Anyone who has read ISO 27001 will be familiar with the three pillars of information security: people, procedures, and technology.
Because they are the easiest to implement, the latter two tend to get the most attention from managers. All you have to do is choose an acceptable solution (such as anti-malware software or a Cloud services provider), purchase it, and configure it.
People, on the other hand, are complicated. Off-the-shelf staff awareness training solutions can help educate employees about a variety of hazards, but organisations must remain continually vigilant to ensure that everyone follows the established guidelines.
Organizations frequently fail to accomplish this, and as a result, human error is one of the leading causes of data breaches.
The threat environment
You may wonder why, if employees play such an important role in information security, organisations ignore the ‘people’ side.
One explanation is the way businesses interpret the threat landscape. When examining the potential causes of breaches, it’s tempting to dismiss human error as just one vulnerability among a slew of other cybercrime threats such as system flaws, malware, denial of service, ransomware, and so on.
Those numerous threats appear to be ones that technology is best suited to combat. As a result, organisations’ main priority is frequently to invest in anti-malware solutions and vulnerability scans.
Employees, in fact, play a critical role in guarding against many of these dangers.
Consider ransomware: it’s one of the most serious cyber security threats that businesses face, yet it’s not as simple as criminals exploiting IT weaknesses to plant their malware.
The majority of ransomware is distributed as attachments in phishing emails.
Organisations cannot rely on spam filters alone to prevent these attacks, because cyber criminals are continuously devising new ways to get around them. Instead, they must teach staff how to identify phishing emails and refresh those skills on a regular basis.