Cy­ber­se­cu­rity starts with train­ing your em­ploy­ees

Kuwait Times - - TECHNOLOGY - By Mo­hammed Basheer, IT Se­cu­rity Prac­tice Head, ISYX Tech­nolo­gies

The Petya ran­somware at­tack that hit com­put­ers around the world re­cently, the sec­ond in two months, is yet another re­minder that com­put­ers play key roles in most en­ter­prises, and that it does not take much to dis­able those com­put­ers. Ir­re­spec­tive of how ro­bust your in­for­ma­tion se­cu­rity sys­tems are, users are still the weak­est link in your com­pany’s cy­ber­se­cu­rity.

It’s a busi­ness cliche that staff is a com­pany’s great­est as­set and po­ten­tially its great­est risk. And while that has al­ways been true in the area of cus­tomer re­la­tions, it’s now equally ap­pli­ca­ble to data se­cu­rity. Users are the first line of de­fense against cy­ber­at­tack, and also - po­ten­tially - a busi­ness’s most glar­ing vul­ner­a­bil­ity. Peo­ple are just a very large at­tack sur­face but or­ga­ni­za­tions can re­duce the at­tack sur­faces by im­ple­ment­ing an ef­fec­tive or­ga­ni­za­tion wide se­cu­rity aware­ness pro­gram.

Un­trained em­ploy­ees are the linch­pins for most data breaches. Those who at­tack busi­nesses have no wish to spend a lot of time and money de­feat­ing its tech­nol­ogy. In­stead they would pre­fer to in­fect the user with ran­somware, their fa­vorite bait - “spray & pray” phish­ing at­tacks, which in­volves spam­ming with email that car­ries ma­li­cious con­tent.

It has be­come in­creas­ingly im­por­tant to em­bed ICT se­cu­rity aware­ness at all lev­els of an or­ga­ni­za­tion. While aware­ness is the key, there also needs to be a bal­ance struck. Em­ploy­ees need to know the risk their on­line ac­tiv­i­ties pose and how to man­age it, with­out be­ing ren­dered un­pro­duc­tive by overly com­plex pro­ce­dures.

Computer se­cu­rity train­ing isn’t just a mat­ter of giv­ing em­ploy­ees in­for­ma­tion. Know­ing best prac­tices and or­ga­ni­za­tion pol­icy is im­por­tant, but it helps only if em­ploy­ees un­der­stand that they make a dif­fer­ence and should feel they are part of the or­ga­ni­za­tions in­for­ma­tion se­cu­rity. The truth is that user ig­no­rance to se­cu­rity make most mal­ware at­tacks pos­si­ble, and that em­ploy­ees who are aware can avoid most of the at­tacks.

In­for­ma­tion Se­cu­rity Aware­ness should be part of an or­ga­ni­za­tion cul­ture, busi­ness lead­ers need to make sure their aware­ness pro­grams cover all the im­por­tant as­pects of cy­ber­se­cu­rity which en­sure that their em­ploy­ees are well trained to tackle the cur­rent se­cu­rity threats. At the end of an ed­u­ca­tion and aware­ness ini­tia­tive, all users should be able to un­der­stand:

How to iden­tify se­cu­rity threats?

The user should be able to iden­tify the dif­fer­ence be­tween nor­mal emails and ma­li­cious email. They should un­der­stand best prac­tice in in­ter­net us­age and un­der­stand the or­ga­ni­za­tions se­cu­rity poli­cies.

Re­sponse to the se­cu­rity in­ci­dents

The user must be aware of the se­cu­rity in­ci­dent re­sponse pro­ce­dure. Should they sus­pect a se­cu­rity in­ci­dent in progress, they should be able to follow the se­cu­rity in­ci­dent man­age­ment pro­ce­dure to cur­tail the in­ci­dent from spread­ing across the or­ga­ni­za­tion. As they say peo­ple are the weak­est link in the in­for­ma­tion se­cu­rity chain, hence em­ployee in­volve­ment is cru­cial for the suc­cess of an or­ga­ni­za­tion’s se­cu­rity strat­egy.

There is of­ten a dis­con­nect be­tween what em­ploy­ees know they should do se­cu­rity-wise and what they ac­tu­ally do in prac­tice. Or­ga­ni­za­tions which con­tinue to im­ple­ment and re­in­force ef­fec­tive aware­ness pro­grams, have seen re­duced num­ber of se­cu­rity in­ci­dents, in turn main­tain­ing bet­ter up­ti­mes for the IT en­vi­ron­ment sup­port­ing the busi­ness pro­cesses, help­ing the or­ga­ni­za­tions to up­keep their rep­u­ta­tion re­sult­ing in bet­ter fi­nan­cial re­wards.

Mo­hammed Basheer

Newspapers in English

Newspapers from Kuwait

© PressReader. All rights reserved.