Here's how to make sure your employees have cyber security awareness and know to protect themselves and their company from vulnerabilities.
You can't go a week nowadays without hearing of another major cyber attack. This week it was a (reportedly) politically motivated attack targeted towards many Ukraine companies, but also hitting major enterprise organizations like US drug maker Merck, UK based communications agency WPP, and even state-owned Russian oil company Rosneft.
The attack used the same EternalBlue vulnerability that Wannacry recently used to wreak havoc on thousands of users, but this time there was no ransomware used to extract payment. This attack seemed only to be designed to "destroy and damage" its targets.
There has never been a more important time for organizations to shore up their IT infrastructure and seriously invest in cyber security preparedness. But one continually under-invested area is simply educating the greater workforce on how to practice cyber security awareness.
What is "cyber security awareness"?
Cyber security awareness is the level of education and understanding that your workforce has when it comes to following IT processes and procedures for keeping company data and systems safe. Unfortunately, the IT department can't just create a process and assume that employees will follow it to a "T". A recent study from Dell found that while 64% of employees understood their responsibility to protect confidential data, many felt that those processes severely limited productivity. And a full 24% said they've knowingly used unsafe behaviors at work and online to get a task finished quicker.
What's obvious from the Dell study is that having processes that are clunky and don't fit into the normal workflow of an employee aren't just adopted at a slower rate - in many instances, they're outright ignored. So, creating a process that's simple and easy to implement into daily workflow is key. But also, constant communication and continuing education with your workforce is also incredibly important. When employees understand why these processes are in place, they're much more likely to follow them.
How do you implement cyber security awareness in a large workforce?
Creating what many cyber security professionals call a "culture of security" is a long and involved process. It's also one that has to start at the top. C-level executives have got to prioritize cyber security awareness within their departments and focus on making cyber security and IT precautions part of the risk management discussion.
For many employees, there's a general lack of knowledge on even basic best practices for checking email, using public wi-fi, and even connecting to company infrastructure remotely. Weekly or monthly reminders on basic best practices can go a long way in instilling better online habits.
The National Cyber Security Alliance, which promotes cyber security education and is comprised of cyber security professionals from enterprise organizations like Facebook, Google, Intel, and Microsoft has some excellent tips on how to begin to implement a strong culture of security.
To start, begin consistent reviews of the following processes and procedures for:
- Noticing and alerting IT of fraudulent or phishing emails
- How to create strong passwords and how frequently to update them
- How to backup work on a regular basis
- How to avoid malicious links in personal emails, social media, and online when at work
- How to manage computers and other mobile work devices - which apps are ok; which apps are not; and how to keep work devices clean and operating efficiently
- How to manage work devices and connecting to company systems while traveling or working remotely
More importantly, give employees a process for alerting the IT department when they make a mistake so that issues and errors can be dealt with quickly. Mistakes will happen, and employees that understand what the process is for alerting the IT department and taking steps to fix it are much more likely to report suspicious activity that can be found and fixed before it turns into a much bigger issue.