Are Employees Your Weakest Link When It Comes To Security?

In security, the “human factor” is the bit we can’t account for.  Your technology could have every fail-safe, every safety feature and yet a lack of employee education could instantly compromise all of that.

So just how much of a threat are your employees?  Well, when IBM carried out the 2016 Cyber Security Intelligence Index, it found 60% of all attacks were carried out by insiders.  It’s not just ineptitude or human error either.  Cyber crime is a huge growth area and cyber criminals aren’t just lingering in a locked room on the dark web – they could be suited and booted and sitting right there in your office.

There are so many types of cyber crimes that threaten businesses.  From an activist who deliberately leaks data, to a disgruntled employee who sells a story to the press – you also need to be aware of malicious employees working with hackers or fraudsters too, supplying passwords, sensitive data or releasing malware into your system.  The human factor in all of this is unpredictable, after all.

So how can you turn your biggest threat into your biggest opportunity?

By putting security training at the heart of business development among your employees, and effectively training them to fight against an attack.  It's no easy feat but put yourself in your employees’ shoes: isn’t it much nicer to be invested in, trusted and involved in the security of your organisation?

My advice, don’t perceive employees as a threat – educate them about how they can become a “shield” against cyber crime. If you’re unsure where to start here are three easy ways to get started:

Start the process from the top down: The lines of communication need to be as strong between the security department and the management board as they are between IT and employees. Make briefings a diarised appointment and ensure management are fully briefed on the risks facing your organisation , the potential implications, and how employees can help be part of the solution.  Leading by example cannot be underestimated, so people will be inspired to take security seriously if they see the management board doing so too.

Encrypt everything: Use two factor authentication as standard, and put users into security groups according to their ability and expertise.  A one size approach doesn’t fit all in training terms so it’s important those with a better understanding aren’t talked down to, and those with more to learn are given the tools they need to understand why taking an active role in cyber security is so important.

Talk in terms of “shield” not “threat”: Be positive right from the start and don’t talk down to employees - you should have faith in them, and encourage them to take an interested in shielding the business from threats.  Yes, the risks are real, but inspiring staff is much more successful than demeaning them. You can incentivise through rewards and create ambassadors to promote your goals for you – stakeholder management is a great technique to use.
Teaching your employees to be more cyber aware is a skill for life, so make the training relatable to them and their everyday lives.  If people believe learning something new is good not only for you, as their employer, but for them, and their families, you’ll get a serious level of buy in and find your employees can quite easily become your biggest asset.

Jane Frankland is a cyber security expert and Managing Director of Cyber Security Capital, which helps cyber security professionals to develop their careers or build their businesses. She is passionate about helping to increase the numbers of women in cyber security and has authored a book - In Security: How a failure to attract and retain women in cyber security is making us all less safe.

First pubished on Dropbox Business Blog:

 

 

« London Conference: Protecting Critical Infrastructure
Trump Administration's Policy On Cybersecurity »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

iboss Network Security

iboss Network Security

The iboss cloud is designed to deliver Network Security as a Service, in the cloud, using the best malware engines, threat feeds and log analytics engines.

Dragos

Dragos

Dragos has built the first industrial cybersecurity ecosystem, the ultimate security defense.

Regulus Cyber

Regulus Cyber

Regulus enables drones, robots and autonomous vehicles to operate safely, without malicious or accidental interference to the operation of their mission.

Tier1Asset (T1A)

Tier1Asset (T1A)

T1A is Europe’s leading IT refurbisher. We offer certified data erasure using blancco on site and at our facilities, providing environmentally sound disposal of your used equipment.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

Onward Security

Onward Security

Onward Security provides security solutions including network & application assessment, product security testing and security consulting services.

InGuardians

InGuardians

InGuardians is an independent information security consulting firm specializing in penetration testing, threat hunting, and hardware hacking.

Wiz

Wiz

Wiz - the first cloud visibility solution for enterprise security: A 360° view of security risks across clouds, containers and workloads.

Enginsight

Enginsight

Enginsight provides a comprehensive solution for monitoring and securing your servers and clients.

ConnectSecure

ConnectSecure

ConnectSecure (formerly CyberCNS) is a global cybersecurity company that delivers tools to identify and address vulnerabilities and manage compliance requirements.

Kyndryl

Kyndryl

Kyndryl has a comprehensive portfolio that leverages hybrid cloud solutions, business resiliency, and network services to help optimize your IT workloads and transformations.

Secuna Software Technologies

Secuna Software Technologies

Secuna is the most trusted Cybersecurity Testing Platform in the Philippines. Our pool of vetted security researchers will find and ethically report security vulnerabilities in your product.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

ConvergePoint

ConvergePoint

ConvergePoint is the leading compliance software provider on the Microsoft Office 365 SharePoint platform.

US Insider Risk Management Center of Excellence (US-InRM)

US Insider Risk Management Center of Excellence (US-InRM)

The US-InRM Center of Excellence is a nonprofit organization dedicated to promoting private, public, and academic partnerships to foster knowledge sharing and resources to mitigate insider risk.

Athena7

Athena7

Athena7 is a dedicated assessment practice committed to helping organizations understand how their infrastructure, backups, and security controls will withstand the latest threat actor tactics.