Statistics from many sources suggest that the majority of cyber breaches involve human error. The latest high-profile example is the attack on MGM, where an attacker combined publicly available social-media information with a persuasive phone call to impersonate a legitimate employee, talk the help desk into a password reset, and thereby gain privileged access to the network.
Human error takes several forms. Staff in IT security roles may neglect to patch systems. Security personnel may fail to enforce multifactor authentication, which appears to have been a contributing factor in the MGM breach. An ordinary user may click a link in a phishing email.
In subsequent blogs we will explore all 14 domains of CMMC Level 2. Today we present the Awareness and Training (AT) domain, which addresses the issues above. This domain consists of 4 controls and 17 objectives. Here are the 4 controls.
- Establish a policy that includes Awareness and Training.
- Document the CMMC practices to implement the Awareness and Training policy.
- Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- Ensure that personnel are trained to carry out their assigned IT security related duties and responsibilities.
The 17 objectives of this domain are spelled out in NIST SP 800-171, with the corresponding assessment objectives enumerated in its companion assessment guide, NIST SP 800-171A.
To summarize: we must establish a security-focused culture in our organizations to reduce the risk of attacks from the outside and from within.