Employees may be one of the biggest security risks, but also an organisation’s major strengths. Many firms don’t realise that employees can help mitigate risk.
Familiar names such as CryptoLocker, DDoS, botnet attacks and ransomware are now commonplace in the common world. Manuja Wijesekera, pre-sales solutions architect - Fortinet, Wavelink, says it’s about taking a multi-dimensional approach to protecting organisations.
“Given the explosion of hacking related security outbreaks in the past couple of years and the damage it can do to organisations, it is becoming more important than ever to remember that no matter what technology or security measure is in place, more often than not employees are the first line of defence,” Wijesekera explains.
He says risks can come in the form of mistakes, being unable to identify a suspicious link or email, connecting unsecure devices to the network, or even insider threats, this should all be considered when coming up with a mitigation strategy.
“Employee mistakes are a common cause for security breaches and hackers are using the emotional aspect when trying to entice us to click on a link or open an infected file, hence the need for organisations to foster an environment where an employee can ask questions without being reprimanded or ask for help if they think they’ve made a mistake that might have put sensitive data at risk.”
He says that organisations should make employee engagement as part of their workplace culture, from the onboarding and induction process, as well as regular exercises and awareness campaigns throughout the year. Those in charge of security should also be certified.
That may not be so easy for small- and medium-size businesses. They don’t have the dedicated resources, and are ‘setting themselves up for a breach’.
“The other issue is that many smaller organisations are not willing to invest at all until they have suffered a breach, which is often too late. Their network may even have already been penetrated without them knowing it because they don’t have the systems in place to track it,” Wijesekera explains.
He says that it’s less of an issue because security involves CEOs and other high-level executives, especially when they are being held accountable for protecting sensitive information.
“Ultimately, all organisations need to look at making security part of their overall culture, and move away from the notion that having a single security device at the edge will make them secure. They should look for solutions and partners that can offer a fabric of security technologies with the importance given to technologies that are able to share intelligence. They also need to have a good governance program in place to maintain and monitor security in real time and an awareness program that includes all employees,” Wijesekera concludes.