Keys to Employee Cybersecurity
Cyber breaches knows no boundaries and doesn’t discriminate based on business size. For example, a study by the National Cyber Security Alliance shows that even though 66 percent of the small businesses surveyed relied on the Internet on a daily basis and 69 percent handled sensitive data, only 23 percent had a written policy and procedure Internet security guide for their employees. Only 37 percent provided Internet safety training to their employees, and only 50 percent had a cybersecurity plan to keep their business secure.
“We have to come from an understanding that humans are traditionally very bad at estimating risks when the risks are small. These events that seem to be one in 10,000, what does that mean? It’s hard for people to assess how big the risk is,” says Dr. Vincent Berk, CEO of FlowTraq. Albert Lewis, a cybersecurity expert and Executive Board Member of Federal Information Systems Security Educators’ Association agrees. “It’s important for us to recognize that most employees don’t care about the attacks, they just want to get their work done,” he says. Thankfully, you don’t have to be a cybersecurity expert to implement good practices and policies in your business and help your employees learn to be more cyber aware.
Patch Software Frequently
When an update for your network’s operating system or software shows up, don’t delay – patch it immediately. “An entire network can be exploited because of a failure to patch,” says Lewis. However, doing an update can cause serious down time and potentially cost money with systems being unavailable. Every organization needs to decide in their policies and procedures how and when they will handle patches in order to remain as functional as possible. “If you don’t take care of this, you’re going to get hacked. Frequent patching is the low hanging preventative fruit when it comes to cybersecurity,” Lewis says. “It’s absolutely step one.”
Emphasize Employee Training And Education
All the experts interviewed agreed that employee training and education is paramount in staying cyber secure. Because the threat environment is so complex, employees need to be aware of their own and their company’s vulnerability and how to recognize and avoid cyber threats, says Mark Bermingham, Director of Global B2B Product Marketing at Kaspersky Labs. “Training is an important part of ensuring that people understand how to approach their jobs in a cyber-aware fashion,” says Lewis. Training should be done annually at the very least, though if a company gets new users, they should be trained right away, he says.
Berk believes that a monthly or even weekly newsletter reinforces the importance of cybersecurity. “It should be short, informational and very simple,” he says. “We need to see things 20 times or more before we start to remember them.” Hosting speakers on security topics and having quarterly discussions within the company are other good ways to strengthen awareness, Lewis says. Repetition is important in making cybersecurity part of employees’ consciousness because otherwise they start to view it on the same plane as sexual harassment, as if it does not really apply to them, says Berk.
Getting employees to understand that cybersecurity is not just important at work, but that it affects them at home as well helps get and keep them engaged in staying cyber secure, says Lewis. “People don’t use computers just at work; they use them at home too. We’re on computers all day long,” he says. “I usually start by discussing their home experience. Are their systems backed up? Do they do their taxes on their computers? What vulnerable data do they have on their computers? They have a vested interest in protecting that. Once I get them thinking about that, I explain how the same principles apply at work.”
Have Policies And Procedures In Place
Companies should think about WHEN they get infiltrated, not IF, says Andrey Bozhogin, Senior Marketing Manager at Kaspersky Labs. Businesses need to have solid cybersecurity policies that mandate details like device control, a recovery plan, password size and length, and employee awareness and training. Prevention and reaction plans need to be in place in case of a breach. “Training will vary as far as your job function, but awareness applies to everyone there. There is a difference between the two. Awareness is a general approach to what’s going on, what the environment is like,” Lewis says. “Without a policy in place, it’s a safe bet that the training and awareness activities aren’t going to happen.”
Device control is also essential because 5- to 10-percent of laptops or mobile devices will be lost or stolen, says Bermingham. Making sure these devices are secure and encrypted, as well as doing things like assigning certain hours in which thumb drives can be inserted and ensuring that auto-run is turned off, should be part of every company’s policies and procedures.
Lead By Example
For executives and IT staff, it’s important to set a good example of corporate diligence for the rest of the company. Executives are going to be the most likely target at a company, so they need to understand this and act accordingly, says Bermingham. Mobility is currently the biggest threat factor, particularly for an executive, causing the security perimeter to widen and threats to become more precarious, he says. “If an event happens, (executives should) share it with everyone,” says Berk. “Show them why they need to be careful.”
Try Red Teaming
It’s labor intensive, but taking time to do some red teaming really works, says Berk. “Pick a few good guys and have them try to get people’s credentials and turn it into a game. It makes the employees more aware,” he says. He suggests tests such as having the red team call an employee in the Accounts Payable department, saying they’re from IT and asking for the person’s password, saying they are trying to fix that person’s computer to see if they’ll give the password up. Another idea is to have the red team craft a phishing scam email and send it around to see which employees click on it. The other benefit of red teaming is that companies can find the weakest link, says Berk.
Have Well-Defined Job Roles
“Whatever level you’re at, you’re a potential target for adversaries,” says Lewis. “The first thing we need to do is give employees awareness. Rather than instituting a general approach to cyber training, I think role-based training can be instituted and that can ensure that everyone is trained appropriately.” Lewis recommends that companies check out publication 800-61r2 at the National Institute of Standards and Technology (www.nist.gov) to see a role-based model for federal information technology and cybersecurity training. “It can help companies plan and orchestrate an approach or methodology for introducing cybersecurity training in job functions,” he says.
A needs assessment should be conducted first, says Lewis. “You want to determine what aspects of cybersecurity each job role touches,” he says. “Looking at the job roles, you might see that an IT person controls a lot of access, which shows a vulnerability that needs to be addressed.” Companies need to think of the different roles people have and target cybersecurity training according to that job function. “It doesn’t need to be a week-long training,” says Lewis. “They just need to understand what good practices are surrounding their roles.”
Too often the people who program the code or operate the IT systems see cybersecurity as a secondary concern, or even an afterthought, Lewis says. Organizations, too, often don’t spend any resources making sure that their IT staff is trained in cybersecurity, let alone their entire staff. “Having the right people in the right place with the right amount of training to combat those threats is essential,” says Lewis. “Otherwise you’re vulnerable.”
All employees don’t need access to everything in the system. “If you don’t have a need to know, or a need to be accessing a system, you should not be allowed to. Access should be limited in terms of what (employees) need to know,” Lewis says. Limiting access cuts down on the risk of breaches within the company. “If there are some fundamental things you need to know to drive a car, there are some fundamental things you need to know before you can join the corporate IT knowledge network that contains sensitive data. Before you can touch this data, we’ve got to make sure that you are aware of the security of it,” says Berk.
You also need data separation. For instance, the marketing department does not need to have access to the financial department’s data; the financial department does not need access to IT’s data, and so on, says Bozhogin. In the event of an attack or breach, data separation also helps ensure that the attacker only gets access to certain information, rather than all the data the company has.
Report Suspicious Activity
Setting up a quick and easy way for employees to report suspicious activity, such as having a help desk or other central number they can call or text, is a great way to encourage cybersecurity, says Lewis. “If everyone’s aware of what good and bad cyber hygiene looks like, procedures can be put in place for employees to report if they see something going on.”
Taking time to implement cybersecurity measures like these is essential to the welfare of any company and in today’s climate should be a priority. For more information on cybersecurity training, check out the National Initiative for Cybersecurity Careers and Studies at www.niccs.us-cert.gov.