When it comes to defending your organisation, your employees can be your cyber security weakest link or greatest asset.
With many organisations investing heavily in cyber technologies, criminals are recognising that through deceiving staff, they can bypass the most sophisticated defences. By tricking employees through tactics, such as phishing, criminals are proving that a human is the weakest link in security.
So, whilst you may think your organisation is secure using sophisticated computers that don’t make mistakes, people do make mistakes. The good news is that with comprehensive staff training, it is possible to ensure your employees stop being the weakest link in the information security chain.
Why are employees the weakest link in cyber security?
There are a number of reasons why your employees may be behaving in ways that put your organisation at risk, including:
Your employees have a lack of awareness
Inadequate cyber security training typically results in employees that lack awareness of cyber threats. Simple practices, such as using strong passwords and implementing Multi-Factor Authentication, can significantly enhance your organisation’s security posture.
Ensure your staff are aware of the importance of robust passwords, or preferably passphrases. These should include a combination of lower-case and upper-case letters, numbers and other symbols. Furthermore, staff should be made aware of the risks of always using the same password. Once a password is breached, criminals will seek to use it to gain entry to a range of other systems and applications.
Staff should also be aware of Multi-Factor Authentication, which is a critical control that can reduce the risk of a breach, even if passwords have been compromised. Ideally your staff should require three factors to access any system comprising:
- Something they know, e.g., password
- Something they have, e.g., a one-time code sent to their mobile device
- Something they are, e.g., a fingerprint scan
With Multi-Factor Authentication in place, the vast majority of cyber criminals will be prevented from breaching your systems.
Comprehensive awareness training will ensure your staff are equipped with the skills they need to keep your organisation secure.
Your employees may be using unsecured networks
With so many staff now routinely working from home, organisations have effectively extended the corporate network into the residences of all their staff.
All too often staff are using residential wi-fi routers that offer an inferior level of protection compared to enterprise-grade wi-fi routers. These may leave your critical corporate, customer and employee data exposed to breaches.
And don’t assume that using a VPN to access the corporate network will keep you safe. Sophisticated hackers can still penetrate VPNs and remote desktops, particularly if they’ve not been configured correctly.
Another concerning trend is the adoption of BYOD – or Bring Your Own Device. Staff handling corporate data on personal devices can be asking for trouble. Your IT team has very little control over individual staff members’ personal devices. There’s no way to ensure systems are being regularly updated with the latest patches, nor can endpoint protections be managed. Wherever possible, staff should be issued devices by the company for conducting work.
The dangers of human error in cyber security
Human error represents a real danger to your organisation. One simple mistake is all it takes to undermine years of hard work building up your corporate reputation. Customers expect their identity will remain secure when transacting with an organisation. A breach could see you permanently lose customers and market share. In addition, news of a data breach can shake the confidence of shareholders and investors in the senior management, downgrading the value of a company and making capital raising more difficult.
Perhaps most significantly, Boards may be held liable in the event of a serious breach if they have acted negligently and not taken measures to strengthen their organisation’s resilience against such risks.
The Office of the Australian Information Commissioner (OAIC) publishes regular reports detailing serious data breaches. It regularly finds that human error accounts for the second largest cause of data breaches.
In their January 2022 report, 33% of breaches were attributed to human error, compared to 30% during the same time last year. It cites common examples of human error breaches include sending personal information to the wrong recipient via email (54% of human error breaches), unintended release or publication of personal information (34%), and failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.
How to increase awareness of cyber security in your company
Here are a number of ways you can increase cyber security awareness:
Conduct ongoing assessments
Many of you will have heard of penetration testing. That’s where you attempt to breach your network perimeter and application layer in order to identify vulnerabilities that need remediating.
However, have you heard of Social Engineering Penetration Testing?
This is one way to regularly assess your staff. They will be sent simulated phishing emails to see whether they have the required awareness to prevent being deceived into clicking malicious links or opening malicious attachments.
Such assessments should be conducted on an ongoing basis to identify any staff that may need further training.
Make cyber security a part of your company culture
Cyber security isn’t simply about IT. It requires that you align people, process and technology to achieve a mature cyber security posture.
To ensure your people are fully onboard, you need to instill good cyber practices in the company culture. Staff need awareness training that is interactive and engaging. The training needs to incrementally build up their knowledge with tests that are not designed to trick them into failing, but rather seek to give them confidence that they can contribute to their organisation’s security.
Develop a plan everyone is on page with
When developing a cyber security strategy in your organisation, make sure the Board, senior management and department heads are all on board.
Once you have buy-in from the top of the organisation, the rest of the organisation will follow suit.
It’s important that Boards understand they have responsibilities around reducing their organisation’s exposure to cyber risk. Demonstrating how cyber security can be a business enabler by allowing the company to grow in a secure way will help get Senior Management and department heads on board.
Your organisation’s cyber security resilience depends to a great extent on the individuals within your organisation. With the right awareness and training, they will be your first line of defence in protecting you from a range of threats.
To ensure they have the right skills to keep your organisation safe, contact Phriendly Phishing today.