This Cybersecurity Month, Cultivate a Security Culture at Work

If you work in IT, the idea of a data breach is probably a lot spookier than some ghost invading the data center. October is Cybersecurity Month in the United States, and organizations like the FBI, the National Cyber Security Alliance, Sophos, and others are promoting secure digital practices for home users and businesses. It’s the perfect time to reevaluate your approach to cybersecurity and make sure you’re cultivating a culture of cybersecurity.

With ransomware continuing to spread at an ever more rapid clip and the cost of IT system downtime hitting over $1 million for the average enterprise, you can’t afford to lose productivity to viruses, malware, or stolen intellectual property. Here are some quick tips to help foster secure digital practices in your workplace.

1) Don’t fearmonger, but make the threat real

You don’t want to get overly scary, even if it is the Halloween season. Workers are more likely to make fun of you for being dramatic if you’re too heavy handed with the examples of cyber threats. But you do need to make sure employees understand how real digital threats can be.

This will probably involve getting some kind of higher up support from executives or the C-suite, as the weight of their advice is more than a communication from “someone in the IT department.”

Point out the overall cost to businesses (which can be in the millions for large enterprises, and the hundreds of thousands for small businesses). Stress different attack angles for different departments – showing your finance team these overall costs, or how e-mail spoofing is used to secure wire transfers, while you instead show lower level employees phishing or social engineering attacks, like leaving a preloaded USB stick around the office waiting to be plugged in by an unsuspecting mark.

2) Keep awareness high

Once employees know about the risks, they’re likely to go ahead and forget about them or ignore them for the sake of convenience. Writing passwords down and keeping them short is easier, after all!

Leverage your internal communications team to keep awareness around cybersecurity practices high with regular communications, notifications about breaches in your industry, and public announcements via posters, e-mail, or meetings. When a major zero day vulnerability comes out, or just periodically throughout the year, remind everyone they should be updating their software regularly.

Don’t just broadcast, though. Get employees involved with competitions, mandatory trainings with rewards, or public call outs, either for screw ups or congratulations.

3) Train employees about the most common threats

Phishing, malware, ransomware, and social engineering are real possibilities in your data center or even in a typical office. Employees need to be trained to use strong passwords, avoid clicking on suspicious e-mails, and to confirm identities before divulging sensitive information or granting physical or digital access.

Start with new employee training materials and a company-wide meeting led by your CTO, CSO, or other high level manager. Add reminders on login to new services. Set strong password requirements and automatically force passwords to expire – but make sure users know why they have to adhere to these requirements.

Keep the concepts simple and easy to implement for users. Explain the importance of two factor authentication. License or preinstall a password manager for each employee. Set automatic updates on all company-owned devices, or explain why updates are vital for antivirus tools and operating systems.

The most common threats can be caught with a combination of strong passwords, regular patching and updates, an antivirus/antimalware tool, limiting access to sensitive information, and regular monitoring.

4) Test and measure your efforts

An example above of making the threat real involves leaving a USB stick around the office that is preloaded with software. This is one way to mimic a real attack. Of course you don’t want to install real malware on someone’s work machine, but having a fun image pop up, or even just reporting that the device has been plugged in to a central record, can be one way to test if your training is actually working.

Periodic tests for employees are another way to check that your training has penetrated memory and daily practice.

Encouraging reporting of suspicious activity by employees can give you further insight. Include a formal reporting process as part of your training and cybersecurity practices, then see if you receive more reports after six months.

While the initial effort might seem daunting, laying the groundwork for strong cybersecurity starts with your employees. They're on the front lines for most attacks, which are less likely to come via sneaking in the digital backdoor than by coming in through the front in sheep's clothing.