People are the weakest link in cybersecurity. The largest security gaps in many organizations are in management and culture, which are products of human communication, not technology.
According to the PwC's Global State of Information Security Survey 2016, only 53 percent of respondents reported that they have security awareness education programs for employees.
We suggest that companies continue to evolve their security strategies to stay prepared for ever-growing risks in cybersecurity. This should include implementing a robust control cycle to continuously identify new insider threats and improve security controls.
It will also be important to integrate cybersecurity into plans for new technologies such as the Internet of Things, while reviewing possible gaps in the latest Internet laws and regulations, in addition to aligning security strategies with key areas of concern.
But technology and security controls alone are not enough to boost cybersecurity. Smart organizations have always known that the human side of the security equation is essential.
Businesses are expanding the roles of key executives and boards of directors to allow for enhanced communications regarding cyberthreats and to help build more prepared and more resilient cybersecurity capabilities. They are also implementing awareness programs to help educate employees and executives about cybersecurity fundamentals and human vulnerabilities, like spear phishing, which remains a successful attack technique.
It is not uncommon for hackers to use social engineering techniques in obtaining confidential information by manipulating legitimate employees of an organization into revealing sensitive information or getting them to do something that is against the company's policies.
Therefore, establishing security awareness within an organization is essential in maintaining a high level of security alertness in order to minimize security threats.
There is no factor more influential than senior management setting the tone that cybersecurity is important and that individuals-including senior and middle management-will be held accountable for their actions. Senior management must develop an appreciation for the capabilities and limitations of information security. If senior management does not believe in it, why should anyone else follow it?
Although setting the tone will not repel a single external or internal attack, the controls that can safeguard an organization are made dramatically more effective with senior management's support.
With that support, the countless activities an organization must perform take on purpose and direction and add to an organization's strength. Lack of top management support invites weakness-even against weaker threats.
The key for an organization to gain awareness is communicating with the entire organization regarding the threats that exist and the countermeasures that are available. Cybersecurity places a heavy emphasis on the judgment of individuals at all levels-particularly middle management.
The author is a cybersecurity service partner at PwC China.
