As mentioned in Part 1 of this blog series, the 6 Essential Steps to Proactive Prevention are the result of over 40 years of experience, validated by prevention failures described in detail in post-incident reports AND confirmed by real-world prevention success stories from clients.
The first Step of the 6 Essential Steps to Proactive Prevention is Awareness.
More specifically, Awareness includes situational awareness and updated awareness on an ongoing basis with accountability and measurability at the individual level.
Some or most of you may be thinking that your organization has Awareness covered…YOU DON’T!
First, wipe the sand out of your eyes and ears and then honestly answer the following questions:
Does EVERY individual in your organization know:
• What a spear phishing email looks like and what to do if they receive one?
• How to keep your organization in compliance with Federal / State regulations?
• How to identify suspicious activities, concerning behaviors and potential threats?
• How to use Social Media appropriately and what information they can or cannot share?
• Their roles and responsibilities for different threats and different situations?
• How to make incident reports involving all of the above?
The news headlines and post-incident reports are jam-packed with incidents where one individual’s lack of awareness led to an expensive and embarrassing hack, fine, lawsuit, loss of clients and more.
Awareness-related frustrations are common, and the most common ones involve “repeat offenders and frequent fliers”; employees or students saying they didn’t get that email or that they didn’t know (even though they signed a piece of paper saying they understood their handbook); too many disconnects due to silos and departmental turf wars; too many meetings; decisions made in meetings not reaching the individual level; and many others.
Here is one example of many…let’s say your organization created a new or updated Acceptable Usage Policy for Mobile Devices and the policy was emailed to all personnel by the Director of your IT Department. What typically happens is that employees hastily review the new/updated Mobile Device Policy, and maybe even sign off on it because they have to…but within weeks, days or hours employees are still connecting their Mobile Device to their work PC to share or listen to music, or they are using their Mobile Device to send work-related emails – and they do not have any anti-virus software on their Mobile Device. Did creating the new/updated policy accomplish the awareness and accountability you need to prevent expensive consequences and liabilities?
Now think Social Media, Phishing Emails, Workplace Violence, At-Risk Individuals and numerous other mounting challenges where lack of awareness and accountability can lead to expensive consequences and liabilities. These are just a few examples of numerous well documented frustrations and incidents.
Lack of awareness at the individual level is most often due to ineffective status-quo training approaches (annual training, blasting out email updates, posting policies on a shared drive or public web site, etc.) and a lack of measurability of individual-level awareness and accountability. By lack of measurability, I mean that most organizations are not equipped to measure an individual’s initial awareness, updated awareness, level of understanding and accountability on a real-time and continuous basis.
If you can’t measure it, you can’t manage it! Mr. Peter Drucker made this clear a long time ago and it still holds true!
“Lack of awareness” is the weakest link and the leading cause of expensive and embarrassing information breaches (think social engineering and phishing), and to make matters worse…the bad guys know it is your weakest link, which is why they keep exploiting it! Hackers consistently gain access to organizations’ networks to steal personal, sensitive and medical information because they can find one or more unaware employees or vendors (which is what happened to Target) to open an attachment or click on an infected web link. The consequences can be very expensive; in fact, the consequences cost thousands of times more than implementing a proven prevention platform that offers individual awareness and accountability tools that could have helped prevent the hackers from gaining access.
You have a choice…you can invest in a proven prevention platform or you can take a chance and risk paying for credit report services, ongoing support lines, fines, lawsuits, negative media headlines, loss of clients, stock value losses and numerous other costly consequences. All of the previously mentioned consequences are well documented incidents that occurred even though the organizations may have invested THOUSANDS or MILLIONS in technology solutions…which continue to be easily defeated by “lack of awareness and lack of accountability at the individual level”.
Over and over again, post-incident reports reveal individuals (employees, customers, vendors, service providers, students, etc.) are lacking awareness and accountability for policies, procedures, plans, strategies, situational awareness, the latest threats, acceptable usage, unacceptable usage, guidelines, standards, regulations (federal and state), incident reporting, concerning behaviors, safety, legal due diligence, roles, responsibilities, social media best practices, Internet risks, training and more!
Don’t get caught in the status quo trap of thinking that your policies, procedures and plans are good and everyone knows them; policies, procedures and plans are only part of the solution. Policies, procedures and plans (and trainings) are basically “RECIPES” – similar to the best chocolate cake ever recipe you might have in your recipe box or cookbook. Organizations typically create their own “recipes” (or copy recipe templates from others) to guide their individuals and their organization towards achieving the best results ever. There are two big problems with “recipes”…the first is that organizations typically hand out “recipes” once a year or post “recipes” online, but they do not have a good way to measure individual-level awareness or accountability, so they have no idea what each individual knows or doesn’t know and where those individual “gaps and weak links” are. The second, related problem is that even if an individual has and understands the “recipe”, they may not be equipped with the right tools to “make the recipe or make the cake”!
To achieve the best results, all appropriate individuals (employees, vendors, customers, contractors, service providers, students, etc.) must:
• Be made aware of “recipes” and all updated “recipes”
• Understand exactly how to “make the recipe”
• Understand they are accountable for “making the recipe”
• Have access to all of the right ingredients
• Be equipped with the right tools so they can actually make the best results ever!
If you are still skeptical…perhaps you will trust IBM.
The IBM Security Services 2014 Cyber Security Intelligence Index revealed that ‘over 95 percent of all incidents investigated recognize “human error” as a contributing factor’, and most human errors are due to lack of awareness.
If you would like to learn how a proven proactive prevention platform is helping and equipping leading organizations to accomplish step 1 and improve individual level awareness and accountability, send your questions or a request for more information to firstname.lastname@example.org.