By Sungard AS
Many cyber security threats, such as advanced malware, can only be countered with sophisticated technology. But on a day-to-day basis, employees are typically your greatest source of vulnerability.
Your people are your strongest line of defense … or your weakest link
It might seem hard to believe, but the number one threat to cyber security is still workers leaving laptops and mobile devices unattended in vulnerable places, such as public transport, cars and restaurants. They're practically rolling out a welcome mat for hackers, putting the company's network and data at risk – especially if they commit the secondary sins of storing sensitive information on the local hard drive instead of the server, or using weak, easy-to-guess passwords.
In the first instance, you need to make sure your IT security policy is sophisticated and comprehensive enough to cover all possible sources of attack, including the latest threats, and contains a clearly documented remediation plan. However, simply having a policy in place doesn't go far enough. It's not that employees will willfully disregard it – rather, they genuinely lack awareness of the risks and consequences. You can't simply expect new hires to sign an "I have read and understood the company's IT policy" statement during the on-boarding process.
It's vital that you take a proactive, ongoing approach to educating your entire workforce about cyber security threats and counter-measures before someone or something compromises your systems, data, reputation or even livelihood.
Five tips to educate employees on cyber security
Tip #1: Clearly communicate the potential impact of a cyber incident on your business
Explain the spiraling consequences of everyday activities and bad habits – from financial losses or fines, to damaged customer trust. For example, walk through the scenario of what could happen if someone left their laptop on the train, accessed work documents over an open Wi-Fi network in a coffee shop, or opened personal emails on a work device. What are the dangers of revealing personal information on Facebook (kids' names, memorable dates, etc.) which may be used in passwords for work applications? Most people may not even realise how they're potentially undermining your business through every day (mis)behaviors.
Tip #2: Make cyber security everyone's responsibility
No one is immune so include management and IT in your education program. The more senior an employee, the more information they typically have access to, making them a more attractive target to cyber criminals. IT staff have even greater power over the network, making them just as susceptible to determined hackers, so ensure complacency doesn't set in. Remind everyone that your company's infrastructure is only as secure as its weakest link.
Tip #3: Hold regular cyber security sessions
Training needs to happen before your business is hit by a cyber incident, not in the aftermath. In addition to initial cyber security training as part of the on-boarding process, set up a regular event such as a lunch 'n' learn, or an online forum where employees can share information about cyber security – whether that's referencing a topical news story about the latest high-profile breach, or sharing an insightful article on cyber-crime tactics. Make it relevant and engaging – after all, most people use connected devices at home or have friends and relatives who could benefit from better awareness of personal online security.
Intermittently test employees' cybersecurity knowledge – an online survey is a quick, inexpensive and effective way to do this – and refresh as needed.
Tip #4: Issue specific rules for email, internet browsing, social networks and mobile devices
Encourage a culture of "safe browsing" and caution your staff to be wary of suspicious links and attachments from unknown sources when using company devices – whether that's a phishing email or a video on social media. Bear in mind that if you force employees to change their passwords on a weekly or monthly basis, they'll probably resort to writing them down on a sticky note left on display at their workstation. And if you make it too tricky or convoluted for them to access the systems and data they need to do their jobs, fully expect them to find less secure work-arounds like USB sticks or personal email to bypass your controls.
Tip #5: Train your employees to recognise and respond to a cyber attack
Give your staff a clear channel, such as an emergency number, to alert your administrator to any suspicious emails or unusual activity, or for reporting a lost device – even if it turns out to be a false alarm. Some cyber-attacks are preceded by a seemingly innocent work-related phone call, purportedly from a supplier or service provider to establish account details or passwords, so don't overlook the significance of such calls as a precursor to cyber-crime. If an attack or breach does occur, give everyone a timely heads-up to limit the impact of the attack. Ensure you have an internal communications plan and PR strategy in place should the worst happen so your teams are equipped to field questions and reassure concerned customers or investors.
While there's no foolproof method to protect your business, educating your employees about security threats and best practices for online behavior and privacy can at least reduce the likelihood of a breach caused by human error.