Over the last year and a half, the world has become well acquainted with the idea of cyber data breaches. During 2014 and into this year, it seems like a new massive data breach has been reported week after week, with each seemingly exposing more records than the last. From Target to Home Depot to eBay to Anthem, most people have data at risk.
While these threats are most often initiated by outsiders – nefarious programmers writing malicious code designed to pilfer corporate data, siphon confidential customer information and/or raid company financial data – cyber criminals are too often able to gain access due to employees’ ignorance and/or negligence.
It is therefore essential for every business to educate employees about cybersecurity, to train them before a breach occurs. In this slideshow, Kaspersky has identified 10 tips that can help you educate your employees and develop policies that will help mitigate ever-growing cybersecurity risks.
Mitigating Insider Threats
Click through for 10 tips that can help you prepare your employees for dealing with cybersecurity threats, as identified by Kaspersky.
Regularly Talk to Employees
It’s important for organizations to include cybersecurity training on a regular basis, explaining the potential impact a cyber incident may have on your operations. Employees need to know their obligations, especially when it comes to mobile data. It’s not enough to require an annual review and signing of an “I have read and understand company IT policies” statement.
Remember Top Management and IT Staff
Top managers are often the target of cyber criminals because of their higher level of access to critical corporate and customer data. This increased access has a much bigger damage/financial payoff for the hackers. IT staff are also more vulnerable, given their administrative access over the network.
The Weakest Link
Any network is only as strong as its weakest link. Explain to employees that while your organization is making its best effort to secure the company’s infrastructure, it’s critical that employees fully engage and do their part in following company policies. Policies should be sophisticated enough to cover all possible attack vectors.
Regular Sessions
Organizations should have regular, focused sessions with employees to explore different types of cyber attacks. Threats change, new people come on board, and employees get caught up in their day-to-day activities, sometimes losing focus on the security threats knocking at their door. Consider having regular lunch and learn sessions, and encourage employees to use what they learn at home on their own computers.
Social Engineering
Warn employees to pay special attention to social engineering ploys they will find in social media, blogs and emails. It’s also important to point out that many cyber incidents begin with a phone call from someone posing as a co-worker asking seemingly innocuous questions. Meanwhile, they are actually gathering information about the company and its operations.
Recognizing an Attack
Train employees to recognize an attack. It’s critical that organizations have policies in place that assume they’ll be infiltrated. Don’t wait to react. Have a documented remediation plan in place and update or review it frequently. Communicate step-by-step instructions about what employees should do if they believe they’ve witnessed a cyber incident.
Training should include specific rules for email, web browsing, mobile devices and social networks. Don’t forget the basics, such as physically unplugging the machine from the network and notifying the admin of any suspicious emails, activity or lost devices. Kaspersky suggests that employees should be able to locate their emergency IT contact number in 20 seconds or less.
Don’t Discourage Employees
Even if it’s a false alarm, it’s important not to discourage employees from speaking up when a real cyber attack happens. If false alarms happen regularly, reevaluate your training approach.
Notifications
If an incident happens, give employees a heads-up as soon as possible. A lack of transparency or improper handling of a cyber incident may significantly increase the impact of the event. Issue instructions to employees about how to speak to the public and the press about the incident. Have an internal communications plan and PR strategy in place before anything happens. Consider insurance for cyber incidents.
Regularly Test Employees
Organizations should regularly test their employees’ cybersecurity knowledge and tie the results back into the training curriculum. It’s important to make it fun and/or rewarding, with incentives for prompt responses.
Invite, Listen and Respond
With all things, if employees find the policies too difficult or restricting, they will find ways to circumvent them. If you force employees to change passwords every week, be prepared that they will write them down and post them in their workspaces. If it’s too difficult or complicated to access something they need for their jobs, they will find less secure workarounds like personal email, USB, etc. Listen to what employees are saying and find the root cause of unsafe behavior. Finding alternatives that work for both security and employees’ ease of use is essential.