When many business leaders consider the security of their operation, the first things that come to mind are locks on the doors, proper outdoor lighting, and perhaps a security guard on-site, then they begin to look inward and consider their cybersecurity. Toward that end, they invest in the latest and greatest firewalls, antivirus, anti-malware, firmware, and other software fixes while overlooking the most important aspect of their security integrity: their employees. Why are employees your greatest cybersecurity threat and what are you to do about it?
The very nature of human beings with their curiosity and need for stimulation, information and novelty make them the prime target for hackers who want to infiltrate your business network and its data. Therefore, full buy-in of the company security endeavors will require an alliance between IT, which should understand your operating needs and HR, which should comprehend the foibles and psychology of human beings that can make them gateways to cyberattacks. It is simply not good enough that your employees remember to update passwords regularly; they need to understand how a hacked company system affects them directly. To this end, your IT team should work with HR to develop training which garners staff support for the security processes that need to be implemented.
Here are a few of the issues this composite team needs to address:
Impact on the Company of Down Time and Security Breaches – Explain in the clearest terms how downtime in the company network affects everyone. Use examples such as Ransomware or Spear Phishing attacks or other situations in which your business could lose data or computer access – thus affecting the ability of your company to remain in operation and therefore to employ people!
Lack of Awareness – Simple though it may sound, regular training and reiteration of concepts like having strong passwords, proper storage of customer information, use of locking drawers or file cabinets, how the company uses multi-factor authentication and data access principles should be ongoing practices. In addition, all personnel should know how to properly dispose of drives, reports, etc. when they are no longer needed or pertinent. Last here is the need to inform employees of the importance of system/software updates for both company equipment and approved BYOD mobile phones and other devices, as well.
Hazards of Using Unsecured Networks – This is particularly problematic with BYOD environments including commuting vehicles (e.g., the train and subway), cafés, etc. which are typically unsecured networks. Your employees need to be aware that all online activity conducted on such networks can be visible, putting devices and sensitive company information in peril. To minimize this risk, explain the difference between using HTTP and HTTPS prefixed sites – the later carries encryption protocols – on any device (laptop, smartphone, etc.) used for work related activities and help them to understand which work is best left to be performed in the office on company secured devices. Another off-site peril comes from Juice jacking (stealing data by monitoring public charging stations) in which a hacked wireless charging port can allow cybercriminals to record what is being written or watched on a device as well as download programs to said device. Personnel who frequently work outside the office should be trained to understand the risks of using public access networks and a few means of minimizing same, such as plugging into an electrical outlet or using their own powerbank, having different passwords for each app and device they use, and waiting to perform personal interactions until at home and only installing apps from official marketplaces. Best, have them use a VPN (Virtual Private Network) set up by your IT team that provides for encryption of data moving between them and any end user whether they are at home, traveling or otherwise working outside the office.
IoT (Internet of Things): a Door to System Access – With the growing complexity of the business operating environment you may find you have manufacturing equipment as well as simple office equipment such as printers connected wirelessly to your server. These additional pathways offer opportunities for an employee to involuntarily undermine your security by tapping into equipment not meant to be part of their peripherals. In order to minimize this risk, have your IT team set up not only different passwords for this equipment but different router levels, as well, which prevents certain devices from ever ‘seeing’ other devices they shouldn’t. Turning off equipment when not in use will help to mitigate cross system access as well. These steps can also help prevent an unintended internally produced Denial of Service (DoS) attack or Distributed Denial of Service Attack (DDoS) in which equipment or websites crash from an overload of demand.
Don’t forget, your IT team consists of all your employees. To this end, think about the cybersecurity culture you want to create. For instance, have your IT team start broadly sharing new concepts learned trade events , which can keep lines of communication open between departments and can help your staff understand new threats and preventive actions they can take before your business is targeted.
In addition, savvy IT members don’t put all their eggs in one basket; they may like vendor X who provides software X and has worked with them for years but they stay aware for news of failures of this protective service and are willing to jump ship to vendor Y if that is in the best interest of your company. Better, working with an outside company, in addition to your in-house staff, who is not a single service provider and whose sole interest is in being knowledgeable about multiple software security tools, techniques and processes and is willing to embrace your company’s unique business protection requirements can be a valuable asset.
Finally, keep in mind that a disgruntled employee with any system access can pose a threat to your business (e.g., copying trademarked or other business sensitive information for purposes of corporate espionage) and containing them is the territory of HR. However, a coordinated effort between your employees and IT, with the help of training developed actively with HR, will strengthen the personnel link in your cybersecurity chain, in addition to bringing added value to your employee morale due to your consideration of their need to understand, so that they are able to actively participate in protecting your company and their jobs.
Be safe out there!Read more