At #teissLondon2018 Vijay Rathour, Partner with the Digital and Forensic Technologies Group at Grant Thornton, will be making his case for why training is a waste of money.
Yes, that’s right.
In a controversial head-to-head, Rathour will question why anyone is prepared to rest the entirety of their cyber security on the shoulders of the least-trained person in the workplace.
Rathour points to the recent false ballistic missile alert in Hawaii, where a live warning reached the public by mistake, and states, “We have to respect that human users are the ultimate beneficiaries of all of the technology we’ve got, so we need to account for the fact that they are potentially a risk factor in this ecosystem. Of course we need to train them, but fundamentally why is there not a systemic security safeguard that prevented that from happening?”
Human training: just a pretty bow on the box
“Human training is essential but there must be systemic safeguards behind that to prevent that ballistic warning going out unchecked,” he adds.
Rathour thinks it’s easy to blame the humans. “From my perception, if you’re going to have multi-million-dollar fines and fallout in customer confidence, surely it’s in your interest to have appropriate technical safeguards to prevent the risk of a cyber-attack, data breach and data loss. So your human training is frankly just a pretty bow on the box. You’ve got to have all that infrastructural security around that.”
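What a "systemic safeguard" behind the human can look like in practice, as an added illustration (not code from the article, from Rathour or from Grant Thornton): a two-person rule for a high-impact action. A drill message is routed to a drill-only channel, and a live broadcast is parked until a second, distinct person holding the approver role confirms exactly the action and text that were requested. The channel names, roles and the constructed messages below are assumptions for the example.

```python
"""Two-person rule (dual control) for a high-impact broadcast.

Added illustration of one kind of systemic safeguard; not the article's
own code. Channel names, roles and messages are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import hashlib
import secrets


class ApprovalError(Exception):
    """Raised when the two-person rule refuses a live send."""


@dataclass(frozen=True)
class Request:
    request_id: str
    action: str          # "drill" (drill channel only) or "live" (real broadcast)
    message: str
    requested_by: str

    def fingerprint(self) -> str:
        # The approver confirms exactly this action and text, so nobody can
        # approve a "drill" and have a "live" message go out instead.
        return hashlib.sha256(f"{self.action}\n{self.message}".encode()).hexdigest()


@dataclass
class DualControlGate:
    approvers: frozenset[str]                                  # users who may give the second approval
    pending: dict[str, Request] = field(default_factory=dict)  # live requests awaiting approval
    sent: list[tuple[str, str]] = field(default_factory=list)  # (channel, message) actually sent
    audit: list[str] = field(default_factory=list)             # who did what, for the post-incident review

    def submit(self, user: str, action: str, message: str) -> Request:
        if action not in ("drill", "live"):
            raise ValueError(f"unknown action {action!r}")
        req = Request(secrets.token_hex(8), action, message, user)
        if action == "drill":
            # A drill never touches the live channel, so a drill chosen by
            # mistake (or on purpose) cannot reach the public.
            self.sent.append(("drill-channel", message))
            self.audit.append(f"drill sent by {user}: {req.request_id}")
        else:
            # A live broadcast is parked; one person's click is not enough.
            self.pending[req.request_id] = req
            self.audit.append(f"live requested by {user}, awaiting approval: {req.request_id}")
        return req

    def approve(self, approver: str, request_id: str, fingerprint: str) -> None:
        req = self.pending.get(request_id)
        if req is None:
            raise ApprovalError("no such pending request")
        if approver not in self.approvers:
            raise ApprovalError(f"{approver} is not an approver")
        if approver == req.requested_by:
            raise ApprovalError("requester cannot approve their own request")
        if not secrets.compare_digest(fingerprint, req.fingerprint()):
            raise ApprovalError("approval does not match the request content")
        del self.pending[request_id]
        self.sent.append(("live-channel", req.message))
        self.audit.append(
            f"live sent: {req.request_id} requested by {req.requested_by}, approved by {approver}"
        )


def demo() -> DualControlGate:
    """Constructed scenario: one operator cannot send a live alert alone."""
    gate = DualControlGate(approvers=frozenset({"bob", "carol"}))
    gate.submit("alice", "drill", "THIS IS A DRILL")          # goes to the drill channel only
    live = gate.submit("alice", "live", "EMERGENCY ALERT")   # parked, nothing broadcast yet
    for who in ("alice", "dave"):                            # self-approval and a non-approver
        try:
            gate.approve(who, live.request_id, live.fingerprint())
        except ApprovalError as err:
            gate.audit.append(f"refused {who}: {err}")
    gate.approve("bob", live.request_id, live.fingerprint())  # distinct approver, exact content
    return gate


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The point of the fingerprint check is that the approver confirms the content, not just a request ID: an approval captured from one request cannot be replayed against another, and the audit trail records both names for the review that follows.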
Rathour cites studies, which he does not name, showing that online security awareness training given to staff improves day-to-day online hygiene by only 2%. If that figure holds, is training really the best place to spend your money?
Investing in cyber security: what businesses should consider
“Understand your risk factors, what type of business you are in and the severity of the risks to you subjectively. Then you can distribute your money proportionately to address the risks that may face you as a business,” advises Rathour.
He adds: “From the perspective of the ICO (Information Commissioner's Office), regulators, or customers – when this is all splashed over Twitter – if you can say we invested in the best security we could afford proportionately, nobody can deny that you’ve done what was appropriate.”
Spend what is proportionate for your particular risks
Rathour says: “Something is better than nothing at all. In light of the GDPR fines, if you spend nothing there will be egregious pain from the ICO, but if you’ve spent something – you’ve demonstrated you’re on a journey. Of course attacks can still happen, but if you prevent 90% of your attacks – you’re getting fairly good bang for buck.”
Understand what your risks are – specifically in your business
Understand that perfect security is nigh impossible to achieve