Many organizations place the responsibility of cyber security on the shoulders of their IT departments, but effective security must be a company-wide endeavor. Every security policy in the world can’t help if everyone is not actively doing their part. Leadership and all members of the executive management team need to be 100% committed to security. That commitment must radiate throughout every level of every department within the organization.
All too often, organizations place security as a lower priority when compared to other projects or goals. Implementing proper security controls can be costly, time consuming, resource intensive, and involved. So it’s not uncommon for organizations to take the stance, “Well, we haven’t had any issues up until this point, so it can wait a little longer.” The major issue with this thought process, however, is the employee—the human element.
According to the NIST guidebook: “The largest ‘attack surface’ of the organization is you and me—the people who perform common functions: Leadership, Planning, and Governance; Sales, Marketing, and Communications; Facilities, Physical Systems, and Operations; Finance and Administration; Human Resources; Legal and Compliance; and routine Information Technology operations.” This is especially true of online cyber security, specifically Web and email use.
Many organizations now allow their employees some leniency when it comes to using corporate property to access the Internet for personal use. Accessing social media, personal email accounts, personal device use, and even online shopping sites from within the corporate environment are becoming more and more popular. In addition, in this digital world we now live in, companies are leveraging social media more and more for advertising, brand building, and information sharing. As a result, employees are on social media more frequently. This opens up a whole new avenue for attackers to attempt to infiltrate an organization by use of various social engineering tactics, which have unfortunately been proven to be quite successful.
Phishing, baiting, and ransomware tactics are a few of the more commonly used attack vectors. Whether you’re on social media for work, personal research, or simply surfing the Web, always think before you click. Do your research ahead of time and remember to visit HTTPS sites through a secure search engine, not via email or social media links. Ask yourself “Who is sending me this email, and why?” “Would my friend or colleague actually send me something like this? Maybe I should call them first and verify.”
Attackers will commonly compromise the email account of an individual and then use that account’s address book to send additional phishing or ransomware content to the individual’s known contacts. This “waterfall” effect can saturate a much larger target surface far more quickly, because the messages arrive from a trusted sender. After all, it only takes one individual to act on the message for the spread to continue. When in doubt, always ask a member of your organization’s IT or security department about anything potentially suspicious.
The best way any organization can minimize its risk is by adopting a cyber security culture and mindset. Support needs to start at the executive level and filter throughout the organization. Your organization’s leaders set the tone. Nothing affects awareness more than leadership. Leadership, by example and emphasis, becomes the basis of a cyber-secure culture. In practice, this means each leader should visibly embrace cyber security education, awareness, and best practices, and should expect the same of their employees.
Once leaders are involved in fostering and participating in a cyber-secure culture, the next step is to implement employee awareness training. Educating the employee on the proper “do’s and don’ts” of cyber security is paramount to minimizing risk and maintaining day-to-day continuity of operations. By training and informing your employees about known threats, proper process, and procedures, an organization can greatly reduce their overall risk.
Every organization should have a security awareness program, and at a minimum that program should contain the following:
- Formal classes on how to keep your environment secure, including password, email, and Web use guidelines
- Information on corporate policies, procedures, and where to find them
- Education about recognizing suspicious links, emails, and activity
- Information about the high threat posed by pirated or illegal downloads
- What to do if you receive a suspicious email
- What to do if you lose your corporate or personal device containing corporate information
- Contacts in case an incident occurs or if clarification is needed
At a minimum, covering these aspects of security in a formal setting will help protect your business and ensure that every person within the organization is doing their part when it comes to cyber security.
However, remember that due diligence goes beyond the workplace. Practicing this mindset at home, in personal settings, and even in public environments goes a long way toward keeping your information secure. Many individuals believe that they are not targets at home, on vacation, or while traveling. While you may not be an attacker’s intended target, many attackers are trained to exploit any target of opportunity, personal or otherwise. After all, a little personal information goes a long way for a cyber criminal.