilient workforce is critical to the cyber security program of every company. According to Verizon’s 2022 Data Breach Investigations Report, “This year (2022) 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.”
In this report we will discuss business best practices for the following three areas that help create a cyber resilient workforce:
- Candidate Screening Practices
- Cyber Training
- Testing of the Workforce
When screening candidates, it is important to identify the types of information and systems they will have access to based upon their job role, as well as the impact on security they could have if they became an insider threat to the company. Criminal background and employment history checks can be used to identify past fraudulent behavior. Additionally, determining whether the candidate was honest in disclosing any criminal history can be an indicator of whether they are trustworthy. Credit screening (where allowed by law) is another pre-employment check that can identify motives for financial fraud within a company.
Security awareness training has been around for a long time. Traditionally, training is given to staff upon hire and annually thereafter. While that does satisfy most legal and regulatory requirements, the industry has shown that more frequent training benefits the workforce more than once-a-year training. Additionally, not all training is created equal: it is important to review the training offered and determine whether it contains interactive content that is engaging and helpful to the end user.
Email spam filters and other technologies have been developed to help organizations deal with phishing attempts against their employees, but no technology will ever block 100% of phishing email. That is why it is so important to test the workforce, identify weak areas, and use the results as an education opportunity to strengthen your information security. Those who fail the phishing tests should receive additional training to help them better identify phishing emails in the future. Additionally, those who recognize the email as phishing but do not properly report it should be educated that every phishing attempt needs to be reported so that the email can be removed system wide: while they did not fall for the attempt, others within the organization might.