Your entire staff is on the front line of cybersecurity. They are the ones who man the dikes, so it is important that they are both able and willing to. They need knowledge; you need their buy-in.
The weakest link?
Of course, your workforce is not alone. You identify and invest in appropriate technology, both hardware and software, in accordance with your organization’s threat assessment and its appetite for risk. You implement appropriate policies and procedures to provide governance, control and guidance.
Of course, the implementation and maintenance of these measures depends on your staff, and your staff are also the daily users of your IT systems. So whether these systems are being designed, installed, maintained or used, it always comes down to people. You cannot remove the human factor.
This is why it is important that all computer users in your organization support what you are trying to achieve, understand why you are doing it and how it affects them. This means that they must understand what they must and must not do, and – more importantly – appreciate why.
Your defense is only as strong as your weakest employee. The weakest may be those who do not understand, and so make a mistake. Or it may be those who do not buy into the whole cybersecurity program and see it as just another burden on them – more bureaucracy and responsibility. So they either ignore it, or they cut corners and deliberately break the rules.
All chains have a weakest link. But the weakest link in a premium chain is probably stronger than all the links in a chain of poor quality. Why is your staff the weakest link in your cybersecurity?
Because you have not made them your greatest security asset.
The Holy Grail of Staff Buy-In
The Holy Grail is a security-oriented workforce that follows best practices, uses informed common sense, and is diligent but not paranoid. Getting anywhere close to it can feel like an uphill struggle.
People do not like change. There will be pushback. What can you do? Repeated nagging eventually becomes background noise. Adopting a punitive approach or tying minor infringements to a disciplinary procedure will, at best, alienate people and, at worst, drive them to resist outright.
But it is unavoidable. If your organization is to be protected from cybercrime, you need everyone to pull in the same direction, and to do so willingly.
These eight points will help you chart a path toward staff buy-in.
One: Share information
No one is trying to say that cyber security is easy. On the contrary, it can be complicated. But do not keep your workforce in the dark. You do not have to give them an explanation of the technical reasons why you chose a particular approach. But tell them what the threats are. Impress upon them that these threats are real and potentially catastrophic. Explain what the organization has done to counter the threats and describe what is expected of them.
Do your employees understand that they play an important role in security and that they have a responsibility when using the organization’s IT services? It’s exactly the same as using a company car. They must use it properly – in accordance with the rules of the road – and treat it with respect. They are responsible for it while using it. The same goes for your network and your data. And if your organization is hit by ransomware and cannot operate, everyone suffers.
If you are not comfortable with the subject, consider outsourcing it to a specialist company. Bringing in external expertise shows your commitment to cybersecurity and how seriously you take doing the right thing. It also gives you the chance to benefit from an independent point of view.
Two: Business data includes personal data
When people are busy, they are focused on what they need to do to complete the task they are working on. It’s hard to worry about the bigger picture when you’re on the death march towards a deadline. But if something affects them personally, they will keep that in mind.
Your organization has personal information about each employee, so it’s not just company data that is at stake. Cybercriminals are just as interested in the workforce as they are in business information.
An employee’s personal data is protected by the measures introduced by the organization and by their colleagues’ willingness to follow procedures. They must have each other’s backs.
Three: Show there are no exceptions
Everyone needs cybersecurity awareness training, and everyone needs to follow policies and procedures. You cannot have a sea change or a cultural shift if it only applies to certain departments or teams, or if certain senior levels think they are exempt.
In the same way, everyone in the organization must go through the same policy introduction and procedure rollout processes. Knowing that the top levels are subject to the same IT and security management levels the playing field in the eyes of the workforce. And the C-suite needs to know what the training of the workforce consists of. They need to know that it is effective, well delivered, relevant and covers everyone – including themselves.
Consider having a short test at the end of the sessions, before the final questions and answers. This will not only capture the audience’s attention, it will also give you some measure of how well the message landed. If a particular section generally scores low, that area of the session may require some reworking to get the message across.
Four: Create available policies and procedures
You cannot expect people to behave properly if they do not understand what is acceptable in the first place. So policy documents must be written to clearly communicate what is required of all staff. Short, uncomplicated and plainly worded documents are best. Do not try to make them impressive; strive to make them accessible and unambiguous.
Typically, you need a set of documents that work together to deliver an overall IT governance framework, including a security policy, an IT incident procedure, a data breach procedure, an acceptable use policy, a password policy, and possibly procedures and documents for complying with local laws, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Your documents may have different names, but they need to address these topics.
There will be many more operational procedures that govern activities, such as security updates; backup schedules, including testing; and new starter, role change and leaver procedures. These are team and department specific. If you are not in IT, you do not set up accounts for new users, but each new user or role change must still be handled according to the procedure.
Five: It starts on day one
New starters will go through an induction process. As part of that induction, data protection and cyber security must be addressed. This is your chance to impress on new and enthusiastic employees that this is how things are done here. Do not give them time to pick up bad habits, and take the chance to clear away any bad habits they bring with them.
Do not rush through it as fast as possible. It is not a box-ticking exercise. Cutting corners here makes your new starter think this is not important; it’s just paperwork. But done well, it sends your new starter into their first week with the right attitude.
You may be able to open it up to a wider audience and use it as a cybersecurity awareness refresher for those who have not had one recently. Having more people in the room than just the new starters reinforces that cyber security is not something mentioned only during the first week of employment and then ignored.
Have them sign that they understand what is required of them and that they will follow your policies.
Six: Make it normal
Keep track of cyber security awareness training and make sure everyone cycles through it. Then repeat, at an absolute minimum, annually.
Make data protection and cyber security a standing agenda item at management and board meetings. It is not an adjunct of IT; it is a distinct set of measures that manage risk. Just as you have sprinklers, fire drills and fire insurance to mitigate fire risks, you need measures to deal with cyber threats. Examine whether your defenses are still appropriate and effective, and review and account for any security or data protection incidents.
Plan and carry out dry runs of your breach-handling and security incident procedures. You do not wait until the ship is holed to rehearse your lifeboat drill. Create a fictitious incident and let your teams treat it as if it were real. Then close any shortcomings that the dry run revealed.
Seven: Choose the low-hanging fruit
Make the first steps the easy ones. They will still have a big impact on raising your cybersecurity posture, and they will get employees used to integrating security-centric activities into their routines.
- Do not let anyone share passwords.
- Do not allow any third party to access your company’s Wi-Fi. Have a guest Wi-Fi network that goes directly to the internet. They do not have to be in your network; they just need to get their email. You may not even need to buy equipment to do so, your current hardware may already support this.
- All passwords must be unique and must not be passwords already used elsewhere.
- Set password complexity rules and enforce them.
- If people have too many passwords to remember, choose and market a company-sanctioned password manager.
- Use two-factor authentication whenever possible.
- Provide training in identifying phishing, spear phishing and other e-mail threats.
- Provide training to help staff recognize and avoid social engineering.
- Ensure that all operating systems and applications are within the manufacturer’s support lifecycle.
- Apply all security updates to servers and computers, as well as to network devices such as routers, switches, and firewalls.
- Implement secure disposal of retired IT equipment and obtain certificates of data sanitization.
Once the basic framework is in place, the more complex layers will have a foundation to build on.
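Several of the items above (passwords that are unique, meet complexity rules, and are not already in use elsewhere) are best enforced by a check at password-change time rather than by policy text alone. The following Python is an added example and not code from the original article; the deny-list of known-breached passwords, the minimum length of 12 characters, the three-character-class rule and the hypothetical `previous_hashes` argument are all assumptions chosen for illustration.

```python
"""Password policy check of the kind run when a user sets or changes a password."""
import hashlib
import re
from typing import Iterable, List

# Constructed sample deny-list: SHA-1 digests of a few passwords that are
# widely known to appear in public breach corpora. In production this would be
# the organisation's own deny-list or a lookup against a breach corpus.
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "Summer2024!", "letmein")
}

MIN_LENGTH = 12          # assumed minimum length
MIN_CHAR_CLASSES = 3     # assumed: at least 3 of lower/upper/digit/symbol


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form many deny-lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password_policy(password: str, username: str,
                          previous_hashes: Iterable[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.

    previous_hashes (hypothetical) holds SHA-1 digests of the user's earlier
    passwords so that reuse can be rejected without storing the passwords.
    """
    violations: List[str] = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < MIN_CHAR_CLASSES:
        violations.append(f"fewer than {MIN_CHAR_CLASSES} character classes")

    if username and username.lower() in password.lower():
        violations.append("contains the username")

    digest = sha1_upper(password)
    if digest in KNOWN_BREACHED_SHA1:
        violations.append("appears in the known-breached deny-list")
    if digest in set(previous_hashes):
        violations.append("reuses a previous password")

    return violations


if __name__ == "__main__":
    for candidate in ("Password1!", "correct-horse-battery-7"):
        print(candidate, "->", check_password_policy(candidate, "alice") or "OK")
```

Comparing digests rather than plaintext keeps the deny-list and password history free of recoverable passwords; the returned list lets the caller tell the user exactly which rule was broken, which is the "explain why" point the article keeps returning to.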
Eight: Measure and report
Build good cybersecurity practices into your staff appraisal or performance review programs.
Collect and present statistics on a dashboard aimed at the workforce.
Provide an easy way to report problems and encourage staff to identify suspected vulnerabilities in your systems. A small monthly reward for whoever discovers a potential security risk, or suggests an improvement, is a great way to get people involved.
Conduct regular testing of staff susceptibility. Benign phishing simulations and USB drops are a good way to identify staff who need refresher training, or procedures that need to be updated, clarified or strengthened.
Remember to report on the most improved department, so that when stragglers move up the rankings they get recognition. If you do not want to rank departments on a league table, use their scores to place them in bands on a traffic light system. Everyone should aim to be in the green.
Also report on actions taken by the organization, such as the number of days since the last penetration test, the number of problems identified and how many of these issues have been addressed. In this way, you present a snapshot of the organization’s and your staff’s joint efforts.
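The dashboard, traffic light bands and "most improved department" reporting described in this section can be produced directly from the results of the benign phishing simulations. The following Python is an added example, not code from the original article; the two rounds of simulation results, the department names and the green/amber thresholds (5% and 15% click rate) are constructed for illustration.

```python
"""Turn phishing-simulation results into a department scoreboard with traffic-light bands."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Each record: (department, employee_id, clicked_link, reported_email).
Record = Tuple[str, str, bool, bool]


def make_round(spec: List[Tuple[str, int, int, int]]) -> List[Record]:
    """Build constructed results from (department, headcount, clicks, reports) tuples."""
    records: List[Record] = []
    for dept, headcount, clicks, reports in spec:
        for i in range(headcount):
            employee = f"{dept[:3].lower()}{i:02d}"
            records.append((dept, employee, i < clicks, i >= headcount - reports))
    return records


# Constructed sample data: two simulation rounds, three departments.
ROUND_1 = make_round([("Sales", 10, 5, 2), ("Finance", 10, 2, 4), ("Engineering", 8, 1, 5)])
ROUND_2 = make_round([("Sales", 10, 1, 6), ("Finance", 10, 0, 7), ("Engineering", 8, 2, 4)])

GREEN_MAX = 0.05   # assumed threshold: click rate at or below 5% is green
AMBER_MAX = 0.15   # assumed threshold: at or below 15% is amber, above is red


def department_rates(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Per-department click rate and report rate."""
    totals, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for dept, _, clicked, reported in records:
        totals[dept] += 1
        clicks[dept] += int(clicked)
        reports[dept] += int(reported)
    return {d: {"click_rate": clicks[d] / totals[d], "report_rate": reports[d] / totals[d]}
            for d in totals}


def traffic_light(click_rate: float) -> str:
    """Map a click rate to a band; everyone should aim to be in the green."""
    if click_rate <= GREEN_MAX:
        return "green"
    if click_rate <= AMBER_MAX:
        return "amber"
    return "red"


def scoreboard(previous: List[Record], current: List[Record]) -> List[dict]:
    """League table sorted best-first, with band and improvement since the last round."""
    prev, curr = department_rates(previous), department_rates(current)
    rows = []
    for dept, stats in curr.items():
        rate = stats["click_rate"]
        last = prev.get(dept, stats)["click_rate"]
        rows.append({
            "department": dept,
            "click_rate": round(rate, 3),
            "report_rate": round(stats["report_rate"], 3),
            "band": traffic_light(rate),
            "improvement": round(last - rate, 3),   # positive = fewer clicks than last round
        })
    rows.sort(key=lambda r: r["click_rate"])
    return rows


def most_improved(previous: List[Record], current: List[Record]) -> str:
    """The department whose click rate fell the most; the one to recognise publicly."""
    return max(scoreboard(previous, current), key=lambda r: r["improvement"])["department"]


if __name__ == "__main__":
    for row in scoreboard(ROUND_1, ROUND_2):
        print(row)
    print("Most improved:", most_improved(ROUND_1, ROUND_2))
```

Reporting the report rate alongside the click rate matters: a department that clicks rarely but never reports is not yet acting as a detection sensor, and the "most improved" figure is what gives stragglers the recognition the article asks for.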