If the solution to the problem of how to get good cyber security was packaged in a box and sold at Wal-Mart, IT professionals would have nothing to worry about. They could arrange for employees to pick up their security package when activating their new smartphones.
Unfortunately, getting good cyber security isn’t that simple. Good cyber security practices aren’t purchased in a store: they have to be taught. And the sad reality is, most employees aren’t receiving a solid cyber security education. In fact, according to a survey commissioned by Sungard Availability Services*, IT professionals believe that employee behavior is one of the biggest threats to company cyber security efforts. The biggest security-related concerns are employees who are careless with their mobile devices and employees who have poor password hygiene.
“The weakest link in security is between the keyboard and the seat,” said Kevin Epstein, Vice President of Advanced Security and Governance with Proofpoint. “There are few security systems that can withstand the efforts of a user with a mouse who's determined to click. Many if not most of the major breaches in the last twelve months have been initiated by a user clicking a link in a phishing email. Education can reduce -- though not eliminate -- such behavior.”
There are several reasons why it is important to educate employees on cyber security. The first is to protect organizational data (e.g., new and current designs) and information related to customers or suppliers, said Gary Griffith, Faculty Member with the School of Information Systems and Technology at Walden University. The second reason is to prevent downtime or loss of productivity due to attacks on the company’s technical equipment. “Employees should understand or know about the harm these attacks can cause, including shutting down facilities for days while the IT staff tries to remove the malware and bring all the systems back online,” Griffith explained.
Griffith likes to mix real-life examples along with the different types of cyber-attacks in his cyber security education strategy. This allows users to see what those attacks are doing to gather information and how they can affect a business. “I also like to include why it is important that employees understand the consequences of their actions,” he added. “For example, if it was reported in the news that customer data had been stolen, what would happen to the company’s ability to attract new customers or keep current customers? What would happen to employees’ jobs and careers if leadership had to pay fines for the loss of customer data? It is important to let employees know that what they do daily matters, because they are ultimately the ones that can prevent most cyber-attacks.”
Teaching the basics about what a cyber security threat is and how it does damage shouldn’t be done in a passive manner. Security education should be hands-on and targeted, Epstein said. “Too many organizations apply a blanket policy or standard training -- which bores the sophisticated users and fails to assist the less-technical users. The best education often involves an IT organization understanding which users are most prone to clicking on what lures, then creating focused education around those areas -- for example, 'phishing' their own organization.”
Overall, the best security practices come down to common sense, not sophisticated technology, according to Ashley Schwartau, Creative Director with The Security Awareness Company. Schwartau uses the following best practices in her security education:
- Incident response - knowing how and whom to report potential security incidents to.
- Passwords - knowing how to make strong ones, and changing them regularly.
- Malware - understanding the main types of threats and how they can be avoided.
- Safe Surfing - remembering that you are what stands between the outside world and the inside of the company, and that you represent your organization when online.
- Phishing and Social Engineering - recognizing phishing attempts and social engineering attacks.
- Mobile and the Cloud - treating mobile devices as you would any computer and understanding that just because files are stored in the cloud doesn’t make them immune to security threats.
- Preventative Care – backing up regularly, installing anti-virus software, and patching software and operating systems as soon as prompted.
- Non-Technical and Physical Security – shredding sensitive documents when no longer needed, requiring identification badges for employees and guests, and keeping track of all devices.
- Privacy - understanding how identity theft happens and how you can protect against it.
- Policy - knowing and understanding security policy as well as the consequences of not following policy, and how to quickly find policy when in doubt.
In the end, the best security education is something that employees will regularly practice. The more simple and straightforward it is, the more likely they’ll remember to be safer on their computers.
*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.
Other Posts in This Series: