Organizations need to focus on education and training rather than blaming employees for security gaffes, according to the speakers in a panel debate at Computing's Enterprise Security and Risk Management Live event. John Leonard, who covered the event, says that all the speakers agreed that organizations need to increase cybersecurity provisions and awareness training to build a culture of security.
“Right from the time that you employ someone, you need to make clear ‘this is what we think your responsibility is towards the overall security of our company,’” said Dr. Louise Bennett, management committee member of the Information Assurance Advisory Council (IAAC). “You need people to understand what they are responsible for, what the IT department is responsible for, what the management team is responsible for, and what you're expecting your provider to be responsible for. You need absolute clarity on that.”
Andjela Djukavonic agrees that employees can benefit from knowing everyone’s responsibilities, because this lets them know who to turn to when they have a security concern. For instance, if someone is unsure of an email’s authenticity, it’s essential that they know who to ask about it. If it’s a phishing email, it could compromise the organization’s security. If the email is legitimate, ignoring it could disrupt business operations. “It's knowing who to talk to about it and where to send the email on to so it can be checked,” Djukavonic says.
Employees who have a good understanding of their coworkers’ roles are far less likely to be tricked by certain social engineering attacks. New-school security awareness training can educate employees on these different responsibilities and foster inter-department communication.
Computing UK has the full story (registration required): https://www.computing.co.uk/ctg/news/3066984/stop-blaming-the-user-for-cybersecurity-failings