In the article “The Impact of Human Behavior on Security” by Jeff Capone (2018), the author makes several points about why humans should not be in charge of cybersecurity. Capone states, “When it comes to effective data security, the most successful solutions are transparent. They work in the background and provide automated, non-disruptive protection of assets” (Capone, 2018). I think this sentiment is best described in the use of automation and full file encryption. File encryption for all systems and files would likely not cost anything, as it is included as an option in most operating systems. Hardware encryption would be the more secure method, but it would add considerable cost. Another example of this would be implementing a VPN connection for the company or office and applying encryption to the network data. Since there is likely already a server in use, setting up a VPN would be an easy task and would allow for network encryption. This could also make logging and auditing the network traffic more efficient. For automation, antivirus software would be installed on each device and scheduled to run at set times, which would help stop people from making mistakes. I would have the antivirus configured to scan detachable devices before they can be used. I would configure the scanning of emails and attachments to prevent unwanted phishing attempts. I would also implement firewall rules at the server level to block unwanted access to the internet by keeping a whitelist or blacklist of domains and hosts to allow or deny. I believe this creates a good balance and minimizes the human input needed to maintain the network. While obviously still using least privilege when granting users access to system resources, I would create strict password requirements for the user accounts.
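The whitelist/blacklist firewall rule described above can be illustrated with a small policy evaluator. This is an added example, not code from the original post or from Capone's article; the rule entries, the sample requests, and the function names (`decide`, `audit`) are constructed for illustration. It shows the practical difference between the two modes: an allowlist is a least-privilege default-deny rule (anything not listed is blocked), while a denylist permits anything it does not explicitly name, and it also produces the kind of audit lines the post mentions for logging and review.

```python
from urllib.parse import urlsplit

# Constructed sample rule sets for this example (not real policy entries).
ALLOWLIST = {"example.com", "updates.example-vendor.net"}
DENYLIST = {"bad.example", "tracker.example"}


def hostname_of(target):
    """Return a normalised hostname from a bare host or a URL.

    Lowercases the name and strips a trailing dot so that rule matching
    is case-insensitive and not fooled by the FQDN form ("example.com.").
    """
    host = urlsplit(target).hostname if "://" in target else target
    if not host:
        return ""
    return host.lower().rstrip(".")


def matches(host, entries):
    """True if host equals a rule entry or is a subdomain of one.

    The "." prefix in the endswith check matters: without it,
    "notexample.com" would wrongly match the entry "example.com".
    """
    return any(host == entry or host.endswith("." + entry) for entry in entries)


def decide(target, mode="allowlist"):
    """Return "allow" or "deny" for a host/URL under the chosen list mode."""
    host = hostname_of(target)
    if not host:
        return "deny"  # unparsable target: fail closed
    if mode == "allowlist":
        return "allow" if matches(host, ALLOWLIST) else "deny"
    if mode == "denylist":
        return "deny" if matches(host, DENYLIST) else "allow"
    raise ValueError("mode must be 'allowlist' or 'denylist'")


def audit(requests, mode="allowlist"):
    """Evaluate a batch of requests and return one audit line per decision."""
    lines = []
    for user, target in requests:
        verdict = decide(target, mode)
        lines.append(f"{verdict.upper():5} user={user} host={hostname_of(target) or '?'} mode={mode}")
    return lines


# Constructed sample traffic: (user, requested target).
SAMPLE_REQUESTS = [
    ("alice", "https://example.com/index.html"),
    ("alice", "https://api.example.com:443/v1/"),
    ("bob", "notexample.com"),
    ("bob", "http://tracker.example/pixel.gif"),
    ("carol", "EXAMPLE.COM."),
]

if __name__ == "__main__":
    for mode in ("allowlist", "denylist"):
        print("\n".join(audit(SAMPLE_REQUESTS, mode)))
        print()
```

Running the same traffic through both modes shows why the post's least-privilege stance favours the allowlist: under the denylist, `notexample.com` and `api.example.com` are both allowed simply because nobody listed them, whereas under the allowlist only the named domains and their subdomains get through.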
These actions would require the users to be trained on very few aspects of the network. The main focus of training would be password security. Since this type of system would rely on a single logon, with the accounts stored on the server, users would need to be trained on the proper creation and handling of their passwords. The VPN connection and all antivirus actions could be configured through automation. Concerning the budget, the main costs would be the antivirus software and the initial setup of the firewall and server by a professional. Managers could be trained to audit activity and to create or maintain accounts without having full administrative access to the systems or the server.
References
Capone, J. (2018). The impact of human behavior on security. CSO Online. https://www.csoonline.com/article/3275930/the-impact-of-human-behavior-on-security.html