Employees are a company’s most valuable asset, growing revenue, building relationships with clients, and, of course, playing invaluable roles in a company’s security perimeter.
Cybercriminals, however, are more likely to view your employees as the path of least resistance into an organization. In North America, for example, two top causes of breaches are careless or uninformed employee actions and phishing or other social engineering. Cybercriminals know that, and they use it to their advantage.
With a robust security education program in place, your company can protect its most sensitive information by ensuring cybercriminals cannot break through your employee firewall.
We get a lot of questions about cybersecurity best practices for the workplace, so we asked Barton Jokinen, Kaspersky Lab’s head of Information Security and Compliance for the Americas to answer some of the ones most frequently asked.
Esposito: What is cybersecurity?
Jokinen: Cybersecurity has many definitions, and the term is broad-ranging. For this discussion, cybersecurity is the practice of defending systems and data from malicious attacks, including physical security and awareness training.
Esposito: What is the best cybersecurity awareness program available?
Jokinen: Cybersecurity awareness programs are not one-size-fits-all. Every organization will have different needs depending on their business strategic goals, objectives, risk analysis, and even risk appetite. So, it’s useful to ask: “How does cybersecurity help the primary business of the organization?”
Esposito: From a cybersecurity perspective, what should companies think about when securing their workplace?
Jokinen: Organizations often overlook three areas when thinking about cybersecurity.
Physical security and safety. The well-being of employees should be at the forefront of every organization’s plans for cybersecurity. This may not seem intuitive when thinking about cybersecurity, or very cyber to most. But the increasing prevalence of Internet of Things (IoT) devices has blurred the line between physical security and cybersecurity. Wireless security cameras that are managed through a Web interface or a smart lock that is opened by an employee’s smart phone — when do things stop being physical and start being cyber?
Many companies have traditional physical security and environmental controls in place, but these groups are disconnected from the real problem solvers. In an IoT age, cybersecurity and IT teams are responsible for remediation efforts. In the workplace, these systems often share the same network resources as the rest of the business. Connecting IoT devices to the main network is risky because it provides an entry point for potential attackers to access corporate network resources.
Vulnerable systems can also be used to access poorly secured industrial control systems (ICS). For organizations that run critical infrastructure or manufacturing on ICS, an in-depth search of all systems involved should be performed. These networks should also be included in any cybersecurity efforts going forward.
Situational awareness of assets and data. Most cybersecurity frameworks rest on knowing what assets (including data) an organization has: the systems and applications that process the data, who has access, and where it resides. A cybersecurity risk assessment based on known assets will allow for a more thorough way to determine viable threats. This enables an organization to focus its cybersecurity resources where they matter most.
Cybersecurity awareness and training
Awareness extends beyond discovering and cataloging assets. Awareness should be a continual effort to educate employees on policies, current threats, and how to deal with those threats. Special focus should be paid to social engineering, which is still the most common and successful attack vector.
Organizations should offer training geared toward certain roles, not just generic awareness training. Make the training personal and fun. Tell stories and play educational games that will support awareness concepts. An awareness program should be anything but a test.
A good program is a mixture of in-person/instructor-led, online/self-paced modules, scenario-based, and surveys. Always gather metrics to show successes and weaknesses in security awareness programs.
Esposito: Our IT team is well informed about cybersecurity. Why should they undergo more training?
Jokinen: Education on cybersecurity hygiene needs to be common practice across the organization. Employees are often referred to as the “weakest link,” but in actuality, they are the most common attack vector and should be treated like any other attack vector in the organization.
Esposito: We have had several training programs, but none seem to be effective. What should we be doing?
Jokinen: It’s no secret that traditional training programs typically fail to achieve the desired behavioral changes and motivation. To build an effective educational program, there has to be an understanding of what lies behind any learning and teaching process. For a successful cybersecurity awareness program, the key is to create a culture of cybersecurity — one that motivates employees to continue secure practices in their daily lives beyond the perimeters of the office. After all, the goal of awareness training is not only to deliver knowledge but to change habits and form new behavior patterns.
The Kaspersky Security Awareness products are a good place to start or to fill in gaps in an existing program. We created them for all levels of the organizational structure. The computer-based training products draw on modern learning techniques: Gamification, learning-by-doing, and repeated reinforcement help to build strong skills retention and prevent obliteration; and emulating the employee’s workplace and behavior draws users’ attention to their practical interests. These motivating factors guarantee that the skills will be applied.
Esposito: How often should employees be reporting suspicious activity?
Jokinen: Cybersecurity teams would rather have employees report a false positive than wait until something “suspicious” manifests into a large threat. But before employees can report suspicious activity, they need to be able to identify what is considered suspicious.
A robust cybersecurity awareness training and its reinforcement materials should define suspicious incidents through examples, and how and when to make a report. Employees should then be encouraged to report any activity that may seem suspicious. Different procedures exist for incident reporting. Some organizations use the IT service desk, others have an email that generates a ticket for the security teams, and some may require employees to report the incident to their managers.
Once employees are knowledgeable in identifying and reporting suspicious activity, the next step is to establish incident response policies. Incident response policies should outline procedures and employee responsibility when dealing with an incident.
Remember, “See something, say something.” It is easier to nip something in the bud than manage a crisis in full bloom.
Esposito: What is your take on BYOD policies?
Jokinen: Bring your own device (BYOD) has become an increasingly popular approach. Employees get to enjoy the flexibility of choosing when to work and what device to work on. And employers benefit from reduced support costs for IT assets. However, this puts company data at great risk. Allowing employees to use their own devices for work means their devices are “out of view” of traditional security controls.
Esposito: It seems like you might be against BYOD?
Jokinen: Companies don’t need to end BYOD policies, but it is crucial that they establish safety policies and procedures. For example, they need to segregate work and play. Company data should be processed only by applications that are vetted and secured by the organization. This may seem challenging when users are on their own devices. Thankfully, mobile device management (MDM) tools exist. MDMs can segregate and secure company data, vet and approve applications, and track and remotely wipe devices of all company-related information.
Esposito: Where can people find more resources for continued education?
Jokinen: Kaspersky Lab offers various resources for maintaining ongoing awareness of threats and incidents in the world of cybersecurity:
- Threatpost is a leading source of information for news about IT, business security, and cybersecurity analysis.
- Securelist provides news, reports, and fascinating research in the cybersecurity industry.
- The Kaspersky Lab threats site is constantly updated with the ever-changing landscape of threats and vulnerabilities in cybersecurity.
- The Cyberthreat real-time map is an interactive tool that visualizes real-time cyberthreats around the world.
- And, of course, Kaspersky Daily, our main blog, has posts relevant for businesses and consumers.