Employees and cybersecurity: asset or liability?

Have you ever clicked on an email and unwittingly unleashed a virus or malware? Maybe it was an accident, or maybe it looked like a legitimate email from a business contact so you opened the attachment. Perhaps you’ve delayed the installation of a security patch because you were too busy. Or you connected to an unsecured public wifi network when you urgently needed to send an email or file to a client.

Most of us know what good IT security practices look like, but sometimes we make mistakes and cheat a little. We don’t think anything will happen and when it does, it’s too late.

At a company level, little slips or lapses by employees pose risks and liabilities in the company’s defence against cyber threats. IT managers get around this by having multiple layers of defence. For example, they install anti-virus and anti-malware programmes to minimise phishing threats, recommend VPN use for secure network access, segregate networks to contain threats that enter the network and run programmes to educate employees about IT security.

But is this enough?

While cybersecurity has traditionally been viewed as the responsibility of IT departments, it is becoming clear that it should be the responsibility of everyone in an organisation. At our recent Hackaday event, industry speakers emphasised that malware and cyberthreats are increasingly sophisticated and difficult to detect. Threats can penetrate the initial lines of defence, placing employees at the front line. As such, there is a clear need to ensure that employees are not just followers of, but an asset and active partner in, a company’s cybersecurity strategy.

Here’s our three-step process to engage employees:

  1. Educate: Are employees aware of common cyberthreats and can they identify suspicious activity? Do they understand why cybersecurity is important for the company and what is at risk if there is a breach? Communicate regularly and conduct training sessions on the latest cyber threats, best practices to observe and suspicious activity to watch for.
  2. Empower: Make it clear that everyone in an organisation has a role in preventing, responding to and stopping cybercrime. A chain is only as strong as its weakest link. It is no longer just “the responsibility of the IT department” but instead a collective effort by everyone to ensure that the company is protected and able to respond to threats quickly.
  3. Equip: To start, provide tools that help your employees follow good IT security practices. For example, if teams often work remotely and out of the office, invest in a good VPN service and provide encrypted data storage devices so that employees don’t have to “cheat”. If you have a BYOD practice, have an endpoint security solution so that your company’s cybersecurity extends to the mobile devices of employees.

Educating, empowering and equipping employees to be part of your company’s cybersecurity strategy is a necessity, especially for companies with limited IT resources and personnel. All hands on deck count.

In our upcoming posts, we will touch on the importance of endpoint security and what small and medium businesses without a CISO, CSO or dedicated IT security team can do to strengthen their defence against cyber threats.

The Connected Shield team

