Employees are many companies’ greatest asset. In most cases, the workforce is also the most vulnerable layer of an organization’s network.
IBM’s 2014 Cyber Security Intelligence Index reported that 95 percent of all security incidents involved human error. 95 percent! That’s an attention-grabbing number that attests to the critical need for companies to provide good, thorough, ongoing training for every member of their workforce, from top to bottom.
To remain effective, training related to network safety must be updated regularly to keep up with the changing nature of cyber threats, according to security experts at SDN Communications and elsewhere. In addition, employees should be periodically tested to make sure that company policies and procedures are understood and being followed.
Attacks on business networks typically succeed because someone within an organization has been lured into clicking a bad link in an email, visiting an infected website or otherwise introducing a suspicious application to a corporate system.
“Social engineering is a big way for hackers to get in,” says Chad Pew, manager of IT for Sioux Falls-based SDN, the leading regional provider of broadband connectivity and cybersecurity services for businesses and institutions.
In the context of information security, social engineering typically refers to the trickery and human manipulation that hackers sometimes use to gain access to electronic information.
Pew periodically tests SDN’s more than 150 employees by, for example, sending out fake emails with a suspicious but inviting informational link. Then he monitors how many employees click the link. The objective isn’t to shame employees who fell for the trick. It’s to help teach them to avoid risks.
A good way to encourage responsibility is to reward good behavior. Congratulate employees who respond correctly, for example.
IBM’s Cyber Security Intelligence Index for 2015 also reported a discomforting figure: More than half of all attackers – 55 percent in 2014 – were malicious insiders or people acting inadvertently. In other words, trusted personnel are to blame for some attacks. Obviously internal vigilance is important, too.
Companies should monitor and control who has access to areas with sensitive equipment or information, for example. Are employees, vendors or customers roaming parts of the building or grounds that they shouldn’t be in?
Consider requiring employees to wear and use badges to enter a building or room. Also consider whether a layer of biometric verification is needed to protect secure locations. Don’t leave doors open that should be locked.
Once again, employees can help provide internal protection. They should be trained to notice and report suspicious activity.
Employees also play critical roles in maintaining good security at workstations. Strong passwords are an important element of workstation security, Pew says. They should include a mix of uppercase and lowercase letters, symbols and numbers, and they should be changed often to discourage hacking, he says.
Companies also should regularly install and update software and antivirus protection. A good spam filtering system is desirable, too. Consider reviewing who has administrative control of a network, or portions of a network, and then make sure that number is limited.
At SDN, employee training also addresses human situations.
Cassie Baldwin, contact center manager at SDN, also leads the company’s business continuity planning. In addition to dealing with emergencies such as winter storms, the company’s staff must be prepared to deal with other emergencies, she says. Once a year, for example, the company brings in a law-enforcement officer to talk to employees about what to do in case there is ever an active shooting incident in the neighborhood.
“Your body can’t go where your mind has never been,” she says, quoting advice she picked up in training. “You have to have something to draw on to know how to react.”
That’s a good summation of the value of training, in general.
This was the third in a series of blogs about why companies and organizations should take a layered approach to cybersecurity.
Next, we’ll look at protecting the edge of a company’s network with equipment such as firewalls.