My staff is going to write a post-breach reaction plan. Is there anything else that I need?
According to the 2022 Data Breach Investigation Report from Verizon, 82 percent of breaches involve a "human element". https://www.verizon.com/business/resources/reports/dbir/
So, if you cut the human mistakes, you cut your cyber risk dramatically.
Minimizing human negligence requires changing human behavior. In a modern society, changing behavior requires training, and training requires repetition until the brain is conditioned to recognize a threat, such as a phishing email, or to understand that leaving your laptop in the backseat of your car is not safe.
Part of being human is making mistakes so post-breach plans are great…I am all for them. Pre-breach training is even better because your goal is to never have to use that post-breach plan.
Think of cybersecurity like you would addressing a risk of fire in your home. Planning an escape route in case of a fire is very good…it can save lives. A smoke alarm is critical so you can be warned of a potential fire. Training your household on what causes fires and how to prevent them lowers the risk of you having to use either the escape route or hear that alarm in the middle of the night.
Oddly, organizations are doing a piecemeal approach, and too many are not training their employees on cyber risks, especially small- to medium-sized employers. According to a Canadian survey, only 34 percent of employees of small- to medium-sized businesses claim their employer provided cybersecurity training. https://www.newswire.ca/news-releases/only-34-of-small-and-medium-sized-business-employees-report-receiving-mandatory-cyber-security-awareness-training-876508519.html
The lack of training is troubling because of the extraordinary effort some cybercriminals go to in order to trick unsuspecting employees. Their efforts are masked as normalcy and routine. It reminds me of fixing fences on my family's ranch. You could see the dangers of handling a barbed wire fence, so you knew what to do, but a live electric fence looks harmless until you touch it.
I am not recommending you shock your careless employees. Instead, train them well enough to understand that a risk exists and to recognize their adversaries' purpose is deception. So, have that post-breach plan ready, just in case someone makes a mistake. Remember that an "all of the above" approach to cyber risk is always the best approach.