Written as a CISO to a CEO
Good evening, CEO Duvall,
BLUF: In this brief email, I will discuss how we can stay within budget while minimizing human error in our cybersecurity.
Risk
The most important aspect we must consider before looking at our options is risk. We can’t waste money on phishing attack training when most of our employees are Gen Z and don’t trust links anyway. One of the risks I’ve noticed is that we have weak passwords and misconfigured software.
With these risks identified, we can focus our budget and energy on ways to mitigate them.
Technological options
A simple solution for weak passwords is an investment in multi-factor authentication for employees. One main issue with passwords is remembering them, which leads employees to choose easy-to-remember passwords; the downside is that those passwords are easy to crack. Multi-factor authentication allows employees to keep their preferred password, which makes it easier for them, while the additional factor minimizes the risk of a cyberattack.
A solution for addressing misconfigurations is to invest in an automated configuration management process. This removes some of the workload from employees, which minimizes mistakes, and it can increase the efficiency of our configurations. Another solution could be to implement strong access controls so that only select employees can change configurations. This minimizes rookie mistakes, and it also makes it easier to know who is responsible for any mishaps. Both of these solutions can streamline our configuration process, making it both more cost-effective and more efficient.
Training options
One aspect of training that can be implemented is classes on creating an effective password and utilizing multi-factor authentication. This is more of a one-time-only type of training unless we update our multi-factor authentication system. It is also a very simple and quick training session, so it shouldn’t consume too much of our budget.
Another aspect of training is regular configuration training for authorized employees. Since only a select few of our staff members will have access to configurations, training those specific employees on a quarterly basis will not significantly impact our budget. Limiting access to configurations is not only a security measure but also a budget-friendly approach.
Conclusion
As our business evolves and changes, these methods will evolve accordingly. It is always essential to understand what is at risk before investing money in unproductive ventures. Conducting risk assessments is part of my job, so it will not incur any additional costs. If any other concerns arise, I will find a solution to address them.