The biggest problem companies face when it comes to cybersecurity is often not the technology; it’s the people. And hackers (often called “bad actors”) know this. That’s why it takes more than strong IT to keep your company safe. It “takes a village.”
Beyond technology, the best way to protect your business from cybercriminals is with a trained and educated cyber aware company culture. It may seem like a large and daunting company initiative, but it isn’t. There are a few corner stones that continue to build up, along with continuing education and strong corporate communication.
Set the tone from the top; Let people know that cybersecurity is everyone’s job
Leadership is always where a company culture starts. Employees and contractors, from entry-level to senior management, need to feel that cybersecurity is important to the company. If the executive leadership team values cyber safety, it will trickle its way down to all corners of workplace.
Cybersecurity should be more than just the responsibility of the Information Technology department. A statement by leadership must be delivered that it is up to everyone, beyond IT, to keep cyber criminals out of the company’s network.
Management shouldn’t be the exception to the rule. Management most often have the highest privileged accounts. Allowing management to bypass those safeguard not only put the organization at risk but sets a bad tone from the top.
Train and test your staff; Hack your staff before the hackers do
Posters, employee newsletters, training sessions and regular meetings are avenues to communicate across the organization about how everyone can be more cyber aware. Regardless of what methods you choose, you should train staff on a regular basis. Monthly training is highly suggested. It can be via email or face-to-face. Or both.
Beyond training, it is good to see that employees are understanding and retaining the cybersecurity information. While you can trust that the staff is paying attention, it is recommended to test your staff as well.
>> Send a mock phishing email a little while after a training session or communication. It would be interesting to see who, if anyone, falls prey to the false hack. This shouldn’t be a gotcha for those employees but a change for the organization to focus on more advanced training.
Teach your team that the inbox is the bad actor’s favorite target
Based on current trends, cyber attackers are finding email to be the best route for penetrating a company’s security defenses. Trends Labs reports that 91% of targeted cyber-attacks use email as their way to breach networks. Likewise, Ponemon reports that 78% of targeted email cyber-attacks use malware embedded in an attachment.
Addressing targeted email attacks from leadership and your technology department is an essential piece of puzzle when creating a cyber safe culture. This should certainly be a topic addressed in employee training and even onboarding.
Have a password update plan; Avoid weak or universal/default passwords
According to Verizon’s 2017 Data Breach Investigations Report, as many as 81% of hacking-related breaches were caused by leveraging stolen or weak passwords.
Often, employees are not aware of the risks. That is why password education is a great topic to include in cybersecurity training. Require complex password structures and explain the reasoning behind it. Do not allow people to use the default password for more than the first login.
Have a formal cybersecurity plan; Get advocate from each department
Your technology team should contribute significantly to a cyber aware culture and with cybersecurity training. Have the IT folks develop formal cybersecurity training with a documented plan to accompany it. The plan should be reviewed and updated often. Too many companies create cybersecurity plans and teams only to find that the plan becomes dusty and the teams include staff that’s no longer at your company.
Ask for a cyber security advocate from each of your functional teams (E.g. HR, Finance, Sales & Marketing, Etc.) since this casts a wider net to learn about targeted phishing and helps show that cyber security isn’t just for IT anymore.
No matter how great your CIO or CTO might be, one person alone cannot fight cybercriminals. Create a cyber aware culture and get everyone at your organization involved.