By Adam R Cravedi
Compass IT security auditors are often asked if there is a single “most important” factor involved in safeguarding a business’s data assets.
To be sure, trade magazines and “tech-channels” are often promoting the latest IT security cure-all. But, while these solutions can go a long way toward hardening system networks, many require dedicated IT staff (and maybe even a few IT All-stars) just for configuration and maintenance.
So where does that leave small and medium-sized businesses that are subject to the same threats as Fortune 500 companies, but lack the resources to employ a 100-man strong IT army?
For these companies, defending against cyber-attack demands an optimal use of resources, and few solutions, technical or otherwise, are more cost-effective than a well-trained and prepared employee.
After all, research shows time and again that the weakest link in any network is almost invariably the people using it and their propensity for human error. This is especially so in a high-speed, information-driven environment, where email and Internet traffic account for the majority of demands on IT infrastructure.
Indeed, most hackers today work to exploit these channels—by crafting realistic email messages or compromising a favorite website, they entice users to click on links that covertly install viruses, worms, back-door Trojans, key-loggers, and other malicious code. Why spend hours, days or even weeks attempting to bust a company’s perimeter defenses, when a simple email could yield the keys to the kingdom?
And once malware is on the inside, all bets are off.
Countering this kind of attack requires that its targets—network users—be aware that threats are out there and have the knowledge to recognize (or at least suspect) when the enemy might be at the gate.
Thus, regular security awareness training about emerging threats and ploys is essential.
Of course, a robust IT security curriculum is only one component of any comprehensive information security program. All organizations must also deploy a range of perimeter and endpoint defenses, including firewalls; current and updated antivirus/anti-malware software on all computer systems; appropriate user access controls; and up-to-date hardware and software systems, to name only a few.
In a world characterized by a proliferation of cyber threats, where a single breach can lead to proprietary information being sold to the highest bidder on the black market, and irreparable harm to your organization’s reputation, advance preparedness training may be the closest thing to a silver bullet our industry has.
About Adam Cravedi, CISA, CISSP
Adam Cravedi is an original member of Compass IT Compliance, LLC. He brings over 21 years of experience in the Information Technology arena, including the Financial, Higher Education and Healthcare industries, to the Compass team. He holds a Master of Science in Management Operations and Information Technology and a Bachelor of Science in Electrical Engineering, both from Worcester Polytechnic Institute, and has achieved GIAC certification for Web App Penetration Testing & Ethical Hacking (GWAPT).
As a Senior IT Auditor for Lighthouse, he headed up the PCI ASV scanning and Internal/External Vulnerability and Penetration Testing functions. He also contributed to PCI, IT and Information risk and security audits. His work includes the role of Information Security Officer, in which he developed an in-depth Information Security Program that included Information Security Awareness Training as a baseline for information security for the organization and its employees.