
Cybersecurity starts with training your employees

12 Jul 17

The Petya ransomware attack that hit computers around the world recently, the second in two months, is yet another reminder that computers play key roles in most enterprises, and that it does not take much to disable those computers. Irrespective of how robust your information security systems are, users are still the weakest link in your company's cybersecurity.

It’s a business cliché that staff are a company’s greatest asset and potentially its greatest risk. And while that has always been true in the area of customer relations, it’s now equally applicable to data security. Users are the first line of defence against cyber-attack, and also – potentially – a business’s most glaring vulnerability. People are a very large attack surface, but organisations can reduce that attack surface by implementing an effective organisation-wide security awareness program.

Untrained employees are the linchpins for most data breaches. Those who attack businesses have no wish to spend a lot of time and money defeating their technology. Instead, they would prefer to infect the user with ransomware. Their favourite bait is the “spray & pray” phishing attack, which involves spamming users with email that carries malicious content.

It has become increasingly important to embed ICT security awareness at all levels of an organisation. While awareness is the key, there also needs to be a balance struck. Employees need to know the risk their online activities pose and how to manage it, without being rendered unproductive by overly complex procedures.

Computer security training isn’t just a matter of giving employees information. Knowing best practices and organization policy is important, but it helps only if employees understand that they make a difference and feel they are part of the organization's information security. The truth is that user ignorance of security makes most malware attacks possible, and that employees who are aware can avoid most of the attacks.

Information security awareness should be part of an organization's culture. Business leaders need to make sure their awareness programs cover all the important aspects of cybersecurity, which ensures that their employees are well trained to tackle current security threats. At the end of an education and awareness initiative, all users should be able to understand:

How to identify security threats

The user should be able to tell the difference between normal and malicious emails. They should understand best practice in internet usage and understand the organization's security policies.

How to respond to security incidents

The user must be aware of the security incident response procedure. Should they suspect a security incident in progress, they should be able to follow the security incident management procedure to stop the incident from spreading across the organization.

As they say, people are the weakest link in the information security chain; hence employee involvement is crucial for the success of an organization’s security strategy. There is often a disconnect between what employees know they should do security-wise and what they actually do in practice. Organizations that continue to implement and reinforce effective awareness programs have seen a reduced number of security incidents. That in turn maintains better uptime for the IT environment supporting their business processes and helps them uphold their reputation, resulting in better financial rewards.

Article by Mohammed Basheer, IT security practice head, ISYX Technologies.
