In order to determine the best way to thwart cyber-attacks, it is important to understand how the perpetrators of such crimes operate. One fact remains constant: criminals prefer the path of least resistance.
Hackers know all too well that social engineering and other unsophisticated methods yield valuable information at least as effectively as creating complex viruses and malicious software. An organisation can build itself up to be the Fort Knox of cybersecurity.
However, that effort can be futile if there isn't competent manpower backing the systems in place.
Instilling a culture of cybersecurity from the ground up is the first step to increasing employees’ understanding of security issues and how their actions directly influence the level of risk to businesses.
Policies must be communicated clearly to staff members, so they understand that there is much at stake when they are handling sensitive, corporate data. Taking measures such as incorporating strong passwords and authentication methods, patching software vulnerabilities, and avoiding phishing attacks are a few of the activities that employees should be trained to find second nature.
Only by getting the basics right will they be on the right path to protecting assets and preventing theft of intellectual property, ransomware and so forth.
How does an organisation lay down the foundation for best practices when it comes to cybersecurity? The first place to start would be developing a culture based on trust, and not surveillance.
Employees must be informed that security is a holistic effort across their organisation, not just managed by select individuals sitting in IT departments. To ensure employees feel trusted, organisations should reduce practices such as camera and email monitoring when a security breach has occurred.
Change in perspective
Instead, accept what has happened and treat it as an opportunity to improve best practices and adoption of them. Keep things informal and make it acceptable for employees to engage with colleagues directly when they see poor cyber behaviour rather than encouraging them to inform on one another.
Second would be to change their perspective on security entirely. Have employees view it not as something restrictive but as a benefit that allows the organisation to deliver its promise to customers. Produce a compelling training narrative that resonates with employees, so they take pride in following best practices. It should demonstrate that by protecting assets effectively your company proves itself worthy of the trust bestowed upon it by customers to handle data appropriately.
Remember that a healthy security culture does not end at your company's boundaries, whether physical or virtual. It is equally imperative to take account of employees' security behaviour after office hours as it is within the workplace.
Examine ways in which you can involve all parties, including those often overlooked such as admin and back-office staff, to promote a comprehensive view of the “correct thing to do”.
Be direct about the behaviours and actions employees take with company information on your and their devices that directly impact the company’s ability to securely house assets.
With the cybersecurity threat landscape changing constantly, there is no such thing as possessing too much knowledge on the subject.
Educating employees is key to having a workforce that is switched on and ready to face the various threats of today. Doing so is fairly simple and often requires repeating digestible refresher courses to personnel once or twice a year.
• Keeping things clean: Straightforward and consistent guidelines should be in place for what employees can install and use on their work computers.
• If it looks suspect, it is: Employees should be trained to detect malicious links and attachments in email, online ads or other messages — even if the source looks trustworthy. They must know how to properly operate their spam filters, and also exercise good judgement, nipping threats in the bud.
• Ounce of prevention equals pound of cure: Assume that your staff are working within a hostile IT environment. Be proactive and vigilant about hardening your infrastructure.
Knowing which assets you have and how they are vulnerable at any given moment can reap exponential rewards by actively identifying flaws in your system before hackers can exploit them. This is a crucial way to protect against attacks whenever and wherever they appear.
• Set priorities straight: Not all threats are created equal; some pose an immediate risk and must be remediated at once.
By correlating active threats against exposed vulnerabilities, IT professionals can assess the situation and act accordingly to mitigate the most pressing security concerns before they reach IT assets or employees.
• Backing up their work: Whether their computers are set to back up automatically, or they do it on their own, staff must know and accept their role in protecting the work they produce.
• Communication: Employees must remain vigilant and inform the necessary party immediately if they notice anything suspicious on their work devices.
It is true that in the security industry, there is no such thing as an infallible strategy.
However, through a combination of people management, robust software solutions and awareness, businesses can maintain a consistent pro-security tone and form an all-encompassing cybersecurity culture in which everyone has a role to play and takes pride.
The writer is Managing Director — Middle East at Qualys,