By Help Net Security on 20 December 2016
cyber risk, risk management, security awareness
IT security is usually focused on how to prevent outsiders with malicious intent from causing harm to your IT systems and data. While this is a valid concern, people within organizations who simply do not understand the consequences of their everyday habits and behavior on company computers pose an equivalent if not greater risk.
Every person within a company that has access to information is a gateway for data exfiltration. This is why education for ALL employees that encourages following best practices for IT security safety is extremely important to implement within organizations. So where should you start? Take 3 easy steps.
1. Awareness about the ways hackers get into your organization
The average computer user has most likely heard all the keywords – virus, firewalls, malware, phishing, ransomware, insider threats – but what it all means has to be explained at the basic level and the consequences need to be emphasized. Of course, the biggest emphasis should be on how hackers can use them to get access to company data. From experience, it’s always best to use real-life examples.
Case in point: Recently, I worked with a university whose administration staff received an email to their university emails to update their account information and passwords. It was a phishing scam that provided the hackers with multiple administrators’ passwords. When I further investigated the issue alongside the IT security team, I realized people didn’t understand that it’s not as easy as just changing your password again and that it’s not someone manually digging through their information.
The department put forward an initiative to explain how phishing scams work and that the consequences are someone has all the data you had access to – including people’s personal data. In particular, most likely due to the high success rate of the hackers the first time, this university’s administration team was targeted multiple times afterwards. The hackers, however, failed to extract any additional information due to the administration’s teams new set of knowledge who reported each phishing e-mail afterwards and started a university wide alert every time they received a suspicious e-mail.
2. Constant reminders to change people’s bad habits
When employees first start it’s important to give them a list of the top 10 rules they should follow regarding IT practices. If you know the rules that are violated the most, it’s suggested that those should make the top of your list. If you don’t then a good way to find out is to use monitoring techniques that will help you to collect this data. There’s a high chance you’ll be surprised by the type of rules people violate. Some examples of no-no’s can include attaching company files to personal e-mails, putting data on non-encrypted USBs, uploading files to cloud drives etc. Yearly training and reminding sessions should also be implemented as a part of company strategy.
One of the most effective tactics is to inform users that they are violating policies while they’re attempting to take the action. This approach is extremely important for organizations who do not block particular actions because it can interfere with everyday tasks. For example, if someone in the customer chat department was to send a file via instant messenger, your IT team could set up a technology interface or leverage solutions that automatically alert the violating staff member – with a message saying that the action is not recommended.
Based on my own research with practitioners, in 72% of cases this was found to be enough to deter the user from completing the action. Furthermore, my research showed that 57% of actions that were going to be taken, could have led to data exfiltration.
3. Lead by example
Management can scare employees into following company policies but sometimes they don’t scare themselves enough. I’ve come across hundreds of companies where statistics show that management violates more IT policies than the average employee.
The issue here is, if a manager violates a company policy while interacting with their employee, there’s a higher chance that the employee will engage in the same activity at some point at their time with the company. It’s also important for management to dig into why they’re violating the policies. If it’s because they’re lazy then their behavior simply has to be changed. If it’s because it’s making it hard for them to do their job – the rule has to be evaluated. Is it making it hard for those under management to do their job as well? Employees will find ways to circumvent policies if they’re inconvenient.
Showing employees that their concerns are a part of the IT security strategy is important because it diminishes the feeling that the policies are implemented to restrict them. In my experience, companies that were able to reduce violations by their management by 10%, were able to reduce their overall company violations by 27% in just three months.
Ultimately your organization is only as strong as your weakest link – and your weakest link may be someone that simply didn’t know not to click, send, download etc.
Kohen, Isaac (2016). Mitigating internal risk: Three steps to educate employees. Help Net Security. Recovered on 6 January 2017, from https://www.helpnetsecurity.com/2016/12/20/mitigating-internal-risk/