Developing cybersecurity habits

Nowadays, every user is repeatedly warned to stay away from suspicious emails, attachments, and ads that pop up on the screen asking for permission to download a malicious payload. Yet even after numerous attempts to educate employees on the norms of cybersecurity, in some cases we still fail to keep the network secure. The methods used to teach cybersecurity norms should be not only informative but also easy to understand for workers who are not tech-savvy.

It is well known that, above anything else, individual users are the most important link when it comes to building a security perimeter and defending your company from data breaches and other network threats. Developing strong security habits in employees will eventually prove beneficial for the company.

By overcoming communication obstacles between employees at different organizational levels and in different departments, and by uniting everyone in the company around the threats they face, you can build a cyber-resilience setup that is very effective. The section below carries a few important guidelines for improving cybersecurity awareness in your company.

Drill the basics

There are a few basic steps whose importance must be widely conveyed and effectively practiced in order to keep cyber attacks at bay. A strong password policy substantially increases overall security, making it difficult for hackers to tamper with the system. Strong passwords should always go hand in hand with 2FA, which adds another security layer. Bear in mind that the popular SMS-based 2FA method is less effective than Google Authenticator or other methods.

Another step toward cyber security is to limit the use of data, software and systems to only those who really need them. Access rights should be checked on a regular basis. If an employee leaves the company or changes roles, all the sensitive information they could previously access should be made unavailable to them.
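The periodic access review described above can be automated as a reconciliation between an HR roster and the current access-control list. The following is an added illustration, not code from the article or its author: the roster, the role-to-resource mapping and the ACL snapshot are all constructed sample data, and the resource names and roles are assumptions. It flags three things a reviewer would want revoked: grants held by leavers, grants that no longer match a mover's current role, and grants on accounts that HR does not know about at all.

```python
"""Access recertification check (added illustration, not from the article).

Reconciles an access-control list against an HR roster: flag entitlements held
by people who have left the company, entitlements that no longer match a
person's current role, and accounts HR does not own. All data below is
constructed sample data; roles and resource names are assumptions.
"""
from dataclasses import dataclass

# Constructed HR roster: who is still employed and in which role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "accounting"},
    "bob":   {"status": "terminated", "role": "sales"},
    "carol": {"status": "active", "role": "sales"},   # moved from accounting
}

# Constructed role-to-resource mapping (assumed least-privilege baseline).
ROLE_ENTITLEMENTS = {
    "accounting": {"ledger-db", "payroll-share"},
    "sales":      {"crm", "quote-tool"},
}

# Constructed ACL snapshot: user -> resources they can reach today.
CURRENT_ACCESS = {
    "alice": {"ledger-db", "payroll-share"},
    "bob":   {"crm", "quote-tool"},
    "carol": {"crm", "quote-tool", "ledger-db"},  # stale accounting grant
    "dave":  {"crm"},                             # not in the HR roster at all
}


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    reason: str


def review_access(roster, role_entitlements, current_access):
    """Return the list of grants that should be revoked, ordered by user."""
    findings = []
    for user, resources in sorted(current_access.items()):
        record = roster.get(user)
        if record is None:
            # Orphaned account: nobody in HR owns it, so every grant is suspect.
            findings.extend(Finding(user, r, "unknown user") for r in sorted(resources))
            continue
        if record["status"] != "active":
            # Leaver: everything they could reach must go, regardless of role.
            findings.extend(Finding(user, r, "leaver") for r in sorted(resources))
            continue
        # Mover or over-provisioned user: keep only what the current role allows.
        allowed = role_entitlements.get(record["role"], set())
        for r in sorted(resources - allowed):
            findings.append(Finding(user, r, f"not in role {record['role']}"))
    return findings


def revocation_plan(findings):
    """Group findings into per-user sets of resources to revoke."""
    plan = {}
    for f in findings:
        plan.setdefault(f.user, set()).add(f.resource)
    return plan


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, CURRENT_ACCESS):
        print(f"REVOKE {f.user} -> {f.resource} ({f.reason})")
```

Run on the sample data it reports four revocations: both of bob's grants (leaver), carol's leftover ledger-db access (mover), and dave's crm access (account unknown to HR). In a real deployment the two inputs would be pulled from the HR system and the identity provider on a schedule, and the revocation plan fed back to the provisioning tool rather than printed.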

Some specific software should be granted only limited access. Employees should not be able to download executable files or certain types of scripts. Protecting your company by introducing software whitelisting has proved advantageous in many situations.

Prepare engaging security training programs and run them on an ongoing basis

Plenty of people do not like to study. For many of them, it resembles school days when they had to learn things they were not interested in, all presented in a boring, unengaging way. There is no excuse for running cybersecurity training in a dull manner that echoes that negative experience from the past.

In one of my previous jobs, the mandatory 4-week security training program was given as a PowerPoint presentation. The IT guys presented a short test at the end. And what do you think happened? Just like in school, one clever employee completed the test and forwarded the answers to all of us. At the end of the day, people learned nothing. Most of us did not even read those slides.

And this is the kind of security training that is most common in organizations of all sizes. If your company really wants to create a cybersecurity culture, it should try to make the programs interactive and engaging. Real-life examples work very well. If possible, use examples from your partners or from companies working in the same niche. But do not stop there. Explain the importance of each employee's role and how it helps the organization work smoothly.

Try to make it fun. Run a test intrusion campaign (with harmless, simulated viruses) and launch a competition to determine who can spot a spear phishing message or a malicious website first.

Make it ongoing. Do not impose several full weeks of training once a year. Make it part of your weekly agenda and remind workers to always be vigilant. It is also important to reward people for reporting threats or bugs.

Customize security training for each department. Not all workers face the same cyber threats. Build room for dialogue between different departments so they can share their experiences.

Keep track of employees' post-training results

Organizing quirky exercise sessions and small tests at regular intervals will keep employees engaged and fuel their interest in achieving better results. The tests should be conducted not to rank one employee above another but to make sure that the information given during the learning sessions seeps smoothly into everybody's daily practice.

Make the threat reporting process easy

Sales, accounting, and other departments think that they stand apart from the security team until a serious cyber threat pops up or they have made a mistake. The immediate necessity in this case is to build quick interdepartmental communication. Employees should feel comfortable reporting threats and should not be afraid to do so. The IT and security personnel should be seen as friends who are always eager to lend a helping hand.

Conclusion

Strengthening your weakest link (humans) is the most obvious advantage of developing a strong cybersecurity culture in the company. Continuous cybersecurity awareness training may be expensive or sometimes inconvenient, but it will make employees more independent and self-reliant. If you do not implement these measures from the beginning, you face the very bad consequences associated with data breaches. At the same time, maintaining a robust cybersecurity culture will automatically strengthen customers' trust in your brand, as they will be assured that their data and confidential information are taken seriously.

About the Author

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.