With limited IT budgets and increasingly-stringent regulations governing data breaches and the processing of personal information, the decision of how to best implement a cyber defense strategy is a difficult one. Most cyber defense products fall into one of two categories: user security awareness training or cyber security software. In this post, we explore some of the advantages and disadvantages of each approach to a cyber defense strategy and provide some suggestions on how to build effective defenses for your organization.
The Case for Training
According to RSA’s Quarterly Fraud Report from Q1 of 2018, 48% of observed cyber attacks were phishing emails, while other sources estimate that 95% of successful cyber attacks start as a phishing campaign. This success rate is unsurprising when you consider that 30% of users will open a phishing email, and that 11% will click on a malicious link or open a malicious attachment. Defensive software can be of limited use against phishing emails, since the emails take advantage of human psychology to achieve the attacker’s goals and may be virtually indistinguishable from legitimate messages.
Phishing emails are only the tip of the iceberg when it comes to threats arising from end users. As acting in a security-conscious manner usually requires extra time and effort, security and usability are often seen as being in conflict. It is also not uncommon for malware authors to bundle malicious code within other software and offer it free or at a steep discount to induce people to use it. Antivirus programs slow down computers, while proper password hygiene requires users to maintain different strong passwords for each account. Untrained users, who can disable or bypass many of the technological defenses, can be an organization’s greatest cybersecurity weakness.
Cybersecurity awareness training is vital because it strengthens what is commonly considered the weakest link in most organizations’ cybersecurity strategies. Training users to identify potential threats and appropriately respond to them increases organizational security, and both motivates and empowers users to help protect sensitive information.
The Case for Software
The cybersecurity landscape is rapidly evolving as new vulnerabilities are discovered and new tools and techniques are developed. The continuous evolution of cybersecurity makes it essential for defenders to develop solutions to protect against new threats.
Traditionally, antiviruses and other cyber defense software use signatures to identify and block known malicious code from entering the network perimeter. However, this approach is of limited effectiveness since it requires malware to be identified and a signature developed before the software is able to detect the malware. With hundreds of thousands of new malware samples being identified every day, it is becoming increasingly difficult to identify and develop signatures for malware within a reasonable period of time.
Malware detection software has recently begun using anomaly detection to identify malware entering the protected network. By developing a sense of what is “normal” for a network, its computers, and the data moving into and out of it, these systems can identify potential threats entering the network by recognizing that fact that they are unusual. Hybrid systems using signature detection and anomaly detection are able to both positively identify known threats and identify new threats within a high degree of probability, providing an organization with a higher level of protection than pure signature-based software.
The goal of cyber defense software is to automate as much of an organization’s cyber defense strategy as is possible. Currently, over 350,000 cybersecurity jobs are unfilled and the shortfall is expected to increase to 3.5 million by 2021, meaning that there are simply not enough trained analysts to go around. Investing in tools that automate as much of the cyber defense workload as possible can act as a force multiplier for the available human talent. Deployment of focused solutions can help target specific goals, like the use of data loss prevention (DLP) software to reduce the chance of a data breach and the risk of associated regulatory impacts. Carefully-selected and correctly-configured software can have a significant positive impact on an organization’s cybersecurity.
A Cohesive Cyber Defense Strategy
The best choice for a cyber defense strategy is not an either-or between training and software, but a both-and. To be effective against the wide variety of cyber threats that an organization may face, the organization needs both educated users who are trained to recognize human-focused attacks and software that can identify new malware attacks and remember old ones.
Humans and computers have complementary strengths. For example, humans are intuitive, but have poor memories and are unlikely to remember every facet of company policy and training information. Computers, on the other hand, have excellent recall but no intuition. In the face of a phishing email, a synergistic relationship between user and software will manifest in software that presents the potential threats in an email and the relevant corporate policy in a warning banner, letting the user make the decision on whether the email is malicious or not based on this information. By presenting warning information, the software places the user in a defensive mindset and provides the user with the information necessary to make an informed decision about the potential threat.
The decision of which cybersecurity training and tools to invest in should be made from a risk-management perspective. The cybersecurity world is constantly evolving, and it is impossible to provide complete protection against any threat than an organization may face. A careful analysis of the impact, probability and cost of potential cybersecurity threats can help network defenders put a price tag on each potential threat and scale their investment in different cybersecurity solutions to match the potential impact. Overinvestment in one aspect of cybersecurity could leave an organization vulnerable to attack in another, so investment decisions should never take an either-or stance with regard to security awareness training and software.