User Awareness is a big deal in cyber security


One thing you can be sure of when it comes to criminals is that they’ll always target the weakest link they can find. You can have the best security system, alarms, bars on your windows and man-traps on your building, but if your employees are clueless about your security then all that will quickly become worthless. Most employees are honest and well-intentioned, but that also means that, more often than not, it’s the people who are the weakest link.

The same thing is true when it comes to cyber security. Web filtering, anti-malware software, and intrusion detection are great but if employees don’t know why they’re important to your organization and how they work then your own people can easily render your cyber security useless.

Let’s go back to physical security for another example and talk about the man trap. If you’re out and about, chances are you go through at least one every week without even realizing it, assuming you know what a man trap is to begin with.

A man trap is just two sets of doors on the way into a building, with one set in front of the other. Rather than unlocking one door to get into a secure building, you need to unlock two. That second door allows entrants time to ensure they are alone before proceeding. You’ve also likely seen how bad actors can still circumvent the trap; they just piggyback on someone else, usually by pretending they lost their keys or something similar. The doors can’t (realistically) be defeated physically, so the crooks go after the people instead.

The same is true for cyber attacks. If there’s an actual vulnerability that allows an attacker access, they will exploit it. Think back a few months to the issue with Exchange and how quickly attackers started exploiting it. But without that vulnerability, the next weakest link is the people. Phishing scams are a good example. They’re built to bypass spam filtering, but they attack the end user by trying to trick them into exposing credentials. Most successful attacks that don’t exploit some kind of vulnerability in the equipment are designed to attack people.

So how do you go about raising your people’s awareness of cyber security? Well, one option is to train them. You can invest in an online class or course for employees to attend, focusing on security topics. While it’s effective, it’s also expensive and not a one-off. You’ll need to regularly repeat the courses with new hires and as material changes. It becomes an ongoing expense.

There is another way that’s less expensive and not as good, but still effective enough. Make sure security directives come from the top and are properly enforced. Acceptable Use Policies cover things like personal use of company computers, mobile devices, the use of social media, and so on. As an organization you need to openly acknowledge that electronic threats are a reality, and put in place safeguards to help address them. You also need to inform your employees about these policies, and you’ll need tools to enforce them. Ensuring your workforce is aware of the security that’s in place will help improve their overall security awareness.

People often make the mistake of thinking that cyber security is exclusively IT’s problem, but a lot of the responsibility lies with the people using the equipment. Just as traffic laws are meant to keep people safe on the roads, everyone needs to follow the rules when using the computers. That means it’s up to the organization to define what those rules are and educate everyone on them.

Shakespeare’s “Love’s Labour’s Lost” contains the quote for this newsletter: “A jest’s prosperity lies in the ear Of him that hears it, never in the tongue Of him that makes it.”

If you have any questions about employee cyber security training, please reach out to your TRINUS Account Manager for some stress-free IT.

 

By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.
