Improving Cybersecurity through Staff Awareness
Information security can be tricky. Spending millions on improving security posture is not enough to prevent every potential disaster. In fact, organizations hit by security attacks are not always the ones with loose security. Other reasons an organization is attacked include bad fortune on a particular day, a newer form of attack, an outdated control, and so on. However, an enterprise's greatest vulnerability is often the poor security awareness of its employees.
Employees and staff must be made aware of the security environment around them. Awareness is not financially expensive, especially when compared with installing the latest security controls around the enterprise premises. On the other hand, awareness is very challenging in terms of planning, time management and implementation to ensure employees are well aware of cybersecurity and prepared to take on new, daily challenges.
Introduce employees to general security awareness
Creating enterprise security awareness among employees begins with highlighting the need for individuals to secure their own interests. People will be most interested in first hearing how they can secure their own devices, before they will show any interest in making enterprise resources secure. Moreover, an employee who is personally security conscious is more likely to understand the security needs of the enterprise and to positively engage with and follow enterprise standard operating procedures.
Develop regular cybersecurity procedures
Cybersecurity is not a one-time show or something to be displayed on audit days. Rather, cybersecurity precautions must be adopted as daily routine. Properly implementing cybersecurity, with a precautionary attitude as second nature, should result in a lifestyle change for employees.
Management and the security department should engage directly with employees to convey peace of mind. Eye-catching posters displaying security tips should be displayed in key places, and the content should be changed on a regular basis. Management should encourage employees to take necessary security measures by providing them with incentives in the form of small prizes.
Conduct routine checks
In addition to routine audits, top management should routinely check on employees regarding daily cybersecurity matters. Specific days of the week may be earmarked for specific checks like clear desk policy, shredding of disused documents, custody of USB drives, etc. Alternatively, surprise checks on specific enterprise security aspects may sometimes be conducted.
Periodic company newsletters should always include some cybersecurity content, even if the content does not pertain directly to the specific enterprise. For example, a short article on securing your mobile phone to better protect your private data would be enough to help build a cybersecurity mindset among employees. Remember, people who are security conscious in their personal lives are likely to also be conscious of enterprise security matters.
Organize formal training sessions
Employees and management must receive formal cybersecurity training. Training frequency depends on the budget and the relevant need. While training may seem burdensome, it ensures a security-conscious mindset for all employees and gives every department practice in following cybersecurity procedures. Important areas where employees, including managerial staff, must be trained include:
- Safeguarding against social engineering attacks
- Authentication and password management
- Use and custody of removable media
- Social media and web security
- Mobile device security in the workplace
Another important aspect of cybersecurity is an enterprise’s response to untoward security events. Precautionary measures only reduce the likelihood of incidents; they cannot assure that such events will never happen. Reaction speed and ability are critical to curtailing the damage and reducing losses.
All employees must be aware of incident reporting, management and handling procedures. While security breaches or attacks may ultimately have to be dealt with by security experts, even junior staff may be targets or observers of such attacks or incidents and, therefore, may need to act as the organization's first line of defense.
Cybersecurity cannot be left to the security department alone. Each employee is part of the enterprise’s defense against security threats. If employees are well aware of the security threats and risks, they are likely to be more cautious about their routine procedures. On the other hand, unaware employees will present a soft target to attackers.
About the Author
Abdul B. Subhani is the founder and President/CEO of Centex Technologies, an IT consulting company with offices in Central Texas, Dallas, and Atlanta. He is also an adjunct faculty member of the Texas A&M University - Central Texas computer information systems department. Abdul is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, member of FBI Infragard and the recipient of multiple other advanced IT credentials. Abdul has been a frequent keynote speaker, moderator, and panelist at leading international technology conferences, and he has given speeches to thousands of students at colleges and universities.