Though an organisation itself will bear the brunt of the consequences of such attacks, it should not just be the responsibility of the organisation to prevent cyber attacks. Organisations should make sure that their employees are aware of the risks and how to prevent them and, therefore, education is key. Further, a marriage between user awareness and technology is needed for increased vigilance and improved cyber security. I spoke to Simeon Tassev, MD and QSA at Galix, about the importance of user awareness and education, addressing user behaviour and the responsibility of both users and organisations in addressing cybercrime.
Simeon Tassev: The main reason is the clear responsibility for the security awareness training - is this an IT, IS or HR responsibility? Once the responsibility is defined, the proper security awareness programme needs to be implemented and not just an exercise to "tick the box".
Tassev: Clear security policies and procedures need to be defined by the CISO and enforced by the relevant department heads and HR. Bad user behaviour affecting the security of the organisation needs to be a serious offence with serious consequences including dismissal.
Tassev: The employee needs to be accountable for his actions provided that the employer has the relevant policies and security controls in place.
Tassev: Technology should be an essential part of the security awareness programme, allowing for simulated security breaches and easy access to relevant documentation and training materials. Technology should also be used to prevent potential security risks due to human behaviour.
Tassev: A good user will try and understand the security policies in place and the potential impact of his actions.
Tassev: Think before you do (you didn't play the lotto, so you can't be winning). Question it if somebody asks you for personal information (why do they need it, are they supposed to have it?). Ensure that you have valid anti-virus software before connecting to the internet.