Are Employees Your Weakest Link When It Comes To Security?

Uploaded on 2017-04-08 in NEWS-News Analysis, JOBS-Careers, FREE TO VIEW

In security, the “human factor” is the bit we can’t account for.  Your technology could have every fail-safe, every safety feature and yet a lack of employee education could instantly compromise all of that.

So just how much of a threat are your employees?  Well, when IBM carried out the 2016 Cyber Security Intelligence Index, it found 60% of all attacks were carried out by insiders.  It’s not just ineptitude or human error either.  Cyber crime is a huge growth area and cyber criminals aren’t just lingering in a locked room on the dark web – they could be suited and booted and sitting right there in your office.

There are so many types of cyber crimes that threaten businesses.  From an activist who deliberately leaks data, to a disgruntled employee who sells a story to the press – you also need to be aware of malicious employees working with hackers or fraudsters too, supplying passwords, sensitive data or releasing malware into your system.  The human factor in all of this is unpredictable, after all.

So how can you turn your biggest threat into your biggest opportunity?

By putting security training at the heart of business development among your employees, and effectively training them to fight against an attack.  It's no easy feat but put yourself in your employees’ shoes: isn’t it much nicer to be invested in, trusted and involved in the security of your organisation?

My advice, don’t perceive employees as a threat – educate them about how they can become a “shield” against cyber crime. If you’re unsure where to start here are three easy ways to get started:

Start the process from the top down: The lines of communication need to be as strong between the security department and the management board as they are between IT and employees. Make briefings a diarised appointment and ensure management are fully briefed on the risks facing your organisation , the potential implications, and how employees can help be part of the solution.  Leading by example cannot be underestimated, so people will be inspired to take security seriously if they see the management board doing so too.

Encrypt everything: Use two factor authentication as standard, and put users into security groups according to their ability and expertise.  A one size approach doesn’t fit all in training terms so it’s important those with a better understanding aren’t talked down to, and those with more to learn are given the tools they need to understand why taking an active role in cyber security is so important.

Talk in terms of “shield” not “threat”: Be positive right from the start and don’t talk down to employees - you should have faith in them, and encourage them to take an interested in shielding the business from threats.  Yes, the risks are real, but inspiring staff is much more successful than demeaning them. You can incentivise through rewards and create ambassadors to promote your goals for you – stakeholder management is a great technique to use.
Teaching your employees to be more cyber aware is a skill for life, so make the training relatable to them and their everyday lives.  If people believe learning something new is good not only for you, as their employer, but for them, and their families, you’ll get a serious level of buy in and find your employees can quite easily become your biggest asset.

Jane Frankland is a cyber security expert and Managing Director of Cyber Security Capital, which helps cyber security professionals to develop their careers or build their businesses. She is passionate about helping to increase the numbers of women in cyber security and has authored a book - In Security: How a failure to attract and retain women in cyber security is making us all less safe.

First pubished on Dropbox Business Blog:

 

 

« London Conference: Protecting Critical Infrastructure
Trump Administration's Policy On Cybersecurity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Outpost24

Outpost24

Outpost24 provides easy to deploy and intuitive solutions to continuously identify, remediate and mitigate vulnerabilities in your network.

Patchstack

Patchstack

Patchstack (formerly WebARX) is a web application security platform, which allows digital agencies and developers to monitor, protect and maintain their websites.

Greenbone Networks

Greenbone Networks

Greenbone Networks delivers a vulnerability analysis solution for enterprise IT which includes reporting and security change management.

Quadrant Information Security

Quadrant Information Security

Quadrant Information Security is a consulting firm committed to supporting organizations in all vertical markets and protecting their sensitive data.

Nexus Group

Nexus Group

Nexus Group develops identity solutions for physical and digital access.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

Infosec Train

Infosec Train

Infosec Train provide professional training, certifications & professional services related to all spheres of Information Technology and Cyber Security.

In-Sec-M

In-Sec-M

In-Sec-M is a non-profit organization that brings together companies, learning and research institutions, and government actors to increase competitiveness of the Canadian cybersecurity industry.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Crown Sterling

Crown Sterling

Crown Sterling delivers next generation software-based, AI-driven cryptography in the form of random number generators and encryption products.

Netragard

Netragard

Netragard has an established reputation for providing high-quality offensive and defensive security services.

HENSOLDT Cyber

HENSOLDT Cyber

HENSOLDT Cyber introduces a paradigm shift to cyber security. Our products have been designed to ensure the integrity of embedded systems at the core: the operating system and the processor.

TuxCare

TuxCare

TuxCare make Linux more secure. We take care of Linux so that organizations can use Linux to support environments that require high levels of Cybersecurity, stability, and availability.

ZEUSS

ZEUSS

ZEUSS is a diversified data center, cybersecurity, and green energy company.

SeQure

SeQure

SeQure is a cutting-edge startup specializing in the development of advanced security infrastructure for artificial intelligence and blockchain.

SecureClaw

SecureClaw

SecureClaw offers specialized cybersecurity consultation, various products, and a range of services to meet your company's business domain needs.