Cyber & IT Supervisory Forum - November 2023

changes have been made to existing systems to improve performance and increase resistance to security threats since the incident? Could any technical control have prevented the threat actor from compromising systems (e.g., multi-factor authentication, data encryption, etc.)?

d. Employee Training and Awareness: One of the most common attack vectors utilized during attacks involves compromise of the human element. Humans are often distracted, and threat actors are prone to exploiting human nature. Curiosity often drives us to click on links or open attachments. As a result, we often open the door for threat actors to walk right into our networks and systems, and attacks are often successful despite the technical controls we put in place to prevent them. Following an attack, follow-up refresher training is often necessary and prudent. For example, if the incident was the result of an employee entering Office 365 credentials when prompted to open an email (as in this instance), then additional training on spotting and reporting suspicious emails would be warranted, and perhaps not just for the individual responsible for the incident.

Training is one of the most important foundational security controls that an entity can implement. In general (outside of post-event training), training programs should be comprehensive, reflective of the threats most likely to be seen within the organization, and conducted at an appropriate frequency. Training should include EVERYONE, from the CEO down to the receptionist in the lobby. Anyone who has access to company networks and systems should be included, and a mechanism should be in place to ensure compliance and follow-up with organizational training requirements. Training is often considered by many organizations to be a "once a year" type of activity, and this might be entirely appropriate for some organizations. But for training to be effective and address the needs of a particular organization, it may be prudent for that organization to consider training on a more frequent cadence (e.g., organizations that have experienced an attack caused by human error, organizations that have many individuals who "fail" phishing exercises, etc.). Again, the frequency and type of training offered will be largely dictated by the needs of the organization, but the nature and frequency of training should be something we look at during an examination, particularly in the aftermath of an incident.
