Most corporate decision-makers acknowledge that awareness is a significant aspect of cybersecurity.
Just how important it really is, however, is not clear to many, and is putting numerous businesses at unnecessary risk.
Fortunately, raising the cybersecurity education level of your employees does not have to be overly expensive or difficult.
The magnitude of the issue can be seen from just a few numbers. The latest statistics available from the IBM X-Force Threat Intelligence Index show that inadvertent insider actions were responsible for more than two-thirds of all records compromised in 2017.
Kaspersky puts the average cost of a data breach at a small or medium-sized business at $120,000, so a lack of cybersecurity education is an expensive risk, and one that is growing.
Avoiding those inadvertent insider actions is largely a matter of knowing what those inadvertent actions are, and why they are taken. Educate employees about them, as well as what to do if they suspect a breach or risk of a breach, formulate effective policies, and establish good communication practices, and your cybersecurity stance can be significantly improved with the technology you already have.
To help get you started the Helpful Humans at Liquid Web have shared a few of their top broadly applicable tips for how to educate employees about cybersecurity.
What Employees Need To Know
What To Look For
Identify the threats each employee is most likely to face, and explain them. Employees should know what these threats are, how they work, how to spot them, and what to do when they do.
Phishing is a common threat vector for businesses of all sizes and generally relies on an employee providing information or clicking a link to what they think is a trusted party, but is, in fact, a fraudster.
While phishing techniques are becoming more sophisticated, the general principles that guard employees and the businesses they work for against them are still the same.
Keep these guidelines in mind:
- Do not provide information of any kind or act on an email (such as by clicking a link) unless you are certain who you are communicating with; check the actual sender address and where a link really points, not just the name or text displayed
- Don’t open attachments or follow links in email from an address you don’t recognise
- Do not freely give out company information over the phone
- Be aware of what constitutes a suspicious request, such as any request for account credentials (a legitimate IT team will never ask for your password), or any message that creates urgency, for instance by threatening to suspend your account
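The checks in that list can be turned into something employees and a phishing-simulation tool can both use. The following Python is an added example, not code from the original article or from Liquid Web; it scores a message against four of the indicators above (a display name that borrows a trusted organisation's name from an untrusted domain, a Reply-To that points somewhere other than the sender, link text that shows one host while the href goes to another, and a request for credentials or a suspension threat). The trusted-domain list, the credential phrases and both sample messages are constructed assumptions.

```python
"""Heuristic phishing indicators for an awareness or simulation tool.
Added example; TRUSTED_DOMAINS, CREDENTIAL_PHRASES and the sample messages
are constructed assumptions, not real mail."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"liquidweb.com"}          # assumption: the organisation's own mail domains
ORG_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}
CREDENTIAL_PHRASES = ("password", "verify your account", "confirm your login",
                      "account will be suspended")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mail_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_host(text: str) -> str:
    """Host of a URL-looking string, or '' if the text does not look like a URL."""
    if "." not in text or " " in text:
        return ""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name borrows a trusted org's name while the real sender domain is not ours.
    display, from_addr = email.utils.parseaddr(str(msg["From"] or ""))
    from_domain = mail_domain(from_addr)
    if from_domain not in TRUSTED_DOMAINS:
        squashed = display.lower().replace(" ", "")
        if any(label in squashed for label in ORG_LABELS):
            findings.append(f"display name '{display}' impersonates a trusted org "
                            f"but the sender domain is {from_domain}")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    reply_to = email.utils.parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and mail_domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {mail_domain(reply_to)} differs from "
                        f"From domain {from_domain}")

    # 3. Link text shows one host, the href goes to another.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        shown, actual = url_host(text), url_host(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")

    # 4. Asks for credentials or applies pressure (one finding, whichever phrase hits first).
    lowered = (str(msg["Subject"] or "") + " " + body).lower()
    for phrase in CREDENTIAL_PHRASES:
        if phrase in lowered:
            findings.append(f"requests credentials or pressures the reader: '{phrase}'")
            break
    return findings


# Constructed sample messages (not real mail).
PHISH = "\n".join([
    "From: Liquid Web Support <support@liquidvveb.com>",
    "Reply-To: billing-desk@mail-relay.example",
    "To: employee@liquidweb.com",
    "Subject: Action required: verify your account",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Your account will be suspended. Please <a href="http://liquidvveb.com/login">'
    "https://my.liquidweb.com/login</a> and enter your password.</p>",
])
BENIGN = "\n".join([
    "From: IT Helpdesk <helpdesk@liquidweb.com>",
    "To: employee@liquidweb.com",
    "Subject: Quarterly security briefing",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>The briefing is Friday at 10am. Agenda: <a href="https://intranet.liquidweb.com/agenda">'
    "intranet.liquidweb.com/agenda</a></p>",
])

if __name__ == "__main__":
    for finding in phishing_indicators(PHISH):
        print("FLAG:", finding)
    print("benign findings:", phishing_indicators(BENIGN))
```

The lookalike domain in the sample (two v's for a w) is exactly the kind of thing a glance at a display name misses, which is why the check compares the parsed address domain rather than the name shown in the mail client.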
What To Do
Employees should also know what procedures they’re expected to follow if they suspect they have been targeted by a common attack method. Even at small organizations that have no IT team to block specific IPs or adjust firewall rules, the information should be shared immediately, so that the first employee to spot a fraudulent message is the last one who needs to.
Every employee should know to stop responding, disconnect the device from the network (rather than powering it off, which discards evidence an investigator may need), and follow the notification procedure, which should specify who to tell and the fastest way to do so.
Strong Security Means Good Policies
Set out policies to drive the procedures. Clearly defined policies not only ensure that employees know what to do, but in some cases can be written directly into the filtering rules of security tools, as with firewall block lists and mail filters.
What Policies Do You Need?
There are a number of areas in which policies should be considered. Consult the best practices associated with your industry and seek the advice of an experienced service provider. These basic policy areas apply to practically all organizations.
Require strong passwords and multi-factor authentication (MFA, often called 2FA) as a matter of policy. Weak and reused passwords continue to be a commonly exploited vulnerability, and as frequent data breaches expose more and more credentials, the problem will only get worse. NIST recommends long passphrases (rather than complex composition rules) combined with a second factor.
The standards body’s Special Publication 800-63-3, Digital Identity Guidelines (the authentication volume is SP 800-63B), describes authenticator types such as the multi-factor OTP device, which generates a one-time password only after it has been activated by a second factor, for example a memorized secret (PIN or password) or a biometric such as a fingerprint. A code sent to a phone by SMS is a separate, out-of-band authenticator type that NIST classes as restricted, so prefer an authenticator app or hardware token where you can.
This keeps a single breached password from being enough to log in and cause extensive harm to your business. An authentication policy also shows employees the organization is serious about security.
Some types of data are more sensitive than others, but all organizations have documents or other data they do not want publicly shared, and therefore need a data protection policy. If sensitive data, such as proprietary company information, customers’ personal data, or payment information, is stored, implement clear rules about how that data is stored, how long it is kept, and what happens to it when it is no longer needed.
Common data storage policies include rules for encrypting data so that in the event it is exposed or breached it will not be readable, as well as rules for limiting access to data based on its sensitivity.
Access to data should be limited to only those employees or third parties that require it, in what is called the principle of least privilege. This often means building different levels of privilege into logical access controls.
Put your employees – and your training – to the test. Some large businesses hire white-hat hackers to conduct penetration testing, but there are many ways to test the cybersecurity awareness of your employees.
You can challenge your employees by simulating a phishing email or social engineering attack. This provides practice, shows where the training is falling short, and helps employees keep the very real risks of fraud and hacking in mind.
The above tips all hinge on information about potential security threats flowing freely between employees and IT decision-makers, as well as to and from service providers. This is because attack methods, software vulnerabilities, and security technology all change constantly, and keeping up is part of keeping cyber safe.
Set aside time specifically for cybersecurity education and updates. Many businesses try to conduct cybersecurity communication or training by tacking it on at the end of meetings for core operational topics.
While this may seem like the convenient way to do it, the topic tends to end up getting put off or short-changed. People anxious to leave for lunch or the weekend might be given quick verbal reminders or barely-reviewed materials, which are often ignored, and the organization’s risk mounts.
Setting aside time specifically to formulate, pass on, and review the appropriate information and policies ensures that it is not put off until it is too late.
If every person at the business knows what to do if they receive a suspicious email or notice strange network traffic, then the only thing remaining is to ensure that that information is communicated throughout the organization rapidly enough to maintain a secure network perimeter.
Establish a clear notification process, setting out how suspicions are communicated to the person responsible for cybersecurity, how they are vetted, and finally, how they are communicated to the rest of the organization.
Also assure your employees that they are expected to report their suspicions, not evaluate every potential threat. That means false alarms will happen, and they should not hesitate to follow the notification policy for fear of being wrong.
Employees who are educated about cybersecurity are empowered to act in defense of the organization, rather than being a target for cybercriminals.
Combined with the security tools of a trusted service provider that rapidly provides expert human guidance, employees can keep threat response time to a minimum, and help protect sensitive data from any kind of attack.