Employees play a critical role in reducing or enhancing the risk of a cybersecurity attack on an organization. This article covers important ways to ensure employees are part of your cybersecurity strategy, rather than leaving your organization exposed.
- Regularly Talk to Employees
It’s important for organizations to address cybersecurity training on a regular basis, explaining the potential impact a cyber incident may have on your operations. Employees need to know their obligations, especially when it comes to mobile data. It’s not enough to require an annual review and signing of an “I have read and understand company IT policies” statement.
Organizations should have regular, focused sessions with employees to explore different types of cyber attacks. Threats change, new people come on board, and employees get caught up in their day-to-day activities, sometimes losing focus on the security threats knocking at their door. Consider having regular lunch and learn sessions, and encourage employees to use what they learn at home on their own computers.
- Remember Top Management and IT Staff
Top managers are often the target of cyber criminals because of their higher level of access to critical corporate and customer data. This increased access has a much bigger damage/financial payoff for the hackers. IT staff are also more vulnerable, given their administrative access over the network.
- Human Beings as the Weakest Link
Any network is only as strong as its weakest link. Explain to employees that while your organization is making best efforts to secure the company’s infrastructure, it’s critical that employees fully engage and do their part in following company policies. Policies should be sophisticated enough to cover all possible attack vectors.
- Social Engineering Risks
Warn employees to pay special attention to social engineering ploys they will find in social media, blogs and emails. It’s also important to point out that many cyber incidents begin with a phone call from someone posing as a co-worker or customer, asking seemingly innocuous questions. Meanwhile, they are actually manipulating the employee in order to gather information about the company and its operations.
- Password Best Practices
Passwords are the first line of defence against cyber criminals. It’s crucial to pick strong passwords that are different for each important account. It is also a good practice to use a long mix of letters, numbers and symbols, as well as update passwords regularly. When employees understand password management best practices, they are able to actively protect confidential information.
- Recognizing an Attack
Train employees to recognize an attack. Don’t wait to react. Have a documented remediation plan in place and update or review it frequently. Communicate step-by-step instructions about what employees should do if they believe they’ve witnessed a cyber incident.
Training should include specific rules for email, web browsing, mobile devices and social networks. Don’t forget the basics, such as physically unplugging the machine from the network and notifying IT of any suspicious emails, activity or lost devices. Employees should be able to locate their emergency IT contact number in 20 seconds or less.
- Don’t Discourage Employees
Even if it’s a false alarm, it’s important not to discourage employees from speaking up when a cyber attack happens. If false alarms happen regularly, reevaluate your training approach.
If an incident happens, give employees a heads-up as soon as possible. A lack of transparency or improper handling of a cyber incident may significantly increase the impact of the event. Issue instructions to employees about how to speak to the public and the press about the incident. Have an internal communications plan and PR strategy in place before anything happens. Consider insurance for cyber incidents.
- Regularly Test Employees
Organizations should regularly test their employees’ cybersecurity knowledge and tie the results back into the training curriculum. It’s important to make it fun and/or rewarding, with incentives for prompt responses.
- Invite, Listen and Respond
With all compliance initiatives, if employees find the policies too difficult or restricting, they will find ways to circumvent them. If you force employees to change passwords every week, know that they will write them down and post them in their workspaces. If it’s too difficult or complicated to access something they need for their jobs, they will find less secure workarounds like personal email, USB keys, etc. Listen to what employees are saying and find the root cause of unsafe behaviour. Finding alternatives that work for both security and employees’ ease of use is essential.