Over the last year the world has become well accustomed with the idea of cyber data breaches. It seems like a new huge data breach has been reported week after week. From Talk Talk to Ashley Madison, with each breach exposing more records than the last.
While these threats are most often initiated by outsiders such as programmers writing malicious code designed to grab corporate data, remove confidential customer information and/or raid company financial data – cyber criminals are too often able to gain access due to employees’ ignorance and/or negligence.
It is therefore vital for every business to educate employees about cybersecurity, to train them before a breach occurs. Below is a list of tips that can help you educate your employees and develop policies that will help mitigate ever-growing cybersecurity risks.
Regularly Talk to Employees
It’s important for companies to include cybersecurity training on a regular basis, explaining the potential impact a cyber incident may have on your operations. Employees need to know their obligations, especially when it comes to mobile data. It’s not enough to require an annual review and signing of an “I have read and understand company IT policies” statement.
Remember Top Management and IT Staff
Top managers are often the target of cyber criminals because of their higher level of access to critical corporate and customer data. This increased access has a much bigger damage/financial payoff for the hackers. IT staff are also more susceptible, given their administrative access over the network.
The Weakest Link
Any network is only as strong as its weakest link. Explain to employees that while your company is making its best effort to secure the company’s infrastructure, it’s critical that employees fully engage and do their part in following company policies. Policies should be sophisticated enough to cover all possible attack vectors.
Companies should have regular, focused sessions with employees to explore different types of cyber attacks. Threats change, new people come on board, and employees get caught up in their day-to-day activities, sometimes losing focus on the security threats presenting themselves. Consider having regular lunch and learn sessions, and encourage employees to use what they learn at home on their own computers.
Warn employees to pay special attention to social engineering ploys they will find in social media, blogs and emails. It’s also important to point out that many cyber incidents begin with a phone call from someone posing as a co-worker asking seemingly innocuous questions. Meanwhile, they are actually gathering information about the company and its operations.
Recognising an Attack
Train employees to recognise an attack. It’s essential that companies have policies in place that assume they’ll be infiltrated. Don’t wait to react. Have a documented remediation plan in place and update or review it frequently. Communicate step-by-step instructions about what employees should do if they believe they’ve witnessed a cyber incident.
Training should include specific rules for email, web browsing, mobile devices and social networks. Don’t forget the basics, such as physically unplugging the machine from the network and notifying the admin of any suspicious emails, activity or lost devices.
Regularly Test Employees
Companies should regularly test their employees’ cybersecurity knowledge and tie the results back into the training curriculum. It’s important to make it fun and/or rewarding, with incentives for prompt responses.
If an incident happens, give employees a heads-up as soon as possible. A lack of transparency or improper handling of a cyber incident may significantly increase the impact of the event. Issue instructions to employees about how to speak to the public and the press about the incident. Have an internal communications plan and PR strategy in place before anything happens.
Consider insurance for cyber incidents
Internet and network exposures are usually excluded from traditional insurance policies. Riskworks, however, works with leading cyber risk insurers to develop cyber risk insurance protection. Ensure you have it covered:
Call Jon Davies from the Riskworks Business Services Cyber Team on 01625 547754 to discuss further.