Cyber security advice for protecting systems, data and IT infrastructure generally boils down to a few key fundamentals: robust security policies; raising awareness amongst users about cyber security threats; regular training so that users and employees can spot threats and act appropriately; and the right cyber security and data protection tools and solutions in place to protect, prevent and detect breaches and attacks.
Sounds good? Anyone who’s worked in cyber security, or had some involvement in protecting their organisation’s IT, knows that it’s more complicated than that. But often the focus is on finding the right cyber security solutions, and less thought is given to users.
Your users are often your biggest cyber security threat
It’s sometimes presumed that with policies, awareness and training everyone will do their bit. But that’s assuming that humans work like the cyber security technology you’ve implemented, systematically identifying threats and taking appropriate action. Humans don’t work like that.
Telling users not to click on suspicious links or open attachments doesn’t mean they’ll follow your advice. Firstly, they might never have opened that email you sent outlining the threats that they need to be aware of. Secondly, if you warned them about suspicious links and attachments 6 months ago they may have forgotten by now or thought other threats have superseded that type of attack.
Awareness and training initiatives have to be ongoing. Cyber security engagement levels need to be kept high, and information and advice delivered in a way that promotes compliance. If until now you’ve relied on email to communicate these crucial messages, perhaps it’s time to shake it up a little and find alternative ways of getting the message across. Look at e-learning, video, quizzes and other digital tools, and keep regularly topping up users’ awareness so they don’t forget or ignore your communications.
Cyber security policies are only as good as the technology safety net you have in place
Policies are great at establishing what users can and cannot do, but they only have real clout when you want to expel a malicious insider by demonstrating non-compliance. These incidents are generally few and far between; most breaches of your cyber security policies will be down to human error.
While you can make an example of the poor user who clicked that suspicious link, and that may serve as a warning to others, it doesn’t prevent the breach or attack from taking place. Therefore you need a safety net: technology that enforces these policies, such as complex passwords, encryption of storage devices, and monitoring of data access with alerting on security violations. Build this into your systems so users have to comply.
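The two enforcement points the paragraph names, a password complexity rule that the system checks rather than the user, and monitoring of data access that raises an alert on violations, can be illustrated in code. The following is an added example and not code from the article or its author; the policy values (12 characters, four character classes), the 08:00 to 18:00 working window, the three-denial threshold and the log lines are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Hypothetical password policy: the article only says "complex passwords",
# so these concrete rules are an assumption for the example.
PASSWORD_POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
}


def password_violations(password, policy=PASSWORD_POLICY):
    """Return the list of policy rules the password breaks (empty list means compliant).

    Enforcing this at account creation / reset time is the 'safety net':
    the user cannot choose a non-compliant password no matter what the
    written policy says.
    """
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy["require_symbol"] and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


# Constructed access log (not from the article): timestamp, user, resource, outcome.
SAMPLE_ACCESS_LOG = """\
2024-03-04T09:12:03Z alice /finance/payroll.xlsx ALLOWED
2024-03-04T09:13:10Z bob /finance/payroll.xlsx DENIED
2024-03-04T09:13:12Z bob /finance/payroll.xlsx DENIED
2024-03-04T09:13:15Z bob /finance/payroll.xlsx DENIED
2024-03-04T23:41:07Z alice /hr/salaries.csv ALLOWED
2024-03-04T10:02:44Z carol /public/newsletter.pdf ALLOWED
"""


def parse_access_log(text):
    """Yield (datetime, user, resource, outcome) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, resource, outcome


def access_alerts(text, sensitive_prefixes=("/finance/", "/hr/"),
                  denied_threshold=3, work_hours=(8, 18)):
    """Scan an access log and return sorted (user, alert_kind, resource) tuples.

    Two violation types are detected:
      - denied_burst: a user was refused access to a sensitive resource
        at least `denied_threshold` times;
      - out_of_hours: a user successfully accessed a sensitive resource
        outside the assumed working window.
    """
    denied = Counter()
    alerts = set()
    start_hour, end_hour = work_hours
    for when, user, resource, outcome in parse_access_log(text):
        if not resource.startswith(sensitive_prefixes):
            continue  # only sensitive data is monitored here
        if outcome == "DENIED":
            denied[(user, resource)] += 1
        elif outcome == "ALLOWED" and not (start_hour <= when.hour < end_hour):
            alerts.add((user, "out_of_hours", resource))
    for (user, resource), count in denied.items():
        if count >= denied_threshold:
            alerts.add((user, "denied_burst", resource))
    return sorted(alerts)


if __name__ == "__main__":
    print(password_violations("password"))
    print(password_violations("Correct-Horse-7"))
    for alert in access_alerts(SAMPLE_ACCESS_LOG):
        print(alert)
```

On the constructed log the scan flags bob's three refused attempts on the payroll file and alice's late-evening read of the salaries file, while carol's access to a public document is ignored. In a real deployment the alert list would feed a ticketing or SIEM system rather than being printed.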
Security testing is an effective way of getting your message across
Any change to your IT requires thorough testing to ensure you don’t get unexpected results or leave systems and data vulnerable to attack. You should also test your cyber security policies, training and awareness initiatives to ensure they’re working and not delivering unexpected results.
Phishing-testing your users may seem like a ploy to trip people up, but the results will speak for themselves. Appoint a ‘social engineer’ to ask users for confidential information such as login details or sensitive data, to test how vulnerable employees are to social engineering attacks. Check desk security to see whether employees are keeping confidential information and systems safe. A post-it note with an account number on a computer monitor, unattended computers without password protection, unlocked filing cabinets or document storage boxes: all of these could present malicious insiders with an opportunity.
It’s not just malicious insiders either. Social media has increasingly become a problem for organisations as employees inadvertently share sensitive information in the form of selfies, videos and team photos. That post-it note on someone’s computer could end up online in the public domain, potentially breaching compliance requirements, increasing security risks, and damaging reputations.
In this environment, who would want to work in cyber security? Fortunately, there are people and cyber security providers who do, and can help you access the right tools and processes to protect your business.
However, CIOs and business leaders need to play their part by ensuring that all users in their organisation have the support and information they need to protect the business too.