This immediately poses the question: are you and your service providers training users on cybersecurity? We need employees to master security, not merely to be aware of it. The employee awareness programs that most auditors look for are a good start, but they are not enough to ensure that your employees act as a trusted line of defense. Trust but verify! With successful Business Email Compromise (BEC) scams on the rise, paranoia is the only effective defense.
This is the 8th post in my Secure Translation series, and this time I am discussing the lack of strong employee security training.
As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
- Threat: Companies are tempted just to check the box when it comes to employee training as part of regulatory compliance. Unfortunately, just caring about compliance is not the same as caring about security.
- Asset: All digital assets are at risk when employees are not highly trained on security issues.
- Vulnerability: Users with access to confidential information do not truly know how to combat security dangers like phishing.
- Risk: The impact of any single employee not knowing how to actively fight threats like phishing is the highest security risk companies face today. The likelihood of this happening is extremely high, with attacks now so sophisticated that even information technology professionals fall for phishing scams.
- Safeguard: Actively craft your own internal ethical attacks; collect statistics such as the percentage of employees failing to identify threats over time; share the statistics openly; and personally help those employees who have trouble recognizing threats. Make sure not a single user is left behind. Work with staff, vendors and even contacts for mastery, not for punishment. Do not just ask your service providers for audit reports and certifications; in addition, ask them for their specific employee training program and proof that such continuous training is happening. Furthermore, demand proof of the ethical hacking drills performed internally. A service provider such as a language service provider cannot provide secure services like secure translations unless it has a highly qualified cybersecurity program in place. If a single employee or vendor falls for a phishing attack, for example, such a provider cannot provide secure services. If such providers do not have an ethical hacking drill program in place, they cannot keep your information safe.
You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers, but also to help engineers reduce organizational risk through sound security measures.