Several years ago, a software company started requiring cyber awareness training for all of its employees.
The training focused on identifying social engineering attempts, avoiding phishing emails and reporting suspicious behaviour around the office premises, and even included specific instruction on the secure and proper use of USB sticks. Two weeks after the training, the security operations team placed USB sticks in random places inside and outside the office.
Despite the training and without thinking twice, many of these employees grabbed a “free” USB stick and plugged it into their computers. Cyber pawns: caught! They were quickly identified for additional cyber training. Was this embarrassing for IT professionals? Absolutely. But it was a necessary move for their employer.
Cyber training has quickly risen to the top of the list for chief information security officers because employees are often regarded as the first line of defence in many companies.
So, just how much responsibility should the average employee have for being a pawn on the chessboard of cyber defence?
Most organisations do not solely rely on their employees for security. A smart organisation will know many layers of security are needed to ensure criminals cannot get into the organisation. Locking all the ports or doors and then creating additional safety net layers is the type of security many companies are implementing today.
But employees bear the same responsibility for being cyber-aware as they do for complying with bribery laws, for example. Cyber training has become mandatory, and while employees bear the burden of spotting cyber traps, companies have the burden of implementing layers upon layers of defence and continuing to invest time, energy and resources into training their employees.
Employee awareness and education
Employees have an increasing responsibility to be aware, reduce risk and properly report potential incidents as quickly as possible. Those involved with sensitive, critical and valuable information – especially in highly regulated sectors – bear even more responsibility.
According to industry trade association CompTIA, 58% of 350 companies surveyed offer security training during new employee orientation. Many companies offer ongoing training, exercises and tests like the ones described above. While security training used to be a key focus for IT employees, now mainline employees across many functional areas are undergoing at least some form of security training.
So what do employees need to know? Well, there is plenty, but here are a few top tips.
Multi-factor authentication and network access control for corporate laptops
Employees can potentially bypass these access controls by using their own mobile devices. They should avoid doing this as much as possible, and understand the risks they are introducing into the corporate environment.
Cloud-based productivity tools
One example many organisations are dealing with is the use of cloud-based productivity tools. Employees may often use such tools for an urgent project need, but in doing so they again introduce risk into the corporate environment.
If you see something, say something
It is the familiar New York physical security campaign [and UK National Rail campaign: See it. Say it. Sorted], but it also applies to cyber security. Employees need an easy way to escalate potential issues to the appropriate IT or security team. There should be a “hotline” or easily identifiable notification button in email distinct from a normal IT trouble ticket system.
Brown bag it
As a company, offer informative lunch-and-learn sessions to ensure employees have the ability to ask questions face-to-face. Many companies also gamify their security training and offer frequent training updates with role play-type simulations and scenarios. Sometimes, a little friendly competition can also work in getting people to pay attention to cyber training.
Many companies are choosing to participate in cyber readiness exercises. These exercises should be expanded beyond just risk, security and IT teams to include customer and client-facing groups that may handle critical calls during potentially publicised incidents and, of course, your public relations teams. The more cross-functional employees are involved in realistic simulations, the more cyber readiness will percolate throughout the organisation.
So, will your employees be cyber pawns or will they evolve into cyber heroes helping to protect your organisation and its critical assets?
It is possible to train cyber heroes, but don’t forget to lead the way and create those safety nets.