What your employees need to know about cybersecurity
08 February 2019 | Columns
If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for the improvement of your cybersecurity profile.
Employees need access to a lot of important data, and their ability to protect that data - or to inadvertently let it walk out the door of your organisation - is vital.
A lack of education is at the heart of a number of incidents of a major security breaches. You probably heard about the new human resources employee who got an email from the president of the organisation asking for tax information on every employee, so that person sent it exactly as instructed.
The employee did not recognise the email came from a hacker impersonating the CEO, and there was a major security breach.
Entire business models are based on this kind of fraud. Let's pretend I am going to build a site with the world's best collection of cute pet pictures. I'll give you the first 10 for free (and those 10 are the most adorable pictures you have ever seen), but to see more, you need to set up a user name and password. The access is still free, though.
No big deal, right? Wrong. In this scenario, I own this website and I am a criminal, and my business model is to try to use the username and password you just entered at every major banking website, on all major email providers, on your company's VPN portal, and anywhere else that I think you might have used the same username and password.
I will then extract any valuable information I can from those sites, sell the information for a profit, possibly ransom your own data to you to make even more money, and then move on to the next victim.
Need some numbers to illustrate why educating your employees about cybersecurity practices is important?
• Per IDG's 2016 Global State of Information Survey, 48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest; and
• According to the Ponemon Institute, 60% of employees use the same password for everything they access. Meanwhile, 63% of confirmed data breaches leverage a weak, default or stolen password.
So where should your company start? Begin with a training programme. Employees need to be educated on cybersecurity best practices. One of the issues any cybersecurity awareness training programme should address is the implementation of real password policies.
There's no easy way to say this, so I'm just going to say it: Passwords stink. They are no fun to create, no fun to remember and no fun to type in. That being said, passwords are still the most common authentication method today.
It is imperative to implement a password policy requiring complex passwords that can't easily be guessed, and end-user training to go along with it.
Many people use the same passwords for every online system for which they need one. This is a problem. If one site gets hacked, cybercriminals will try your credentials at all common websites, and possibly at your business's VPN.
It is imperative your cybersecurity awareness training programme encourages team members to use different passwords for different sites, and especially for any system your company uses.
Most companies have some sort of safety guidelines employees must follow or be aware of and cybersecurity should be no different. There are a number of companies that specialise in this type of training.
Picking the right type of training is critical; having a good cultural fit is more important than the actual content. Be sure to do proper due diligence when making this selection.
The important message is you already know you must train employees on certain things in order to have them perform their job functions. Cybersecurity is one of those things. If you are uncertain as to how to structure a cybersecurity training programme, find an adviser that can help you.
*Bryce Austin is the CEO of TCE Strategy and a speaker on emerging technology and cybersecurity issues. He is author of 'Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives'.