Managing human risk is an essential aspect of any cyberrisk management program. 在这个网络威胁的时代, organizations must increase and prioritize their efforts to protect themselves from cyberattacks. While most organizations focus on leveraging the latest technology to enforce their security measures, a comprehensive information security awareness program must be in place to ensure that employees are aware of and educated about the threats they may encounter at the workplace. 根据2023年的一份报告, 74%的违规行为与人类有关, 无论是恶意还是过失, 让人成为网络入侵的最主要原因.1 While this is 8 percent lower than in 2022, humans still pose a high risk to an organization’s data. 因此, organizations must treat human risk in the same manner as any other identified risk, by developing a mitigation plan to reduce risk to an acceptable level based on the organization’s risk tolerance.
进行风险评估
The first step in managing human risk is to conduct a risk assessment to identify the risk factors most critical to the organization. 听起来很熟悉? 要想成功, a risk analyst must assess the likelihood of a vulnerability being exploited and the impact that would occur because of the event. 找到这些威胁来源, the security operations team should be engaged to uncover documentation regarding cyberincidents, 过去审计的威胁情报和缓解计划. The security operations team also tests users on the likelihood of penetration, 例如, 通过网络钓鱼模拟练习. 一旦评估员有了这些信息, 他们可以建立一个风险登记册,优先考虑最高的风险因素.
Any educator knows that it is not possible to teach someone everything that they need to know and expect them to retain all the information. 在进行风险评估之后, 关键风险可以通过意识和教育来定位和减轻. 例如, employees in an organization should be made aware of the risk associated with phishing attacks or identity theft efforts that engage employees through attack vectors such as emails, texts or phone calls They should be taught how to identify suspicious emails and links and to not disclose sensitive information in an email or over the phone. But making an employee aware of a threat is only the first step in protecting them and their organization.
Conducting a cybersecurity awareness program should not be treated as a one-time event. Annual compliance training is not enough to continually reinforce the practices needed for good cyberhygiene. Employees need actionable items to understand how to respond when faced with a threat. 澳门赌场官方下载s should consider how they can go beyond an awareness program to achieve a preparedness program. 例如, organizations can conduct quarterly or biannual training refreshers and provide cybersecurity learning opportunities in the forms of webinars or elearning modules.
Repeated risk assessments show how certain critical risk factors have been mitigated to an acceptable level, 而其他国家的重要性有所上升, 基于新的威胁. The long-term mitigation of human security risk transforms the security culture of the organization.
培育保安文化
Mitigation plans for reducing human risk should also focus on fostering a security culture within the organization. It is essential to emphasize that cybersecurity is not the job of only the IT department or the cybersecurity team, 而是, it is the responsibility of every individual to work toward keeping the organization secure. 文化变革需要持续的努力,需要时间才能看到结果.
创造安全的文化, it is important to encourage employees to speak out when they see risky cyberactivity and commend them for asking questions when in doubt. The organization can also acknowledge individuals who implement secure practices and create a rewards system to incentivize good security behavior.
It is important to encourage employees to speak out when they see risky cyberactivity and commend them for asking questions when in doubt.
检查员工行为
管理人类风险的另一个关键方面是跟踪员工活动. 而培养与员工之间的信任是至关重要的, it is also necessary to have measures in place to detect mistakes or malicious employee behavior. Employee monitoring software can track this behavior and alert the IT team to suspicious or risky activity, 例如数据泄漏. Periodic IT assessments or audits of employee activity help identify potential security gaps or weak points. 就像对待其他类型的风险一样,这些风险应该被积极地处理.
投资时间、才能和财富
An information security preparedness program needs time, talent and treasure to be successful. Dedicated resources require time to develop, execute and sustain the program long-term. 人才要求包括那些懂得风险的人, 能否与组织的不同层次进行有效的沟通, and can develop material both relevant to the risk identified and to the enterprise’s mission and goals. 最后,一个好的项目离不开资金. 而一些伟大的和多样化的材料是免费的, 针对关键风险的综合项目需要预算. Understanding the most significant human risk factors can help develop a compelling business case that outlines the need for, 和福利, 的资金.
结论
If an organization makes risk-based business decisions, it cannot discount human risk. 人类是主要的攻击媒介. 应适当使用技术来识别, 检测和预防安全事件, but training the people being preyed upon is perhaps the best defense against cyberevents. 通过进行风险评估, 建立积极的安全文化, 了解员工的活动,妥善管理资源, organizations can reduce the human risk factor and keep sensitive information secure.
尾注
1 Verizon, 2023年数据泄露调查报告2023年,美国
编者按
Hear more about what the author has to say on this topic by listening to the “管理人类风险需要的不仅仅是意识培训ISACA的一集® 播客.
克里斯Madeksho, CISA, CRISC, SSAP
网络安全分析师是否具备治理能力, 田纳西大学(孟菲斯)的风险与合规(GRC)团队, 田纳西州, 美国)健康科学中心. She works in the areas of risk management, policy management, and security awareness and outreach. Her career has spanned the travel, pharmaceutical and higher education industries.