Cyber Security Awareness Month is often seen as a burst of news, videos and blogs aimed at consumers. But CSOs and infosec teams also have a role to play during October to ensure their employees are keenly aware of online dangers.
“You have to look at what is good cyber hygiene when you’re dealing with users, particularly with user-targeted threats,” advises Kevvie Fowler, partner and the national cyber response leader at KPMG Canada. “You want to make sure there’s awareness around ransomware, with phishing and executive impersonation fraud.”
“It’s also critical the C-suite speak to employees about what to do if they do identify something they think is malicious. You want to make sure you have some sort of notification process, like a 7 by 24 support desk, so users understand how and who to report to.”
As a guideline, Public Safety Canada has suggested a number of themes C-suite leaders, technology associations and others can use to raise awareness. This week features the launch of Cyber Security Awareness Month initiatives, with a focus on general cyber security. To start, organizations can link to the federal department’s ongoing Get CyberSafe Web site.
There’s also a toolkit infosec pros can use to spread the word. Some of it is aimed at consumers, but experts point out that when employees leave the office they have to engage in safe online practices, too.
In the following weeks groups will publish online material for distribution on the themes of cyber security for small and medium businesses, cybercrime, the Internet of Things and related connected devices and the importance of cyber security to critical infrastructure.
In addition to stressing the standard best practices – taking care when opening attachments, verifying who an email has come from by looking closely at the sender’s actual address rather than the display name, checking where hyperlinks really point before clicking, choosing strong passwords and not re-using passwords on multiple sites – Fowler said there are other areas the C-suite should consider building into its messaging this month, or adding to its services if they aren’t already there.
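Two of the checks in that list, comparing the sender’s display name with the actual address and comparing a link’s visible text with its real target, are easy to describe but easy to get wrong by eye, and they can be automated at a mail gateway or in a client plug-in. The following Python script is an added example, not part of the article or of KPMG’s guidance; the From header and HTML body it inspects are constructed samples, and every domain name in it is a placeholder.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data (not taken from the article). The display name
# contains a plausible executive address, but the real address is elsewhere,
# and the first link's visible text does not match its href.
SAMPLE_FROM = '"Jane Smith, CEO <ceo@example.com>" <alerts@example-mail.net>'
SAMPLE_HTML = (
    '<p>Please review the invoice at '
    '<a href="http://example-mail.net/login">https://portal.example.com/invoices</a> '
    'or contact <a href="https://portal.example.com/help">Help</a>.</p>'
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_sender(from_header):
    """Compare what the reader sees (display name) with the real address.

    A display name that itself contains an email address at a different
    domain from the actual addr-spec is a classic impersonation pattern.
    """
    name, addr = parseaddr(from_header)
    real_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    shown_domains = {m.lower().rsplit("@", 1)[-1] for m in EMAIL_RE.findall(name)}
    suspicious = bool(shown_domains) and real_domain not in shown_domains
    return {"display_name": name, "address": addr, "suspicious": suspicious}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links whose visible text is a URL on a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        real_host = urlparse(href).hostname
        findings.append({
            "text": text,
            "href": href,
            "suspicious": shown_host is not None and shown_host != real_host,
        })
    return findings


if __name__ == "__main__":
    print(check_sender(SAMPLE_FROM))
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

The sender check only catches the display-name trick; a lookalike domain in the real address (example-mail.net standing in for example.com) still needs a blocklist or a domain-similarity check, and the link check deliberately treats plain-word anchor text such as "Help" as not suspicious, since only a visible URL creates an expectation the href can betray.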
“A lot of users [not just executives] are targeted with extortion,” he noted, either because of an internal data breach or information an attacker gained from another attack. So there should be a person who staff can report to – a manager or employee assistance, for example.
An anonymous whistleblower phone number where staff can report suspicious activity of a co-worker would be of benefit. That would act as a deterrent, Fowler said, to someone thinking of doing something wrong.
Finally, the C-suite should be able to face employees and promise that it has taken steps to protect the sensitive personal data the organization holds on them.
The situation isn’t all bad. “I think users are generally smarter today than they were years ago, and that comes down to the good work organizations are actually putting in to make sure they have awareness campaigns in place,” says Fowler. He’s seen recent research suggesting on average eight per cent of users wrongly click on malicious links in corporate phishing tests. That’s down significantly from a few years ago, he pointed out.
“At the same time the threats are more sophisticated, and they do a better job of targeting employees.”
Finally, the C-suite has to deal with those — including upper management — who maintain that cyber security is the IT department’s job. “It comes down to reinforcing that cyber extends beyond technology. And it’s not just one department’s mandate. It comes down to each person within the organization, whether they’re at work or at home.”