Literate or Lacking? 5 Questions to Ask About Cybersecurity Awareness
It would be great if you could lock the doors to your network and know for sure that no one’s going to get in except the people who have permission. Unfortunately, cybersecurity is a lot more complex than that. First of all, you need several technical and non-technical security layers to control access to your network. Second, you have to make sure that your people don’t do something that lets a bad guy bypass your locked doors.
Could you imagine not teaching your kids what to do if a stranger knocks on your door, offers them candy at a playground, or asks them if they want to see a puppy? If you don’t prepare your kids to raise their guard in situations where their safety could be compromised, how can they become advocates for their own protection?
It’s the same with your employees. Unless you’re teaching your people to recognize how cyber criminals are trying to trick and manipulate them into doing something that compromises your company’s security, can you really expect them to be responsible for playing their part in protecting access to your network and data?
Remote Workers Unsettled by Stress, Fatigue and Distraction
Security is everyone’s job, and the threats against your organization are always increasing. Add the effects of the COVID-19 pandemic, and cyber criminals have new angles of attack and a huge pool of human targets who may not be at their best because they’re unsettled by stress, fatigue and distraction.
In their 2020 Threat Hunting Report, CrowdStrike found that there were more attempted cyber attacks in the first six months of 2020 than in all of 2019. Many of these intrusions were traced to phishing schemes that tricked a person into taking an action such as clicking on a link or opening an attachment, or into unknowingly handing account credentials to the bad guys.
If there ever was a time to have a security-minded workforce, it’s now. Here are five questions you can use to gauge where you’re at with your employees’ cybersecurity literacy.
1. Do employees understand the risks?
Have you talked with employees about the impact that a cyber attack would have on your business? According to the Ponemon Institute study published by IBM, the average cost of a data breach is $3.46 million. Even if this number is more like $250,000 for a small business, the fallout could mean extreme financial difficulties or even lead to business failure.
A lack of understanding about the value of your data and access to your network could be contributing to less than vigilant attitudes about security. It’s not just bank account information that the bad guys want. They want social security numbers from employee files, trade secrets, customer information, and access to bigger targets that you may be connected to as a vendor or customer.
2. Do employees understand their role in security?
Again, security is everyone’s job. The importance you place on documenting, teaching, and enforcing your security policies should hammer home the point that security isn’t just IT’s job. Security is just as much about controlling who has access to information and how people should handle different situations.
If you have remote workers, it’s a good idea to reinforce your remote access and acceptable use policies. People need to understand that the simple fact that they’re outside your network perimeter means their security situation has changed.
3. Do employees know how to respond to a potential cyber intrusion?
It’s not enough to put all of your energy into prevention, because it’s very likely that at some point your organization will be the victim of a cyber attack. Your cyber security plan needs to document the protocols you want employees to follow in different cyber attack scenarios. Sometimes the first step is as simple as: turn off your computer and call the IT department. Unless you train this response, it might not occur to people to take this simple step, and the more time that passes, the more damage can potentially be done.
Your IT department is going to lead the steps in your response plan to stop any malware or spyware, clean up the infection, and get your systems up and running again. A good response plan should also include forensics to determine what happened in the first place so that measures can be taken to prevent the same thing from happening again.
4. Do employees get ongoing cybersecurity awareness training?
An annual workshop is not enough to keep security top of mind. Employees need practice at spotting potential phishing attempts, and certain types of social engineering schemes are targeted at people in roles such as HR, Accounting and Management. Additionally, some people will need more practice than others.
According to cybersecurity awareness training company KnowBe4, 70-90% of malicious intrusions happen because of social engineering and phishing attacks. People make mistakes and errors in judgement happen, but if human behavior is the cause, then training can prevent the incident, or at least lessen the risk.
5. Are employees equipped with the knowledge and tools they need to work securely?
With this last question, we’re turning the spotlight on you as the business leader to ask how you’re resourcing security. It’s your job as the employer to provide employees with the hardware and software they need to work securely. That includes keeping software updated, refreshing hardware, and providing secure access for remote workers.
If you’re doing business over the internet, then your business processes should have security woven through them. This is where your security policies come into play, and your policies aren’t worth anything if you don’t devote enough resources to training on them and enforcing them.
Build Up Your Security
If you can’t answer these questions confidently, then there’s a good chance that you’re exposing your organization to more risk than you should be. Here at XPERTECHS, our clients are supported in every aspect of both technical and non-technical security.
Contact us for a consultation if you want access to a whole team of IT and security professionals to improve operations and enable your success.