Don’t forget the human firewall!

Every day, thousands of companies get hit by a cyberattack. Some of these attacks are so advanced that they are hard to avoid. However, 95% of cyberattacks nowadays are carried out with automated tools, and good cyber hygiene could have prevented the attack.

Pointing fingers
In almost every environment we visit, we see that a lot of thought has gone into the technical side of keeping outsiders out. But quite often we see that no one thinks about the human side of it all. And when accidents happen, people start pointing fingers. The IT department puts its head in its hands and sighs, “How could that user click on this sketchy link?!” and the users complain that “IT should’ve prevented this from happening!”
This is, of course, not a very constructive attitude on either side, but the discussion is as old as the first IT department. It is important to give these issues adequate attention, because current attacks are no longer limited to shutting down an email server or a few workstations. Personnel data and other business-critical data are being stolen on a large scale and misused to attack customers or other business relations.
Cyber security risks are on a steady rise, and our mantra at OpenSight has always been: “Security is teamwork.” To us, the solution lies in teamwork between users and IT. Both have a responsibility to protect what is most valuable to the organization.
Awareness Training
It’s essential that everyone inside the organization is aware of the risks surrounding the use of digital systems. There is a reason we say ‘digital systems’: phones, tablets and IoT devices are often overlooked when talking about cyber security. Everyone, from CEO to coffee lady, has a role in information security. The level of training must match your position and the risks associated with it. Someone from the finance department will need a bit more training in CEO fraud, and someone from the IT department more in social engineering.
Training employees makes a significant difference to the security level of an organization, especially when it is combined with repeated attention to the internal procedures regarding things like passwords, confidential information, and the handling of equipment. Pay particular attention to properly explaining why procedures are the way they are. This is then reinforced by online training programmes that improve general knowledge and awareness.
Incident simulation
Another important aspect is the simulation of attacks through phishing campaigns, social engineering, and penetration tests. In this blog we only dig into the first topic; the latter two will be discussed in the future.
If we want to measure the effectiveness of awareness training and the internal sharing of knowledge, a phishing campaign is a strong tool, especially if it runs automatically and with a reasonable frequency. Once or twice a month is not excessive; the goal is to keep people alert. You can also attach training goals to the results of these campaigns. This works best in practice and leads to an intrinsic change in behaviour.
Please note that this must remain a positive stimulus. It’s not about finger pointing, as mentioned before! It’s about helping people become more aware of, for example, how to distinguish a phishing email from a normal email. And when in doubt, report it!
You can also set up a silent campaign, one that is not announced, in which you measure whether people report the email in time after the incident has occurred.
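The two measurements described above, the click rate of a simulated phishing campaign and how quickly recipients report it, are easy to compute once the campaign results are kept as simple per-recipient records. The script below is an added illustration and is not code from OpenSight or from any phishing platform: the event records, the two monthly campaigns, the 60-minute "timely report" window and the 30% / 50% attention thresholds are all constructed or assumed here. It shows how to turn raw results into the numbers you would attach training goals to, including the list of people who clicked and never reported, which is the group that most needs follow-up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class PhishEvent:
    """One recipient of one simulated phishing mail (constructed data shape)."""
    campaign: str
    user: str
    sent: datetime
    clicked: Optional[datetime] = None   # None: the user never clicked the link
    reported: Optional[datetime] = None  # None: the user never reported the mail


T0 = datetime(2024, 3, 4, 9, 0)     # constructed send time of campaign 1
T1 = T0 + timedelta(days=30)        # constructed send time of campaign 2


def at(base: datetime, minutes: int) -> datetime:
    """Timestamp a given number of minutes after the mail was sent."""
    return base + timedelta(minutes=minutes)


# Constructed sample results: two monthly campaigns, five recipients each.
EVENTS: List[PhishEvent] = [
    PhishEvent("2024-03", "alice", T0, clicked=at(T0, 5)),
    PhishEvent("2024-03", "bob",   T0, reported=at(T0, 12)),
    PhishEvent("2024-03", "carol", T0, clicked=at(T0, 3), reported=at(T0, 8)),
    PhishEvent("2024-03", "dave",  T0),
    PhishEvent("2024-03", "erin",  T0, reported=at(T0, 240)),
    PhishEvent("2024-04", "alice", T1, reported=at(T1, 4)),
    PhishEvent("2024-04", "bob",   T1, clicked=at(T1, 2), reported=at(T1, 6)),
    PhishEvent("2024-04", "carol", T1),
    PhishEvent("2024-04", "dave",  T1, reported=at(T1, 20)),
    PhishEvent("2024-04", "erin",  T1, reported=at(T1, 45)),
]


def campaign_metrics(events: List[PhishEvent], timely_minutes: int = 60) -> Dict[str, dict]:
    """Per-campaign click rate, report rate, timely-report rate and time to report."""
    by_campaign: Dict[str, List[PhishEvent]] = {}
    for e in events:
        by_campaign.setdefault(e.campaign, []).append(e)
    out: Dict[str, dict] = {}
    for name, evs in sorted(by_campaign.items()):
        sent = len(evs)
        clicked = [e for e in evs if e.clicked is not None]
        reported = [e for e in evs if e.reported is not None]
        minutes = [(e.reported - e.sent).total_seconds() / 60 for e in reported]
        timely = [x for x in minutes if x <= timely_minutes]
        out[name] = {
            "sent": sent,
            "click_rate": len(clicked) / sent,
            "report_rate": len(reported) / sent,
            "timely_report_rate": len(timely) / sent,
            "median_minutes_to_report": median(minutes) if minutes else None,
            # Clicked and never told anyone: the group that most needs follow-up training.
            "click_no_report": sorted(e.user for e in clicked if e.reported is None),
        }
    return out


def needs_attention(metrics: Dict[str, dict], max_click_rate: float = 0.3,
                    min_timely_report_rate: float = 0.5) -> List[str]:
    """Campaigns that miss either target (thresholds are assumed, not from the post)."""
    return [name for name, row in metrics.items()
            if row["click_rate"] > max_click_rate
            or row["timely_report_rate"] < min_timely_report_rate]


def trend(metrics: Dict[str, dict], key: str) -> List[float]:
    """Change of one metric from each campaign to the next (campaigns sorted by name)."""
    names = sorted(metrics)
    return [round(metrics[b][key] - metrics[a][key], 2) for a, b in zip(names, names[1:])]


if __name__ == "__main__":
    results = campaign_metrics(EVENTS)
    for name, row in results.items():
        print(name, row)
    print("needs attention:", needs_attention(results))
    print("click-rate trend:", trend(results, "click_rate"))
```

In the constructed data the March campaign has a 40% click rate and only 40% timely reports, so it is flagged; a month later the click rate has dropped to 20% and 80% of recipients reported within the hour. Feeding each month's `click_no_report` list back into the awareness programme is exactly the "attach training goals to the results" step the post recommends.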
Safe behaviour within organisations
With the above in mind, we at OpenSight would like to share a short step-by-step guide with you:
Step 1: Set up clear procedures that describe what behaviour is expected of everyone and make sure everyone is aware of it. You can use internal knowledge sessions for this.
Step 2: Create space for dialogue about this procedure so that you can understand in which cases the procedures are not or cannot be followed properly.
Step 3: Organize an awareness program that specifically addresses the tasks of the various functions and pays attention to this. Try to stimulate this internally by making it fun, for example by adding a competitive element.
Step 4: Measure behaviour frequently and respond to previous results, trends and internal feedback.
Step 5: Lead by example as management. If the CEO hasn’t changed his passwords in three years but tries to convince his employees to change their passwords every month, he’s not very credible.
If you would like more information about awareness training as a result of this blog, please do not hesitate to contact us on: