Technology is not the only defence element
Organisations need to place as much emphasis on the human factor to make it work
In order to determine the best way to thwart cyber-attacks, it is important to understand how the perpetrators of such crimes operate. One fact remains, which is that criminals prefer to choose the path of least resistance.
Hackers know all too well that they are able to gain valuable information through social engineering and other unsophisticated methods with at least as much effectiveness as if they were to create complex viruses and software instead. An organisation can build itself up to be the Fort Knox of cybersecurity.
However, that effort can be futile if there isn’t competent manpower backing the system in place.
Instilling a culture of cybersecurity from the ground up is the first step to increasing employees’ understanding of security issues and how their actions directly influence the level of risk to businesses.
Policies must be communicated clearly to staff members, so they understand that there is much at stake when they are handling sensitive, corporate data. Taking measures such as incorporating strong passwords and authentication methods, patching software vulnerabilities, and avoiding phishing attacks are a few of the activities that employees should be trained to find second nature.
Only by getting the basics right will they be on the right path to protecting assets and preventing theft of intellectual property, ransomware attacks and so forth.
How does an organisation lay down the foundation for best practices when it comes to cybersecurity? The first place to start would be developing a culture based on trust, and not surveillance. Employees must be informed that security is a holistic effort across their organisation, not just managed by select individuals sitting in IT departments. To ensure employees feel that they are trusted, organisations should reduce practices such as camera and email monitoring when a security breach has occurred.
Change in perspective
Instead, accept what has happened and treat it as an opportunity to improve best practices and adoption of them. Keep things informal and make it acceptable for employees to engage with colleagues directly when they see poor cyber behaviour rather than encouraging them to inform on one another.
Second would be to change their perspective on security entirely. Have employees view it not as something restrictive but as a benefit that allows the organisation to deliver its promise to customers. Produce a compelling training narrative that resonates with employees, so they take pride in following best practices. It should demonstrate that by protecting assets effectively your company proves itself worthy of the trust bestowed upon it by customers to handle data appropriately. Examine ways in which you can involve all parties, including those often overlooked such as admin and back-office staff, to promote a comprehensive view of the “correct thing to do”.
Educating employees is key to having a workforce that is switched on and ready to face the various threats of today. Doing so is fairly simple and often requires repeating digestible refresher courses to personnel once or twice a year.
This includes:
Keeping things clean:
Straightforward and consistent guidelines should be in place for what employees can install and use on their work computers.
If it looks suspect, it is:
Employees should be trained to detect malicious links and attachments in email, online ads or other messages — even if the source looks trustworthy. They must know how to properly operate their spam filters, and also exercise good judgement, nipping threats in the bud.
An ounce of prevention equals a pound of cure:
Assume that your staff are working within a hostile IT environment. Be proactive and vigilant about hardening your infrastructure.
Knowing which assets you have and how they are vulnerable at any given moment can reap exponential rewards by actively identifying flaws in your system before hackers can exploit them.
Set priorities straight:
Not all threats are created equal; some pose an immediate risk and must be remediated at once.
Backing up their work:
Whether their computers are set to back up automatically, or they do it on their own, staff must know and accept their role in protecting the work they produce.
Communication:
Employees must remain vigilant and inform the necessary party immediately in case they notice dodgy happenings on their work devices.
It is true that in the security industry, there is no such thing as an infallible strategy.
However, through a combination of people management, robust software solutions and awareness, businesses can maintain a consistent pro-security tone, and form an all-encompassing cyber security culture that everyone takes pride in and has a role to play.
The writer is Managing Director — Middle East at Qualys,