Recent news articles and trends show bad actors taking advantage of zero-day exploits and even oldies but goodies that take advantage of lazy IT strategies of not patching on a timely basis. But I have anti-virus (AV) on all my endpoints, so I'm safe, right? Nope! While most AVs will boast they can stop and detect anything, this could not be further from the truth.
The real solution is EDUCATION. Notice I did not say training. Training is something you do once and forget over time. This is the wrong way to defend against cyber attacks. A yearly training may satisfy your organization's checklist of things you have to do, but over time it has diminishing returns. What is needed is an ongoing educational awareness of cyber threats and a way to measure your campaign's effectiveness towards reaching its risk goals. Employees should be rewarded, not punished, for their efforts. Any identified weaknesses should be used to adjust training to mitigate those attack vectors. Cyber awareness should not be a dreaded task, but an enjoyable experience, even fun at times, which will lead to a much more favorable result and a TRUE culture of cyber awareness.