The proliferation of devices in the Internet of Things creates more entry points that are vulnerable to cyberattack. When evaluating cyber risk, however, it’s important to understand the risk stemming from people and behaviors, not just technology.


In “Cybersecurity: Building an arsenal to defend against invisible enemies,” which recently ran on IHS Quarterly, Thomas Lynch, Dennis Murphy and Christoforos Papachristou of IHS wrote that “cyberattacks are increasingly sophisticated as their destructive incursions seek new ways to breach security and inflict damage.” This is a particular challenge for the Internet of Things (IoT) because, in the coming years, billions of new devices will be fitted with chips that connect them to the internet. Some experts estimate there will be nearly 50 billion connected devices by 2020, the authors report.


The underlying problem is that the interconnected nature of such a massive system significantly raises the cybersecurity risk. Most IoT devices are designed for connectivity rather than security, which leaves them vulnerable to malware. Essentially, each device is a potential portal through which an attack can gain entry and then spread to everything else on the network, according to the authors.


On the other hand, it can be argued that the weakest link in the cybersecurity chain is actually people: employees and their lack of awareness of cyber risk. Brian Contos, CISSP, VP of Threat Intelligence & Security Strategy, explains in a recent CSO article that employees—including executive leadership and management—must be actively involved in an organization’s cybersecurity apparatus, because they will likely have access to many of the business’s computers, systems and networks, and often serve as the first line of defense in protecting them. Executives are targeted for their access to sensitive information, while frontline workers are targeted as a way into the network, from which attackers can elevate privileges and move laterally to find that information. Both types of employees are access roads to the same destination, he writes.


It follows, then, that security training is best approached collectively. It’s common for an organization to require employees to undergo annual user awareness training. However, such training is often treated as a compliance obligation rather than an opportunity to inform and educate. Frequent, interactive training better prepares employees for current threat trends by highlighting the tactics, techniques and procedures hostile actors use to gain unauthorized access to targeted systems, Contos writes on CSO.


It’s also vital that this type of training include all employees—executives among them—in the same room, so they can share their experiences and educate each other about the threats they’ve personally encountered, Contos writes. This kind of transparent dialogue unifies the workforce and reveals where security awareness is strong and where it is weak, he explains.


One pitfall to avoid is that accountability and responsibility are sometimes seen as burdens that punish employees or impede business operations for the sake of compliance. Instead, Contos explains, accountability and responsibility must be communicated as opportunities to strengthen an organization’s commitment to protecting the information and access that support the goals of the business. After all, a savvy and alert employee can prevent a cyberattack simply by not clicking a malicious link in an e-mail, he writes.


Do you agree that employees and their behaviors are a greater risk than device vulnerabilities? And do all employees at your organization, including executives, receive the same training?