Employees who create vulnerabilities are a cybercriminal’s best friend for breaking through an organization’s security defences. While technical security safeguards are important, employees continue to be the weakest link when it comes to protecting corporate information from cybercriminals of various shapes, sizes and motivations. Employees typically create these vulnerabilities when they:
- Disable or ignore company security measures such as anti-virus software and software firewalls.
- Click on malicious links in phishing emails from obviously dangerous domains.
- Open email attachments containing macros that launch malicious code.
- Download files from dubious sources that install malware on devices such as laptops, tablets and smartphones.
- Hand over valuable credentials, typically usernames and passwords, to crucial systems or valuable services in response to seemingly credible requests that are fakes.
- Make wire transfers to fraudulent bank accounts in the mistaken belief they are following direction from their superiors.
Organizations need to make their employees more aware of the risks and more vigilant in protecting data and the computing infrastructure. If you think I’m over-stating the risks of phishing, consider this Microsoft discovery. Here’s a suggested security awareness program focused on employees.
Implement a computing use policy
- Develop an acceptable use policy for computers and the Internet.
- Ensure the policy includes a prohibition on sharing credentials.
- Have every employee and contractor review and sign the policy.
- Communicate that violations of the policy will be noted in every employee’s personnel file and will be a factor in performance evaluations, bonus calculations and promotion decisions, and may be grounds for termination.
Hold security awareness briefings
- Develop a security awareness briefing.
- Have every employee and contractor attend the briefing annually.
- Illustrate what security risks actually look like on email and on the web.
- Include discussion of the learnings derived from recent internal and industry security incidents.
- Include a review of the acceptable use policy.
Minimize system access
- Create employee and contractor access profiles that restrict access to just the functions they need.
- Minimize the number of full-access user IDs.
- Monitor system access and usage.
- Expire network and application passwords regularly; every six months or more frequently is best.
- Enforce password strength rules in software so that weak passwords cannot be created.
- Implement three-factor authentication for sensitive systems and for remote access.
- Insist that all smartphones use the passcode feature.
- Remove access of departing employees and contractors.
Include the supply chain
Most organizations now allow suppliers, distributors and customers limited access to some of their systems. Some of the headline-generating security breaches gained access through poor supplier security management practices.
Organizations should encourage or insist that their suppliers and distributors operate a security risk reduction program like the one described in this article.
Investigate security incidents
- Investigate security incidents thoroughly.
- Use the findings from investigations to strengthen security management practices.
- Be restrained in assigning blame to avoid encouraging cover-ups of security incidents.
Conduct annual audits
Organizations should conduct annual audits to provide management with assurance about how well the security awareness program is working to minimize risk of data breaches. The audit scope should include a review of:
- Violations of the acceptable use policy.
- Appropriateness of system accesses.
- Frequency of entry of inaccurate passwords.
- Comprehensiveness of security incident reports.
- Participation in security awareness briefings.
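Several of the audit items above (frequency of inaccurate password entries, appropriateness of system accesses) and the access controls in the "Minimize system access" section (few full-access user IDs, access removed for departed staff) can be checked mechanically from authentication logs. The following script is an added example and is not code from the original article; the log line format `<timestamp> user=<name> result=<ok|fail> role=<role>`, the sample lines, the departed-user list and the failure threshold are all constructed assumptions for illustration.

```python
"""Audit helper for access and failed-password metrics (added example).

The log format below is an assumption made for this example, not a real
product's format. All sample data is constructed.
"""
import re
from collections import Counter

# Constructed sample authentication log (assumed format).
SAMPLE_LOG = """\
2024-03-01T08:01:00 user=alice result=ok role=user
2024-03-01T08:02:10 user=bob result=fail role=user
2024-03-01T08:02:15 user=bob result=fail role=user
2024-03-01T08:02:20 user=bob result=fail role=user
2024-03-01T08:02:26 user=bob result=fail role=user
2024-03-01T08:02:31 user=bob result=ok role=user
2024-03-01T09:15:00 user=svc-backup result=ok role=admin
2024-03-01T09:20:00 user=carol result=ok role=admin
2024-03-01T09:21:00 user=dave result=fail role=user
2024-03-01T10:00:00 user=contractor7 result=ok role=admin
"""

# Constructed HR list of people whose access should already be removed.
DEPARTED_USERS = {"contractor7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) role=(?P<role>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failed_attempts_per_user(events):
    """Audit item: frequency of inaccurate password entries, per user."""
    return Counter(e["user"] for e in events if e["result"] == "fail")


def full_access_users(events):
    """Control: the set of user IDs seen using full (admin) access."""
    return sorted({e["user"] for e in events if e["role"] == "admin"})


def flag_excessive_failures(events, threshold=3):
    """Users whose failed attempts reach the threshold (possible guessing or a
    user who needs help, not automatically a policy violation)."""
    counts = failed_attempts_per_user(events)
    return sorted(u for u, n in counts.items() if n >= threshold)


def departed_still_active(events, departed):
    """Control: departed employees/contractors who still authenticate."""
    return sorted({e["user"] for e in events if e["user"] in departed})


def audit_report(text, departed=DEPARTED_USERS, threshold=3):
    """Build the figures an annual audit would ask for from one log extract."""
    events = parse_log(text)
    return {
        "total_events": len(events),
        "failed_per_user": dict(failed_attempts_per_user(events)),
        "full_access_users": full_access_users(events),
        "excessive_failures": flag_excessive_failures(events, threshold),
        "departed_still_active": departed_still_active(events, departed),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds and the admin role name are policy choices; the point of the script is that each audit item maps to a concrete query over logs the organization already collects, so the audit can be repeated without manual review of raw lines.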
If you want to engage a vendor to help you improve security awareness, read the Gartner report titled: Magic Quadrant for Security Awareness Computer-Based Training.
Can you share your experience improving security awareness in your organization?