EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
First line of defense: Employees
It is imperative that companies build and sustain a culture of cybersecurity in the workplace if they are to manage cyber risk effectively. This means moving beyond the typical approach, in which a business simply allocates a fixed share of its IT budget or revenue to security without assessing its actual needs. The approach must help employees understand that the risk is real and that their own actions can increase or reduce it. The company's security program must also cover third parties and anyone else with access to its IT environment.
Effective cybersecurity is a persistent effort: alongside application security, penetration testing and incident management, it has to address employee behaviour, third-party risk and the many other ways an organization can be exposed.
Enterprises spend millions of dollars on hardware and software yet may neglect the simple step of properly training their employees in security practices. Teaching employees to recognize threats, drop risky habits and follow basic security hygiene can give one of the best returns on security investment. The benefit, however, is hard to measure, which makes the expense hard to justify: a return-on-investment case for employee training and a culture of security is a difficult sell to senior management, and in many cases management does not believe that training alone reduces exposure to cyber losses.
An example of a cyber-attack that takes the employee route is the phishing email. According to a threat trends report from a major IT vendor, 90% of data breaches start with a phishing email. Most employees believe they would recognize a phishing email and would not act on its request; yet the same report found that in around 86% of organizations at least one person clicked on a phishing link. With nine out of ten ransomware infections originating in some form of phishing event, training employees to spot phishing emails and related lures can reduce risk significantly.
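The indicators that phishing-awareness training teaches people to look for (a display name that impersonates an internal address, a sender domain one character off the real one, a Reply-To pointing elsewhere, link text that does not match the link target, and pressure language) can also be checked mechanically. The script below is an added example, not EY's code or part of the report cited above; the company domain `example-corp.com`, the two email messages and the indicator names are constructed for illustration, and the urgency phrase list is deliberately short.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed company domain for the constructed samples below; substitute your own.
OUR_DOMAIN = "example-corp.com"
# Short, illustrative list of pressure phrases that training tells people to distrust.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify now")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lowercase domain of 'Name <user@host>' or 'user@host'; '' if none."""
    _, mailbox = parseaddr(header_value)
    return mailbox.rsplit("@", 1)[1].lower() if "@" in mailbox else ""


def phishing_indicators(raw_message: str) -> list:
    """Return the indicators found in one RFC 5322 message; [] means none fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)

    # 1. The display name carries an address at a different domain than the real sender.
    if "@" in display_name and domain_of(display_name) != from_domain:
        found.append("display-name-address-mismatch")

    # 2. The sender domain is within two edits of ours (e.g. examp1e-corp.com).
    if from_domain and from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 2:
        found.append("lookalike-sender-domain")

    # 3. Replies are routed to a third domain.
    reply_to = str(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        found.append("reply-to-domain-differs")

    # 4. Anchor text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.match(r"\s*(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        target = urlparse(href).hostname
        if shown and target and shown.group(1).lower() != target.lower():
            found.append("link-text-host-mismatch")
            break

    # 5. Pressure language in the subject or the (tag-stripped) body.
    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        found.append("urgency-language")
    return found


# Constructed sample: a credential-phishing lure aimed at an employee.
PHISH = """\
From: "it-helpdesk@example-corp.com" <alerts@examp1e-corp.com>
Reply-To: support@mail-recovery.net
To: employee@example-corp.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expired. Click
<a href="http://examp1e-corp.com/login">https://sso.example-corp.com</a> to verify now.</p></body></html>
"""

# Constructed sample: a benign internal notice that should raise nothing.
LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: employee@example-corp.com
Subject: Monthly maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Patching happens Saturday. Details:
<a href="https://intranet.example-corp.com/maintenance">https://intranet.example-corp.com/maintenance</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT))
```

None of these checks is conclusive on its own (a legitimate mailing service can set a different Reply-To, and a benign newsletter may say "urgent"), which is exactly why training frames them as cues to pause and report rather than as rules that replace judgement. The same logic, run over a mailbox export, also gives a rough measure of how much of what reaches employees carries these cues.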
In any system, humans are the strongest asset but can also be the weakest link. Security culture is primarily for people, not for computers. It is therefore important to instil the idea that security belongs to everyone, with programs tailored to region, department and role, so that people come to see security as part of the organization's culture.