If Hollywood represented reality, insider threats would come from super-sophisticated computer geniuses working for super-villains, plotting the destruction of the world as we know it. In fact, the biggest threat most companies face probably comes from inside the organisation, and often in the form of perfectly well-meaning staff acting with the best of intentions.
Here are three tips to help with managing this threat.
Having resources in place does not necessarily mean internal resources. For many SMEs, outsourcing to a third-party vendor is often the best choice, since good cyber security companies offer expertise that a small business would struggle to build in-house. Having resources in place does, however, mean that you have sufficient cover, in whatever form that takes, and that someone in the company is responsible for online safety and cyber security issues.
A saying common amongst teachers is that “relevance + repetition = learning”, and employers need to take it to heart if they want the cyber security message to get through to their employees.
Relevance means the training has to make sense to employees in their own context. It must answer the question “what’s in it for me?”, so you need to show employees how their behaviour can either protect the company or put it at risk, using examples that fit the work they actually do.
This means that, unless you are a very small organisation, you may well need to organise different training courses for different groups of staff and tailor each one to their needs (and ideally their wants).
Repetition means ensuring your employees actively apply what they learn in their day-to-day work.
When staff complete a high-quality (that is, relevant) training course, everything is fresh in their minds. If they never have to use the training, it slips out of memory, and even if they do use it, it is easy to fall back into bad habits. Periodic refresher courses are therefore a good idea, particularly in a fast-moving field such as IT, where the nature and extent of the threats is constantly changing.
IT security is a subset of security in general and, as such, is relevant to all staff, particularly, but not exclusively, those who have any form of access to IT systems.
Obviously, the more access staff have, and the more sensitive that access is, the more aware they need to be of IT security and their responsibilities for it. But even staff with minimal IT access can provide an unwitting entry route for attackers, and staff with no access to IT systems at all can still compromise them by being lax about physical security.
Making sure your employees are aware of the many tactics cyber criminals use to gain access to your systems will help them stay alert to the risks. Those tactics include attackers walking into the business premises and persuading security or reception staff that they are there to maintain the computer or alarm systems, gaining physical access purely by bluffing persuasively (a technique known as pretexting). Working with an IT support provider, you could explore scenario planning tailored to your business.