5 Powerful Tips to Boost your last line of defense and Security Posture

Written by djonon

14 December 2022


Companies, regardless of their size, are targets of cyber-attacks; after all, you only need to check the news to realize how serious a problem this has become. According to Varonis, 2021 saw a near 50% increase in the number of weekly attacks compared to 2020, while the average cost of a data breach rose to a 17-year high ($4 million per year) in 2021. What is very interesting is that, although phishing has been around for at least a few decades, the majority of data breaches still have phishing at their core. Therefore, everyone within the company must be aware of this and actively participate in the protection of the organization's sensitive data.

Regardless of how good our security technology is or becomes, a percentage of attacks will slip through the technology or bypass it entirely. Wherever the interaction is not machine-to-machine, humans are your last line of defense. Not training employees is therefore unwise and negligent.


How Organizations can Build their Last Line of Defense and Boost their Cybersecurity Postures

Here are some tips that can help security teams build their last line of defense and boost security behavior in their organization.

#1. Instill a behavior change in your employees through a comprehensive cybersecurity awareness training program

Improving the security posture of your organization starts with establishing a comprehensive cybersecurity awareness program. Your security awareness program should address the ever-important "why." Why should people care about it? Why would it appeal to them in the first place?

Your security awareness program should encourage your employees' participation in adopting good cybersecurity practices, including the drafting of an effective data protection policy. Its content may vary depending on your organization's sector of operation; however, it must be clearly written and understood by all. Employees must know which data is considered sensitive within the organization and how to protect it effectively.

Also, instead of traditional classroom exercises, VirtualDoers recommends that employees be subjected to simulated phishing attacks. Simulated phishing attacks have the advantage of providing a fail-safe environment for your employees, allowing them to fully understand the consequences of their actions and form corrective behavior. Repeating such simulations over time creates reflexive behavior in employees that helps them make the right security decisions, no matter the type of distraction. This healthy form of skepticism must be embraced, encouraged, and celebrated at all levels and should serve as an important foundation of the organizational culture and routine.

#2. Ensure that your cybersecurity awareness training program is Kept Relevant

Organizations need to understand that their employees are human, and that different people across the organization have different levels of sensitivity, competency, and security maturity; businesses must therefore build their programs around this.

There have been stories of organizations imposing sanctions, including suspension, on employees who persistently fail security tests. The question is whether it is really the people who are at fault. "Both employers and employees are on the same journey; employees rarely actively seek to harm their organization. If employees are failing tests repeatedly, the best way to consider this is to understand why, so their engagement and related security behaviors can be addressed."

Employees inclined to poor security hygiene habits, or who exhibit lower security maturity or competency, may need personalized coaching and handholding. Dishing out blame will not work. There is a real danger that, in handing out blame, you could weaken your organization's security.

Furthermore, naming and shaming should only be used as a last resort. If a serious security situation arises, some blame may be appropriate. There should be consequences for gross negligence or willful failure to follow policy, but these should be in extremis, not routine.

#3. Put in place an effective Communications and Messaging system

Getting your employees to engage in your cybersecurity program requires education and patience. It is a long-term communication process. You can, for example, remind your employees about security rules in the newsletters sent to all employees, put up posters and stickers in common areas, or provide employees with materials that they can freely consult when necessary.

IT security breaches in businesses are often the result of human negligence. It is therefore essential to educate your employees about cybersecurity, with appropriate training and communication for educational purposes.

At VirtualDoers, we can help with all aspects of your security awareness program requirements: tailored training programs through our educational services, email security, security compliance, managed security services and more. Communication and messaging are the visible face of a company, and security teams often lack soft skills. A positive tone and attitude go a long way, especially in the context of security training. As mentioned earlier, be extra cautious to avoid shaming employees if they fail a test. The entire process must be healthy, transparent, and thought-provoking. Security staff must ensure they have processes in place that encourage employees to reach out without fear of being reprimanded.

#4. Be Honest About Your Goals and What the Culture Will Tolerate

Be honest and transparent about your goals to the wider organization. Use metrics where possible to highlight the current state of security and the expected security outcomes. Also, security awareness training never occurs in a cultural vacuum. Get key stakeholders and senior management on board, since culture is typically driven from the top down. Stress goals repeatedly, because behavior change cannot be sustained without constant reinforcement. Measure things (before and after) so that you can report them and tell people about the success of the program. Start by giving them a sense of purpose and reinforce that with a sense of achievement; people feel good when you bring them quantifiable numbers and show them how well they are doing.

#5. Give Your Last Line of Defense Tools to Succeed

Provide employees with the tools they need to succeed. Studies show that when employees are given a simple "phish alert" button, they are able to report phishing emails with a high degree of accuracy. Similarly, having a security hotline in place can help immensely, because users are often hesitant to report phishing activity due to a lack of transparency in the IT process and a lack of swift responses from security teams. Some simulation tools even provide visual cues, such as social engineering indicators or red flags, that show employees what they could have done better once they have been successfully phished.

It is time to step up our game. Unfortunately, even when organizations implement a security awareness training program, they often fail to do so as effectively as possible, for a variety of reasons, but primarily because they have not successfully bridged the gap between awareness and caring, or the gap between knowing and doing. As an industry, we can do better, and we certainly have a lot to gain by doing so.
