It’s easy to think that cybersecurity is best left to the professionals. As experts in the field, our team appreciates when people look to us for guidance. But make no mistake – education is important for everyone in your office. Remember the human factor in cybersecurity.
You may have hired a CISO, identified and protected your critical assets, closed all the gaps you can find, and even established a regular schedule for penetration testing of your network.
Still, you have one more exposure that requires ongoing attention:
People.
Your team members, within the information security department and outside it, are your company’s greatest asset. They can also expose you to great vulnerability if they are not trained to participate in the company’s security.
Sneaky and savvy attackers have been able to get past network defenders with social engineering -- impersonating IT personnel or forging a “friendship” with a staff person in order to gain access to a network, so the role of every employee (the human factor) in cybersecurity should not be overlooked.
Here are some basics for how to keep all team members engaged and trained.
1. Awareness: employees in all sectors and departments need to know how attacks can happen, and to understand their responsibility in the team. Each employee should take this responsibility very seriously.
2. Clear privacy policies and user access controls: ensure that only those team members who need sensitive data have access to it, and conduct regular training on the acceptable use of data. Keep trainings engaging and interesting, even for those unfamiliar with security concepts.
3. Verification & skepticism: employees should be empowered to ask for identification from any person entering the company’s physical space (consider guest name tags, badges, etc.), and to check the sources of emails and phone calls requesting sensitive data; remembering that they can be spoofed. Healthy skepticism is a safeguard.
4. Relationships: if you haven’t learned that listening and involving your employees in company decisions is a good practice, now is the time to do so. Employees who are engaged and happy are much less likely to create a breach (by accident or on purpose).
These are a few basic steps to get started. As your company grows in cyber maturity, you can educate your team members more and involve everyone in security processes, as they relate to each member's level of access.
People have great power. Don’t overlook the human factor in cybersecurity.
These ideas are based on the book Security+: A Practitioner’s Study Guide, by David Evenden and Lauren Proehl.
Katy Munden Penner is a Writer and Content Strategist for StandardUser Cyber Security, and a Social Entrepreneur connecting people with great causes.