Whether it is an email from your IT department asking you to log into the new mail portal, or an email from the Finance Director telling you that a supplier's bank details have changed, one of the weakest links in any organization's cybersecurity infrastructure is the uninformed employee.
Phishing is one of the most common vectors for gaining access to an organization's information and infrastructure. People also like receiving email from friends, and many companies allow access to personal webmail from work machines (intentionally or not), which means that mail never passes through the corporate mail gateway. Many popular webmail services run anti-virus engines in the background, but new malware can still get through before anti-virus vendors have had a chance to analyse it and ship signatures for it. It is not difficult for an unsuspecting employee to open a malware-laced attachment or link and infect their work computer.
Employees need ongoing training and awareness coaching to spot potential threats. The time and money spent educating them is cheaper than mopping up after a breach: analysing the attack, identifying what was affected (you may never be entirely confident that you removed every trace), and repairing the organization's reputation all take considerable effort.
A layered defence is therefore paramount in any organization, and employee awareness is a vital layer. When a user mistakenly clicks on a link or attachment that causes a security incident, we often treat them as the primary cause of what follows. However, for that malware to reach the user it must already have passed through several other defence layers, both external (mail filtering, reputation checks) and internal (endpoint protection, least privilege). The fact is that cybersecurity is a demanding, multi-faceted, and critical business function, and it starts with setting the right organizational mentality.
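The two lures described above (an "IT department" mail-portal login and a "Finance Director" supplier-details change) share a handful of indicators that a trained employee looks for: an internal-sounding sender on an external or lookalike domain, a Reply-To that routes answers elsewhere, and a link whose visible text does not match where it actually points. The following is an added example, not code from the original article, showing those same checks as a small screening layer that could sit in front of the user. The messages are constructed for the example and the internal domain `example.com` is an assumption.

```python
"""Added example: flag the phishing indicators an awareness programme teaches,
as an automated screening step. Sample messages are constructed; the internal
domain and the header layout are assumptions, not data from the article."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own domain. Mail claiming to come from the
# IT department or the Finance Director must actually originate here.
INTERNAL_DOMAIN = "example.com"

# Constructed sample: credential-harvesting lure posing as the IT department.
SAMPLE_IT_LURE = """\
From: IT Helpdesk <helpdesk@example-com-portal.net>
Reply-To: support@mail-portal-login.net
To: alice@example.com
Subject: Action required: migrate to the new mail portal
Content-Type: text/html

<p>Please sign in at <a href="http://mail-portal-login.net/auth">https://mail.example.com/login</a> before Friday.</p>
"""

# Constructed sample: spoofed internal From with replies diverted externally.
SAMPLE_FINANCE_LURE = """\
From: Finance Director <finance.director@example.com>
Reply-To: finance.director@outlook-secure-mail.com
To: bob@example.com
Subject: Updated supplier bank details
Content-Type: text/plain

Please update the bank details for our supplier before the next payment run.
"""

# Constructed sample: a legitimate internal notice.
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html

<p>Details are on <a href="https://intranet.example.com/maintenance">the intranet</a>.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return human-readable reasons the message looks like phishing.
    An empty list means none of the checked indicators fired; it is not proof of safety."""
    msg: Message = message_from_string(raw)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Internal-sounding display name on an external sender domain.
    internal_words = ("it ", "helpdesk", "finance", "director", "hr ", "payroll")
    if from_dom != internal_domain and any(w in display.lower() for w in internal_words):
        findings.append(f"internal-sounding sender '{display}' from external domain {from_dom}")

    # 2. Reply-To routes answers to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Lookalike domain: embeds the internal name but is not the internal domain.
    base = internal_domain.split(".")[0]
    if from_dom != internal_domain and base in from_dom:
        findings.append(f"lookalike sender domain {from_dom}")

    # 4. Visible link text names one host while the href points at another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        shown = URL_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and _host(shown.group(0)) != _host(href):
            findings.append(f"link text shows {_host(shown.group(0))} but points to {_host(href)}")

    return findings


if __name__ == "__main__":
    for name, sample in (("IT lure", SAMPLE_IT_LURE),
                         ("Finance lure", SAMPLE_FINANCE_LURE),
                         ("Legitimate", SAMPLE_LEGIT)):
        print(name, "->", phishing_indicators(sample) or ["no indicators"])
```

The finance sample is the harder case: the From address is internal and nothing in the body is suspicious, so only the diverted Reply-To gives it away. That is exactly why the article's point about layering matters; a check like this is one layer, and a user who knows to verify a supplier change out of band is another.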
Tech Republic offers 10 tips in this regard:
- Perform "live fire" exercises
Simulate an attack, run either by your internal security team or by an external company. If an employee falls victim, ask them what they learned from it and how they see its effect on the business and on themselves, then ask them to share that experience with others in the organization.
- Get leadership buy-in
The whole executive management team needs to understand the ramifications of a potential breach and budget continually for skills, hardware and software.
- Start cyber awareness during the onboarding process
Cybersecurity training should start the moment a new employee is onboarded and become part of the business culture.
- Conduct evaluations
Evaluate both employees and systems to find out how vulnerable they are. Until you do, you will not know how effective your cybersecurity plan is.
- Create a communication plan
Create a plan for communicating cybersecurity information to all employees, and bring every department on board with the training and best practices.
- Create a formal plan
The security team should work with the IT teams to develop and document a formal cybersecurity training plan, and update it regularly as threats and risks develop.
- Appoint cybersecurity culture advocates
A cybersecurity culture advocate should be appointed in every department: someone who keeps their colleagues trained and motivated.
- Offer continuous training
Cybersecurity training should be delivered throughout the year and tailored to each person's role. End users will most often face phishing and similar lures, whilst IT staff are exposed to more technical attacks.
- Stress the importance of security at work and at home
Help users understand that awareness benefits them not only in the workplace but also at home, where they are exposed to similar attack vectors. The consequences of poor security at home can be just as damaging for the individual.
- Reward employees
Reward users who report malicious emails, and share their stories of how a report helped prevent a security incident.
Training will never be perfect. Threats evolve and vectors change, and even with the most comprehensive and up-to-date training some attacks will still get past an alert, dedicated employee. It nevertheless remains a very effective measure and should form an important part of the overall cybersecurity defence strategy.