Employees are of course your company’s most valuable asset: they grow revenue, build relationships with clients, and make the business function. They also have an invaluable role to play in the firm’s security perimeter.
Cybercriminals, however, are more likely to view your employees as the path of least resistance into an organisation. Indeed, two of the top causes of security breaches are careless or uninformed employee actions and phishing or other social engineering. Cybercriminals know that, and they use it to their advantage.
With a robust security education programme in place, your company can protect its most sensitive information by ensuring cybercriminals cannot break through your employee firewall.
With many customers and prospects asking about cybersecurity best practices for their workplaces, here is a summary of some of the main questions and answers.
What is cybersecurity?
Cybersecurity has many definitions, and the term is broad-ranging. For this discussion, cybersecurity is the practice of defending systems and data from malicious attacks, including physical security and awareness training.
What type of cybersecurity awareness programme would be best for our business?
Cybersecurity awareness programmes are not one-size-fits-all. Every organisation will have different needs depending on their business strategic goals, objectives, risk analysis, and even risk appetite. So, it’s useful to ask how cybersecurity helps the primary business of the organisation, and if it meets your particular requirements.
From a cybersecurity perspective, what should companies think about when securing their workplace?
Organisations often overlook three areas when thinking about cybersecurity:
- The role of IoT: The well-being of employees should be at the forefront of every organisation’s plans for cybersecurity. This may not seem intuitive, or very “cyber”, to most. But the increasing prevalence of Internet of Things (IoT) devices has blurred the line between physical security and cybersecurity. Take wireless security cameras managed through a web interface, or a smart lock opened by an employee’s smartphone: when do things stop being physical and start being cyber? Many companies have traditional physical security and environmental controls in place, but the teams that run them are disconnected from the people who actually fix the problem. In an IoT age, cybersecurity and IT teams are responsible for remediation efforts. In the workplace, these systems often share the same network resources as the rest of the business. Connecting IoT devices to the main network is risky because it gives a potential attacker an entry point to corporate network resources. Vulnerable systems can also be used to reach poorly secured industrial control systems (ICS). For organisations that run critical infrastructure or manufacturing on ICS, an in-depth review of all systems involved should be performed, and these networks should be included in any cybersecurity efforts going forward.
- Situational awareness of assets and data: Most cybersecurity frameworks rest on knowing what assets (including data) an organisation has: the systems and applications that process the data, who has access, and where it resides. A cybersecurity risk assessment based on known assets allows a more thorough determination of viable threats, which enables an organisation to focus its cybersecurity resources where they matter most.
- Cybersecurity awareness and training: Awareness extends beyond discovering and cataloguing assets. It should be a continual effort to educate employees on policies, current threats, and how to deal with those threats. Special focus should be paid to social engineering, which is still the most common and successful attack vector. Organisations should offer training geared toward specific roles, not just generic awareness training. Make the training personal and fun: tell stories and play educational games that reinforce awareness concepts. An awareness programme should be anything but a test. A good cyber programme features a mixture of in-person or instructor-led sessions, online self-paced modules, scenario-based exercises, and surveys. Always gather metrics to show successes and weaknesses in security awareness programmes.
Our IT team is well informed about cybersecurity. Why should they undergo more training?
Regular education on cybersecurity hygiene should be common practice across the organisation. Employees are often referred to as the “weakest link,” but in actuality, they are the most common attack vector and should be treated like any other attack vector in the organisation.
We have run a few training programmes already, but none seem to be effective. What should we be doing?
It’s no secret that traditional training programmes typically fail to achieve the desired behavioural changes or motivation. To build an effective educational programme, there has to be an understanding of what lies behind any learning and teaching process. For a successful cybersecurity awareness programme, the key is to create a culture of cybersecurity, one that motivates employees to continue secure practices in their daily lives beyond the perimeter of the office. After all, the goal of awareness training is not only to deliver knowledge but to change habits and form new behaviour patterns.
The Kaspersky Security Awareness products are a good place to start, or to fill gaps in an existing programme. The computer-based training products draw on modern learning techniques: gamification, learning-by-doing, and repeated reinforcement help to build strong skills retention and prevent those skills from being forgotten, and emulating the employee’s workplace and behaviour draws users’ attention to their practical interests. These motivating factors guarantee that the skills will be applied.
How often should employees be reporting suspicious activity?
Cybersecurity teams would rather have employees report a false positive than wait until something “suspicious” manifests into a large threat. But before employees can report suspicious activity, they need to be able to identify what is considered suspicious.
A robust cybersecurity awareness training programme and its reinforcement materials should define suspicious incidents through examples, and how and when to make a report. Employees should then be encouraged to report any activity that may seem suspicious. Different procedures exist for incident reporting. Some organisations use the IT service desk, others have an email that generates a ticket for the security teams, and some may require employees to report the incident to their managers.
Once employees are knowledgeable in identifying and reporting suspicious activity, the next step is to establish incident response policies. Incident response policies should outline procedures and employee responsibility when dealing with an incident.
The message to emphasise is that it’s easier to nip something in the bud even if you’re not sure if it’s a cyber threat than to manage a crisis in full bloom.
How does BYOD impact cybersecurity policies?
Bring your own device (BYOD) has become an increasingly popular approach in UK business. Employees get to enjoy the flexibility of choosing when to work and what device to work on, and employers benefit from reduced support costs for IT assets.
However, a poorly managed BYOD policy can put company data at great risk. Allowing employees to use their own devices for work means their devices are “out of view” of traditional security controls.
And while not all businesses need end-to-end BYOD policies, it is crucial that they establish safety policies and procedures. For example, they need to segregate work and play: company data should be processed only by applications that are vetted and secured by the organisation. This may seem challenging when users are on their own devices. Thankfully, mobile device management (MDM) tools exist. An MDM can segregate and secure company data, vet and approve applications, and track devices and remotely wipe them of all company-related information.
Where can I find more resources for continued education on cybersecurity?
Jokinen: Kaspersky Lab offers various resources for maintaining ongoing awareness of threats and incidents in the world of cybersecurity. You can read about some of these, or contact Complete IT Systems using the details below to discuss your requirements and for more advice about the solutions on offer.
- Threatpost is a leading source of information for news about IT, business security, and cybersecurity analysis.
- Securelist provides news, reports, and fascinating research in the cybersecurity industry.
- The Kaspersky Lab threats site is constantly updated with the ever-changing landscape of threats and vulnerabilities in cybersecurity.
- The Cyberthreat real-time map is an interactive tool that visualizes real-time cyberthreats around the world.
- And, of course, Kaspersky Daily, our main blog, has posts relevant for businesses and consumers.
Want to find out more?
As Kaspersky Platinum Partners, Complete IT Systems can offer you expert advice on the solutions and how they could be effectively deployed in your business.
To find out more please call us on 01274 396 213 or use our contact form and we’ll arrange a good time to call you back.