March 27, 2014
Over the last decade, cyber security has become a national and global concern. With all the positive aspects of access to information technology come the inevitable ways to exploit that technology.
It is very difficult to mitigate security breaches, and more specifically, the threat from insiders.
“Technology and policy considerations can often dominate discussions of cybersecurity, overlooking the fundamental human element of the issue” (Microsoft, “Developing a National Strategy for Cybersecurity” white paper).
This blog post highlights the ways that everyone in your organisation can play their part in protecting your business from external and insider threats.
1. Education, education, education
You cannot rely on technology alone to protect against cyber threats; your organisation has to combine its people, processes and technology to reduce the likelihood of a potential breach and the impact of any actual breach, should it occur.
There are many obstacles to effective employee education – you have a diverse workforce that joined the organisation at different times and came with different skill sets and levels of technology understanding. This diversity makes it hard to ensure that everyone has the same level of cyber security awareness. Competing budget priorities only add to the challenge. To help prepare your workforce, we offer some advice on how best to educate them on cyber security:
2. Robust Information Security Policy
Produce user security policies covering acceptable & secure use of the organisation’s systems. Security policies should be clear, concise, and accessible to everyone and understood by all in your organisation.
A robust Information Security (InfoSec) policy and regular, mandatory training for all staff on information security is imperative.
Provide specialist training for specialist roles, for example the incident management team need to be trained on how to produce & test incident management plans.
There must be a strong password policy in place so employees have to use strong passwords, change them regularly and not share them with anyone.
There is a balance to be found between a policy that results in passwords being easy to crack and an overly complex policy that causes people to forget their passwords, or to choose passwords that all follow the same predictable pattern. ZoneFox’s CTO has written an article about what happens when a strong password policy becomes an organisation’s Achilles heel.
If you want passwords that are difficult to crack, don’t ask your users to remember them all – consider using a password safe which provides consistently complex passwords across your online estate.
Clear, documented policies are indispensable; however, users often read them in their first week and never look at them again.
Dumping information on people all at once is not an effective way to ensure that they remember it. Instead, train people regularly in short bursts of ongoing training which should be closely related to their specific role to avoid them feeling disconnected, unmotivated and uninterested in learning about cyber security. Can you remember your most boring lesson at school? How much of the content do you remember now? That is how most people feel about your cyber security training!
Remind them regularly – some security applications can regularly prompt users with one or two questions about your security policy so that they are constantly reminded of the key messages. This ‘little and often’ approach ensures that the lesson isn’t just a ‘once a year thing’ that can be forgotten the next day.
Is your current education working? Ask yourself this question: “Are you certain that every employee knows that they are not meant to put sensitive information on a USB key?” Do you have any security solutions that can tell you if people are putting sensitive information on USB keys?
In addition to the above, encouraging employees to check online safety sites such as CyberStreet can help cyber security awareness.
Protecting against insider threats is a company-wide issue that requires real action. You have to have support from the very top of the organisation and across all departments.
Cyber Security won’t work if the Board are too busy and the Sales Department (or anyone else) finds it too much of a hassle. Everyone has to understand that business success includes making sure that key data isn’t lost and the company isn’t the subject of a cyber-attack.
As we have previously highlighted in the article ‘Let’s Get Real about the Reality of Cyber Crime – A Call to Action for UK Company Directors’, cyber security is not solely an IT issue but this is a fact which UK businesses have been slow to recognise.
Continual feedback is very important. Maintaining an open dialogue with all employees about online safety and security will allow the principles of your security policy to be more easily understood by all employees, whether they have been with the organisation for years or are new to the workforce.
The trick is to make people care about cyber security by creating a sense of ownership. The challenge is to create a culture of confidentiality where all employees feel it’s their responsibility to protect sensitive information. There are many forms of insider threats which can be safeguarded by implementing a solid culture of confidentiality.
As the Edward Snowden scandal highlighted, if a disgruntled worker is determined to unearth critical information, it is not that hard to do so. Snowden was an IT contractor, but he gained access to files he should not have, by simply asking his colleagues to share their passwords.
If you are looking for more advice on cyber security issues, read the best practice guidance from the government, “The 10 Steps to Cyber Security”.