Sec-Blogger

Two things to help protect your Workforce: Cybersecurity Training and MFA


Organizations consistently struggle to maintain cybersecurity, as discussed in the TechRepublic article "Top 5 cybersecurity challenges for CISOs."

According to Fortinet's recent report, The CISO and Cybersecurity: A Report on Current Priorities and Challenges:


"CISOs can no longer afford to simply be technologists, but rather must become drivers of business strategy," the report stated. "They must move beyond compliance checkboxes to a broad approach based on an organization's overall risk management strategy. And they must move beyond a 'band-aid' approach to covering the attack surface to a holistic, proactive stance toward threat response."

Top CISO challenges

CISOs named the following as the top industry challenges that are leading them to improve or change their security posture, according to Fortinet:

  • Hackers/attackers (pre-intrusion) (47%)

  • Strategy (33%)

  • Data loss and privacy (28%)

  • Cost reduction/avoidance (13%)

  • Risk management (13%)

Because an organization's overall cybersecurity has many different aspects, we believe defense in depth begins with your workforce. Two things can help protect your workforce: cybersecurity training and MFA (multi-factor authentication).


A recent paper from Cornell University finds that security training in the workforce suffers from a lack of engagement and from a lack of appropriate materials and information. This usually stems from not understanding the workforce or from not relating the cautionary information to their roles in the organization. Cookie-cutter, generic presentations result in training that may tick a compliance checkbox but gives little assurance of behavioral change.


Personalized Training

Alarmingly, in most organizations the same training is presented to all workforce members regardless of their function or role. This lets workforce members believe that certain parts of the training do not pertain to them and mentally "check out" for large segments of the information being presented. For example, most information security training speaks to the need to ensure unauthorized devices are not plugged into organizational assets, which is a valid concern. However, the training often does not identify what constitutes an "unauthorized device", nor does it explain how a user can prevent this from happening.


What Can You Do?

For the different types of insider threats, including those that are not intentionally malicious, identify how proper training can mitigate the risk to your network. While generalized online training will always be a necessity, include role-based items such as those below that speak to your workforce, not merely at them:

  • Use the common reasons people plug in personal devices, such as downloading pictures, playing music, or charging the device

  • Identify how activities performed in their personal life with a BYOD device may compromise organizational security

  • Use real-world examples to reinforce the need for information security instead of purely hypothetical questions

  • Build interactivity into presentations

  • Provide incentives to reinforce behaviors that equate to topics presented

Ultimately, there is no way to prevent insider threats 100%. However, with a better understanding of workforce education, training will not simply be a compliance item but rather an assurance process.

The second most important tool in your cybersecurity protection is MFA (multi-factor authentication). If you've been prompted with a push notification on your phone after trying to log into a different application, you've experienced it. MFA requires users to provide an additional factor to verify their identity besides entering a password, such as a code generated by a hardware token, a one-time password (OTP) sent by email, or a biometric identifier (like Apple's Touch ID).


Eight reasons to support the use of multi-factor authentication

  • Identity theft is an easy, low-risk, high-reward type of crime and a threat to all businesses. It is the fastest-growing type of crime and is now more profitable than drug-related crimes.

  • Weak or stolen user credentials are hackers' weapon of choice, used in 95 percent of all Web application attacks.

  • The number of sensitive consumer records exposed increased by 126% year-over-year. The malicious actors are winning the war.

  • Headlines tend to belong to the household-name companies, but they are not the only companies being targeted. Of all targeted attacks, 31 percent are aimed at businesses with fewer than 250 employees.

  • Anti-virus systems and advanced firewalls are necessary security elements, as are vulnerability tests. Without user authentication, though, the front door is wide open to intruders.

  • Password theft is constantly evolving as hackers employ methods like keylogging, phishing, and pharming.

  • Cybercriminals do more than merely steal data. Often, they destroy data, change programs or services, or use servers to transmit propaganda, spam, or malicious code.

  • Employees are already accustomed to authenticating themselves in their personal lives, as providers of online services like home banking, gaming, social media, and email have all adopted mobile-based tools to effectively authenticate their users when accessing their systems.
