GIBC Digital is in a position to help organizations prevent cyber breaches by strengthening cyber security, said Thomas Hernandez, GIBC Director of Global Cyber Security Practice based in New York City.
In a recent interview with this daily at GIBC’s office in the Jasmine Corporate Centre, Hernandez added that there are three pillars in cyber security.
“These are things affecting people, processes and technology,” he revealed.
Hernandez explained that at a base level an organization should have training and development covering the things that affect people, processes and technology, so that it can identify cyber risks and align them with business risks.
“Those are things that organizations should be mindful of as we evolve faster and as the landscape as a whole changes,” he said.
Hernandez suggested that employers focus on the training and development of their employees from both an annual compliance perspective and a user awareness perspective.
“Lack of user awareness and lack of training and development is the number one risk in cyber security. Also, it is the most underfunded aspect of cyber security with organizations across the board being underfunded in terms of their training and development,” he said.
He noted that 63 percent of data breaches are a result of lack of user awareness and lack of training. “It is a growing problem and a growing concern.”
To combat this, organizations must identify their training requirements and the compliance requirements for that training, and carry out an assessment across the board of how they need to close the gaps.
He noted that GIBC can help to develop training programmes and annual compliance programmes that certify employees against regulatory guidance and address transparency concerns.
Hernandez stressed that an organization can have all the technology in the world, but it is just as important to have a properly trained workforce that can identify threats and knows what ‘right looks like’.
“We call that the human firewall,” he said.
He explained that something as simple as a phishing exploit, where an apparently legitimate email carries a “Please Click Here” link that an employee clicks, is able to run a malicious script, and that computer then becomes the criminal’s computer, because they are now logged into the organization’s network.
“Or something like a ransom attack where an employee clicks a hyperlink, they download an attachment that they weren’t supposed to, they visit a website that they weren’t supposed to, they run a script that’s malicious in the background that they won’t see, and all those things, through training and development, those employees would know how to spot those things and how to prevent those things from ever penetrating the network,” he said.
Hernandez noted that there are also targeted campaigns, called whaling or spear phishing, that target executives within companies.
“For example, ‘hey, can you please finalize this purchase agreement for me’ and maybe a cross reference of the executive leadership, and they craft an email to appear from that executive, so that an employee wanting to do what they’re told is doing what they’re told and providing financial details to someone from a malicious email address,” he said.
He added that GIBC Digital develops training programs and content to help employees learn what those vulnerabilities look like so that organizations can have a smarter and more aware workforce.
Hernandez added that it is important for organizations to have a proactive, not a reactive, posture regarding cyber security.
“If you’re reacting to things as they happen, you’re already too late, and if you’re reacting to things and you don’t have defined processes, policies, implementation and proper planning, you’re already behind the curve. Because if you’re not, then your more mature competitors will,” he said.
Overall, preventive, deceptive and proactive security helps. According to him, compliance or auditing does not equal security.
“Compliance activities and auditing activities are just mechanisms that drive the organization to do the right thing to begin with. So, at the root of it, if you’re doing the right thing as far as being a preventative, deceptive and proactive organization across things affecting people, processes and technology, then your audit, compliance and training activities will all come as a result and will be more mature and not less defined,” he said.