KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
It's it's a pleasure to be here. So thinking thank you for having me. And it's also of course, a big pleasure to talk about the weakest link that is humanity itself.
Being now, dealing with this topic for quite some time, we keep hearing, as you say that we are the weakest link and we should focus in the solutions. So today I would like to present you a little bit. What I think is the solution and is the ongoing training. It's what we can do is what we need to do for ourselves and for the companies that we are. So let me give you a little bit of this topic in a nutshell, by hope. Hopefully you are seeing my presentation and just giving you a little bit of my background to understand why am I here today?
And with my humanity of things had, I was part of the cybersecurity and data protection task for, of CPS. And I've been studying this matters currently in my professional diploma, cybersecurity and data protection of ma university, starting this field with the data protection certification and being more and more curious about the cybersecurity itself. I am a lawyer.
So for me, the global vision of this topic is the most important thing. And we cannot ever undermine that. Everybody needs to sit and talk about security and we, of course, we're talking about cybersecurity, but let's not forget that security is a bigger umbrella and we should never forget that part as well. So today what I would like to be able to leave you is a comprehensive understanding of the importance of the training of cybersecurity, of the effort that companies need to put in this topic for their own. Good. So today we will be seeing a little bit about this matters.
So why continuous training, why not training and we'll stop here. So as you heard, we are identified as the threat studies are showing us constantly with data with very, very valid data that the human factor, it can sometimes crash a business and companies can longer underestimate this, this human error. So recently I was seeing a presentation by cybersecurity company that was hired to test a university system. And you would be always surprised how much this is still playing a role.
And also what they tried to prove was the difference between people who had a higher level of education and a lower level of education. And maybe surprisingly that this didn't play such a big role as we would think.
So it's, it's still an ongoing matter for everybody, no matter their, their education in other fields. So this idea of training people should not then be different from the ones assumptions. I would say of knowledge are one of the big problems that we have. So this importance that the importance of this training. So we know that the, the capacity of this attacks is exponential is growing every day. So if we want to keep up, we cannot just leave this to the services. We need to have everybody on board.
We need to and make everybody understand that every stakeholder of the process is responsible and that in fact, human errors causes this breaches and they can have a real, real, tremendous impact in a company. I remind you that sometimes what it sounds like opening a simple email can put a whole company in trouble, and this is the first message. Nothing you do is out of risk. And you need to be aware of that. So educate stuff properly under conduct of understanding that they are a target and that they need to be able to have the tools.
So the, the security awareness, I would say that it needs to be, of course, tailor made for every company that is a basis, but there are a few things that everybody needs to know.
We are not, of course, for the sake of time, I'm not going to give you a training itself, but at least that this is a little list I'm going to provide you is what I call the basic package of knowledge and that we can also in a way prevent some of the, yeah, the attacks itself by this educating and from the normal topics of passwords to higher understanding of the need of creating regulation of digital PLA platforms and guidance for proper conduct. So there is different levels.
And this is also very important that we understand this overall picture so we can tackle it with also with the capacities that companies have. So I would say that every time that someone comes into the company, that we should be able to at least have them on board of understanding a little bit and don't get me wrong. We should not force people to understand technicalities, but to have broader understanding. So nobody needs to know everything. Sometimes that people get overwhelmed and they are even as great to, to open their mouth, to show some ignorance.
And I would say that technical terms are very complex and even understand them in depth is not the purpose, but understand what can happen is our goal. So if we have a house and we know how can someone, for example, break a door, you know, it's common sense. We know that leaving a window open can let someone in. So it's more to have this understanding.
And like I say, to have this open door for everybody, to be able to quickly question, understand that we also be able to take all these complex terms and break them into pieces and images, even to make everybody understand what we are talking about. So this would be a perfect guide to start.
I think for many people, especially here today, everybody will know this list, but I am a hundred percent sure that if you present this to any employee for different segments of a company, maybe they know malware, I think fishing for sure, but all the passwords, but they will need, even in these terms that are more used every day to really understand what encapsulates what we are talking about. So this would be my first attempt to create what I call this ongoing training basis.
So as, as you see, then in this continuous training, the different forms of cybersecurity threats are important to start, but then you need to go and you should be able to create blocks what I call teaching blocks. So I don't think we should be able to provide the information or the whole information. Sometimes I feel like we're trying to push even online training that we just sit someone, these people need to read or understand or listen for a while. And it looks fine, but there's no context.
So if you are talking about a password, I give you a simple example recently that I saw in front of me. So an intern was being explained that the password was not to be kept in a paper next to the computer.
And, and you would say, especially since we believe that new generations are more aware of all the topics that this would be not even needed to say, but the reaction of the intern was I'm really bad in remembering everything. Maybe then I will be able to write down in my notebook that will stay with me. And the person said, no, you will not do that. That's not the way to do it, but there was a little struggle there because there was not a conscience, a clear conscience of what implies to have a notebook full with passwords and all of that.
So I would say that, yes, it's important that we create trainings that we can listen. I understand that companies sometimes will not be able to have proper trainers depending also on the dimension of the company, but I would also not expect them that people understand clearly what we were talking about. So I think that we need also to mature this notion of training and to use the, the online capacity or trainings or, or, or little courses, but to give context. But I'm a firm believer that trainers people that can also be with everybody a little bit, following them.
It's very, very important understanding, also the use of the computer and in the premises, the internet that we are able to access all of this sounds so basic for all of us. And what we keep seeing in reality is that it's not, and it's not even a generational matter. It's a matter of literacy that we do not have. So if nothing else, I would like to really leave you the message from the field that this trainings should not start with assumptions, that people understand what they are even reading or listening. If it's an audio course.
So don't expect people to know these things and go one by one, if needed this investment of time can be, can play a big difference in, in how people use their capacities. So more than anything, what we want is to be able to create critical capacity critical thinking also that we have in companies, someone from HR, if there's an HR department, of course, but that is able to keep in a daily base to have some kind of checkups, but to be able to provide weekly refresh sometimes of concepts, I know a company that does what they call a little presentation.
So every week they have a, a, a staff meeting and everybody presented a small, small presentation, 10 minutes, they choose a small topic. They talk about it and everybody listens. And everybody in a way you have someone that is researching, but at the same time, there's a moment in this weekly staff meeting that everybody talked about a particular matter of a particular topic. So if you can do that, training is not necessarily also something that is a passive. It can be an exercise and it can be a presence, a constant presence in, in this company.
So critical thinking after the basic knowledge is what you need also to, because some situations are not like a is equal to B. And so if people understand a little bit more, they will have the capacity to react differently and they can literally also react faster.
They can, for example, communicate a data breach in a much more simple way. The, the, the reaction time can be less. And with that, you gain so much more leverage in any action that for instance, a proper, proper cybersecurity team can, can have so refreshing creating this weekly moments, or even than proper training, I would say every semester, and maybe I sound too ambitious, but I think the threats are getting worse.
The capacity of targeting people is getting better and better, you know, from spear fishing to social engineer, ransomware malware, this is becoming a daily basis for many of the companies we know, and some of them don't have capacity to have strong reinforcement. So this should be the basic if human error is what we know, the weakest link, not providing proper tools to humans is the weakest response for any company.
So I would say that in a, a global ecosystem of threats, now, the basics should be something that we keep, keep talking, even in summits like today that we have high level guests, that we have high level topics in this panels. And I would say we never should lose the, the literacy, the basic literacy from, from this topic.
So simple, understandable, and reinforce is what we need to create this human firewalls and to be more positive towards this human factor as well. And with that, of course, I would like to give the opportunity to questions as well.
If, if there's some.
