By News Staff
Cybersecurity is a shared responsibility. While technology plays an important role, organizations can't rely on it alone. According to Verizon's 2023 Data Breach Investigations Report, 74% of all breaches involve the human element: people unwittingly fall prey to threat actors by way of error, privilege misuse, stolen credentials, or social engineering.
"One of the biggest myths is that technology alone can protect you," says Fred Kwong, DeVry University's chief information security officer. "Unfortunately, that's just not the reality. Education and awareness are essential."
To build a strong security culture, organizations need to focus on people and processes in addition to technology.
The first step is creating an inventory of your systems and data.
"You can't protect what you don't know about. If this task seems too daunting, break it down. Start with what your business considers as critical systems. These should include those that help operate the business, but also systems that contain the most sensitive data."
Kwong says it's critical for organizations to assess vulnerabilities and risks to prioritize their efforts. Implement tools like firewalls, antivirus software and multi-factor authentication to strengthen your systems and network.
"Threat actors are continually using different attack vectors to gain access. Unused services are often left in a default state which can be prone to compromise. Securing systems should include the use of enhanced authentication to the devices as well as encryption capabilities. Technologies such as firewalls, endpoint detection and response and antiviruses are key components to help provide a robust defense."
Next, review and control access to accounts, credentials and data. Practicing disaster recovery and cyber resiliency is another key component of cyber hygiene.
"Organizations need to ensure in the event of a disaster or a significant disruptive cyber event, they are able to quickly restore their systems and network to continue their business. Response readiness is key to minimizing impact."
The final step in your process should be education and training.
"Employees are the first and last line of defense when it comes to cybersecurity. Ensure employees are trained on how to identify threats and protect data," adds Kwong.
But education shouldn't happen only at the beginning of an employee's work cycle. Organizations should provide continuous reinforcement for everyone in the organization, at all levels, through awareness and phishing campaigns to keep security top of mind.
No doubt, with the right blend of people, processes and technology, you can build a cyber-resilient culture. Focus on understanding your systems and vulnerabilities. Reinforce your systems and control access, monitor vigilantly, prepare and practice your response, and engage employees through education and awareness to make security second nature.