The most significant threat to the security and integrity of networked systems and data does not stem from external hackers or cyberattacks. Instead, the primary vulnerability lies within your organisation itself, specifically from employees prone to making poor decisions when interacting online.
While hackers undoubtedly pose a significant risk that demands protection, it is equally important to enlist the support of your employees in these efforts. The habits of end users have the potential to cause substantial damage over time if not addressed. Here we explore eight strategies to prevent these detrimental habits from causing harm to your business.
1. Protect users from themselves
While cybersecurity training and education are foundational to a strong security culture, additional precautions need to be taken to reliably protect employees from themselves. For instance, limit the downloading of apps and software by locking down systems so that employees cannot install unauthorised software or connect rogue, infected devices to your network.
In a similar vein, turn on security features (e.g., VPNs, multi-factor authentication, auto updates) by default instead of relying on employees to take those measures on their own.
2. Test employees with mock phishes
Activities like regularly scheduled mock phishing attacks can keep employees vigilant, providing an opportunity for learning and discussion. Ask both those who identified and reported on the phish, and those who failed to recognise the phish, to share their experiences. What tipped them off? What fooled them? What are the takeaway best practices? What lessons can be gleaned?
3. Prioritise IoT security measures
In the manufacturing of IoT devices, security is often an afterthought. Smart thermostats and cameras, connected printers and, especially, popular wearables like smart watches can create vulnerabilities if not properly secured. To cite a technical example, many commercial-grade IoT devices used in the finance, telecommunications, healthcare and automotive sectors are vulnerable to attacks due to flaws in certain integrated cellular modems.
The most severe vulnerability lets hackers remotely take control of these devices by simply using text messages. To reduce these risks, disable unnecessary SMS/text features and use private Access Point Names (APNs). Six other flaws were also discovered, allowing attackers to bypass security checks, run unauthorised code, and gain more privileges. (To protect against these risks, enforce strict security measures for Java applets and regularly update and audit the device’s security features.)
Monitor the behaviour of IoT devices to detect anomalies in device activity, such as unusual data transfers or unauthorised access attempts. Consider creating separate networks for IoT devices, limiting their access to critical systems. This way, if an IoT device is compromised, the attacker’s reach will be restricted. Include strict policies for IoT device usage among employees, including monitoring for malicious activity, and training employees to comply with security procedures. Encrypt data transmitted between devices, disable unnecessary services, and revoke access privileges for former employees who no longer require access.
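The monitoring and segmentation advice above can be turned into a simple detection, shown here as an added example that is not part of the original article. It learns a per-device median of bytes sent from a baseline window of constructed flow records, then flags two things in newer records: a transfer far above that median (the "unusual data transfer" case) and a connection to any destination outside the networks the device is allowed to reach (a segmentation violation). The allowed networks, device names and flow lines are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Networks an IoT device may legitimately talk to (constructed assumption):
# its own isolated IoT segment and the vendor's cloud range. Any other
# destination means the device has reached outside its segment.
ALLOWED_DESTINATIONS = [ip_network("10.50.0.0/16"), ip_network("203.0.113.0/24")]

# Constructed flow records in the form timestamp,device,destination,bytes_out.
# The first batch is the learning window used to build a per-device baseline.
BASELINE_FLOWS = """\
2024-05-01T00:00:00,thermostat-01,203.0.113.10,1200
2024-05-01T01:00:00,thermostat-01,203.0.113.10,1300
2024-05-01T02:00:00,thermostat-01,203.0.113.10,1100
2024-05-01T03:00:00,thermostat-01,203.0.113.10,1250
2024-05-01T00:00:00,camera-07,10.50.2.5,480000
2024-05-01T01:00:00,camera-07,10.50.2.5,510000
2024-05-01T02:00:00,camera-07,10.50.2.5,495000
2024-05-01T03:00:00,camera-07,10.50.2.5,505000
"""

# The second batch is the traffic being checked. It contains a thermostat
# suddenly pushing tens of megabytes to an unknown host and a camera
# contacting an address in the corporate network instead of its segment.
NEW_FLOWS = """\
2024-05-02T00:00:00,thermostat-01,203.0.113.10,1150
2024-05-02T01:00:00,thermostat-01,198.51.100.7,45000000
2024-05-02T00:00:00,camera-07,10.50.2.5,500000
2024-05-02T01:00:00,camera-07,10.10.0.25,12000
"""


def parse_flows(text):
    """Parse the CSV-style flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dst, nbytes = line.split(",")
        flows.append({"ts": ts, "device": device,
                      "dst": ip_address(dst), "bytes": int(nbytes)})
    return flows


def build_baseline(flows):
    """Median bytes_out per device over the learning window.

    The median rather than the mean is used so that one large transfer in
    the learning window does not inflate the baseline for that device.
    """
    per_device = defaultdict(list)
    for f in flows:
        per_device[f["device"]].append(f["bytes"])
    return {device: median(values) for device, values in per_device.items()}


def detect_anomalies(flows, baseline, volume_factor=10):
    """Return (timestamp, device, kind, detail) alerts for the given flows.

    kind is 'egress' for a destination outside ALLOWED_DESTINATIONS,
    'volume' for a transfer above volume_factor times the device's median,
    and 'unknown-device' for a device that has no baseline at all.
    """
    alerts = []
    for f in flows:
        if not any(f["dst"] in net for net in ALLOWED_DESTINATIONS):
            alerts.append((f["ts"], f["device"], "egress",
                           f"contacted {f['dst']} outside the allowed networks"))
        typical = baseline.get(f["device"])
        if typical is None:
            alerts.append((f["ts"], f["device"], "unknown-device", "no baseline"))
        elif f["bytes"] > volume_factor * typical:
            alerts.append((f["ts"], f["device"], "volume",
                           f"{f['bytes']} bytes vs median {typical:.0f}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    for alert in detect_anomalies(parse_flows(NEW_FLOWS), baseline):
        print(alert)
```

Run as-is, it reports three alerts: the thermostat's transfer to an unlisted host is flagged both as an egress violation and as a volume spike, and the camera's connection into the corporate range is flagged as egress. A device that shows up without any baseline gets its own alert rather than being silently ignored, which is the usual way an unregistered device first becomes visible.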
4. Foster accountability
Avoid reprimanding employees. Instead, cultivate a sense of shared responsibility. Show empathy and teach in a respectful, improvement-focused way. You want to enlist employee participation, not alienate or marginalise their efforts. When employees (and, especially, senior leaders) are willing to come forward and share their own cybersecurity missteps, it can be instructive for others while also minimising bad habits.
It will also help build a more supportive cybersecurity culture. Incorporate a “train the trainer” element in these discussions, asking impacted employees to lead a discussion, or demonstration, to help others better understand bad habits. These candid moments offer a chance for meaningful conversations. Educational experiences can make a difference.
5. Mine the media
News headlines appear almost daily with stories about cybersecurity breaches inflicted upon recognised brands. Organisations of all sizes from every industry are not immune from cyberattack. Share these reports as learning experiences and jumping-off points for discussion. What could the impacted company have done differently? What was the root cause behind the incident? How can you head off these threats at your own company? Invite employees to contribute by sharing reports they may have seen. This is a good way to promote mindfulness and a culture that prioritises security.
6. Enforce strong password policies, don’t leave them to chance
All organisations should have password policies that require employees to change their passwords on a regular basis and that discourage password reuse. In addition, commercial password managers should be advocated for storing and generating long, unique and complex passwords. You can help prompt that action through reminders. Consider locking employees out of accounts (as retail banking apps often do) if too many failed logins are attempted.
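The lockout rule at the end of the paragraph is easy to get subtly wrong, so here is an added example (not from the original article) of one reasonable implementation replayed over constructed authentication events. Failures are counted in a sliding window, the account is locked for a fixed period once the threshold is reached, a successful login clears the counter, and any attempt during the lockout is rejected even if the credentials are correct. The threshold, window, lockout duration, user names and event lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy parameters (constructed assumptions, tune to your environment).
MAX_FAILURES = 5                 # failures within WINDOW that trigger a lock
WINDOW = timedelta(minutes=15)   # sliding window over which failures count
LOCKOUT = timedelta(minutes=30)  # how long the account stays locked

# Constructed authentication events: timestamp,user,result.
# alice fails five times in two minutes, then succeeds twice (once while
# still locked, once after the lock expires); bob's two failures are far
# enough apart that the first one has aged out of the window.
AUTH_EVENTS = """\
2024-05-01T09:00:00,alice,fail
2024-05-01T09:00:20,alice,fail
2024-05-01T09:00:40,alice,fail
2024-05-01T09:01:00,alice,fail
2024-05-01T09:01:20,alice,fail
2024-05-01T09:01:40,alice,success
2024-05-01T09:40:00,alice,success
2024-05-01T09:00:00,bob,fail
2024-05-01T09:30:00,bob,fail
2024-05-01T09:31:00,bob,success
"""


class LockoutPolicy:
    """Sliding-window failed-login counter with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lock expires

    def evaluate(self, ts, user, result):
        """Apply the policy to one event and return the decision.

        'locked'     the account is locked at ts, attempt rejected regardless
        'ok'         successful login, failure counter cleared
        'fail'       failed login, below the threshold
        'locked-now' this failure reached the threshold and locked the account
        """
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"
        recent = self.failures[user]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if result == "success":
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            recent.clear()
            return "locked-now"
        return "fail"


def replay(text, policy=None):
    """Replay event lines in timestamp order; return {user: [decisions]}."""
    policy = policy or LockoutPolicy()
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split(",")
            events.append((datetime.fromisoformat(ts), user, result))
    events.sort(key=lambda e: e[0])  # log lines are not necessarily in order
    decisions = defaultdict(list)
    for ts, user, result in events:
        decisions[user].append(policy.evaluate(ts, user, result))
    return dict(decisions)


if __name__ == "__main__":
    for user, outcome in replay(AUTH_EVENTS).items():
        print(user, outcome)
```

Two design points are worth noting. The lock is temporary and expires on its own, which limits the damage if the threshold is tripped by a mistyped password or by someone deliberately feeding bad logins for a user; pair it with alerting on the "locked-now" decision rather than making the lock permanent. And the success during a lock is still rejected, otherwise the lock would only ever stop attempts that were going to fail anyway.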
7. Use analytics and tech tools
Identify employees who may represent the highest risk to company assets, for instance an employee who has accessed unauthorised content or an individual who inappropriately shares sensitive information. They offer an opportunity for intervention, coaching, and training. Experiment by using natural language processing (NLP) for sentiment analysis to help isolate employees with negative attitudes toward cybersecurity. These examples can offer learning moments—not to humiliate employees by name, but to focus on the implications of a security breach.
8. Make awareness training ongoing
If your cybersecurity training and education efforts are a one-and-done, or an annual event, employee bad habits will thrive. Instead, make awareness training ongoing through a wide range of communication channels and messaging to keep security awareness top of mind.
A strong security culture is the best defence against cybersecurity threats that can be detrimental and costly to stakeholders, partners, and customers. Lean on employees’ own experiences as teaching moments and maintain an open and transparent environment. After deployment of standard technical controls, employees become the organisation’s last line of defence. A human-centric approach to cyber awareness will always benefit the security posture.
Author: Erich Kron, Security Awareness Advocate, KnowBe4