October is National Cybersecurity Awareness Month, when the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between government and industry to raise cybersecurity awareness.
This year’s campaign theme — “See Yourself in Cyber” — focuses on the “people” part of cybersecurity. That makes sense on many levels.
First, human error continues to be the leading cause of cybersecurity breaches. Nearly 60% of organizations experienced data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.
Then there’s the information noted in Verizon’s latest Data Breach Incident Report (VZ DBIR): 82 percent of breaches involved a “human element,” in the form of stolen credentials, phishing, misuse, or user error. And while the internet and computer technology are frequently used in cybercrime, the perpetrators behind that crime are people.
People as Your Defense Team
Despite their role in cybersecurity incidents and threats, people can also be your front line of defense. In addition to the information and resources provided on the Cybersecurity and Infrastructure Security Agency (CISA) website, consider the following to minimize human-generated cyber incidents and increase overall IT security.
Build In-house Security Expertise
Develop in-house security expertise. If you don’t have the budget for hiring security experts, an IT staff member can be designated to take on the role of “security expert” in addition to his or her other responsibilities. Just make sure your IT budget covers ongoing security training to help ensure this individual can successfully fulfill the role.
If you do hire IT security professionals, keep in mind that you’re competing for what has become a shrinking candidate pool. Be prepared to make an investment – and not just at the hiring stage.
The desire for continued personal development and growth is a common trait among high performers in all disciplines, IT security included. Unchallenged or undervalued employees can result in high turnover. Budget for skills and career development for the security professionals you hire to keep them at the forefront of their professions, on top of emerging threats, and satisfied.
Augment In-house Expertise
Supplement in-house IT security with assistance from third-party companies that specialize in IT security. They’re typically on the frontline of the industry and have the most current knowledge and access to the most up-to-date tools. Their expertise can be invaluable.
Opting for managed security solutions from a third-party company also may be a good idea. These services are usually built on leading-edge technologies, offered for a monthly fee, and covered by service-level agreements. The use of these services can also free up your staff from some of their IT security responsibilities. Conducting an audit of your existing IT security can help you identify gaps that managed security services can fill.
Educate Your Staff
Even the most advanced security technologies won’t keep your organization’s data safe if your employees keep clicking on suspicious links, sharing their passwords, or engaging in other risky behaviors. Your tried-and-true in-office security measures also may not be sufficient to deal with the out-of-office risks that come from the increase in employees working from home.
That’s why staff training is more critical than ever. In addition to your company’s security policies, cover best practices for computer and network use, both in the office and at home, as well as mobile device usage. Include a testing component to help ensure employees understand what they learn.
Keep employees apprised of common and emerging phishing ploys and other threats. Consider specialized learning modules for particular employee groups, such as those whose positions require knowledge of specific regulations like HIPAA, PCI or GDPR. Don’t let training be a one-time thing. Conduct it frequently to keep information security top of mind for employees.
While employees must have the tools and information to perform critical business functions, they probably don’t need access to everything. The same is true when it comes to contractors and vendors. Only provide access to what’s actually needed for people to do their jobs. This can help minimize opportunities for negligent or malicious people-generated data breaches.
Stay on top of who has access to what and why, and make updates when employees change positions within the company or leave the company.
Implement Smart Security Policies
Make it easier for employees at all levels throughout your organization to use IT services safely and mitigate potential risks. Implement strict password and account management policies and practices. Limit or restrict USB access to computers. Consider blocking access to social media from company devices.
Keep applications up to date with regular patches to lessen the chance of employees falling prey to software vulnerabilities. Employ a multi-layer, defense-in-depth strategy that provides protection at the perimeter, application, endpoint, and physical security layers. If one mechanism fails, another is available to thwart an attack.
Strengthen endpoint protection with a proactive Endpoint Detection and Response solution. It should incorporate continuous monitoring and advanced technologies such as machine learning to protect against, detect and quickly respond to ever-changing and increasingly complex threats.
The more you can do to help employees work safely, the safer your company’s data and IT assets will be.
US Signal Has You Covered
For more information on IT security – including the people side – contact US Signal. From managed security services to IT security assessments, we can help you strengthen your organization’s security posture and resources. Contact us by calling (866) 274-4625 or emailing [email protected].