• United States




Cybersecurity is only as strong as your weakest link—your employees

Jul 14, 20164 mins
Internet SecurityIT LeadershipIT Skills

Stay on top of account management and assess staff security skills with CIS Controls 16 and 17

You can have the most secure system in the world, but hackers will always seek out the path of least resistance. When your defenses are good, the weak link is often your employees. Data breaches are most likely to be the result of employee error or an inside job, according to the ACC Foundation: State of Cybersecurity Report.

It’s good to focus on firewalls, malware defenses and data protection, but too often employees are an afterthought.

+ Also on Network World: 3 ways to protect data and control access to it +

To help you with that, we’re going to look at Critical Security Controls 16 and 17, covering account management and security skills assessment and training. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS) and designed to help the public and private sectors tighten up cybersecurity.

Critical Control 16: Account Monitoring and Control

Inactive user accounts are ripe for exploitation by attackers. By using legitimate, but inactive accounts, they can easily impersonate legitimate users and mask their nefarious activity.

There’s also serious potential risk involved when accounts associated with former employees or temporary contractors are not deleted when employment ends. They may be left with unauthorized access to sensitive data, which is especially dangerous if the split wasn’t amicable. Some unscrupulous former employees may see an opportunity to profit.

There are a few simple rules you can put in place to ensure inactive accounts aren’t a potential route in for attackers or a potential route out for sensitive data.

  • Account access should be revoked immediately when an employee or contractor is terminated or leaves for any reason. You may prefer to disable access rather than delete accounts.
  • Accounts should be monitored and flagged if they don’t have an associated business process and owner.
  • Automatically log off users after a period of inactivity and use screen locks to guard against access via unattended computers.
  • Be vigilant for failed log-ins and attempts to access deactivated accounts.
  • Profile user behavior so that log-ins at odd times of the day or night, or log-ins from new devices, are flagged.

You’ll also want to enforce multi-factor authentication wherever possible, ensure that passwords and usernames are fully encrypted, and configure and authenticate centrally.

Careful account monitoring is especially important at large organizations where breaches are more than twice as likely, according to that same ACC Foundation report.

Critical Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps

It’s easy to focus in on the technology you need to employ to bolster your cybersecurity defenses and forget that people can neatly sidestep all your efforts by taking the wrong action. Perhaps your IT staffers aren’t quick enough to patch or review logs, maybe your security policies are not enforced in any meaningful way, or your employees don’t know better than to click on a malicious link in a phishing email.

Attackers will go to great lengths to exploit any weaknesses or gaps here, and in many cases they can persuade people to effectively lower the defenses and let them in.

The first thing to do here is to perform gap analysis and find where employees lack the skills required to implement your cybersecurity plans and policies. You have to know where they are going wrong before you can hope to fix it.

Provide relevant training via senior staff with the right skills, outside experts, or even conferences and online courses. Make learning modules bite-sized and easy to understand. They must be updated to reflect the latest threats, and employees should complete them every few months. No one should be immune from this. Senior management may be resistant, but they actually pose the greatest risk if a phishing attack is successful, so they should complete the same training.

It’s all well and good to run training courses, but you have to test their effectiveness before you can rest easy.

As a case in point, JPMorgan boosted its cybersecurity spending after a data theft, but when it tested staff with a fake phishing email a few weeks later, 20 percent of them clicked on it.  Had it been real, that action would have downloaded a malicious payload onto the bank’s network.

If you don’t spend resources on awareness for employees and specific training where necessary, you can undo all your good efforts to improve your cybersecurity.


The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author