Are Employees Your Weakest Link When It Comes To Security?

In security, the “human factor” is the bit we can’t account for.  Your technology could have every fail-safe, every safety feature and yet a lack of employee education could instantly compromise all of that.

So just how much of a threat are your employees?  Well, when IBM carried out the 2016 Cyber Security Intelligence Index, it found 60% of all attacks were carried out by insiders.  It’s not just ineptitude or human error either.  Cyber crime is a huge growth area and cyber criminals aren’t just lingering in a locked room on the dark web – they could be suited and booted and sitting right there in your office.

There are so many types of cyber crimes that threaten businesses.  From an activist who deliberately leaks data, to a disgruntled employee who sells a story to the press – you also need to be aware of malicious employees working with hackers or fraudsters too, supplying passwords, sensitive data or releasing malware into your system.  The human factor in all of this is unpredictable, after all.

So how can you turn your biggest threat into your biggest opportunity?

By putting security training at the heart of business development among your employees, and effectively training them to fight against an attack.  It's no easy feat but put yourself in your employees’ shoes: isn’t it much nicer to be invested in, trusted and involved in the security of your organisation?

My advice, don’t perceive employees as a threat – educate them about how they can become a “shield” against cyber crime. If you’re unsure where to start here are three easy ways to get started:

Start the process from the top down: The lines of communication need to be as strong between the security department and the management board as they are between IT and employees. Make briefings a diarised appointment and ensure management are fully briefed on the risks facing your organisation , the potential implications, and how employees can help be part of the solution.  Leading by example cannot be underestimated, so people will be inspired to take security seriously if they see the management board doing so too.

Encrypt everything: Use two factor authentication as standard, and put users into security groups according to their ability and expertise.  A one size approach doesn’t fit all in training terms so it’s important those with a better understanding aren’t talked down to, and those with more to learn are given the tools they need to understand why taking an active role in cyber security is so important.

Talk in terms of “shield” not “threat”: Be positive right from the start and don’t talk down to employees - you should have faith in them, and encourage them to take an interested in shielding the business from threats.  Yes, the risks are real, but inspiring staff is much more successful than demeaning them. You can incentivise through rewards and create ambassadors to promote your goals for you – stakeholder management is a great technique to use.
Teaching your employees to be more cyber aware is a skill for life, so make the training relatable to them and their everyday lives.  If people believe learning something new is good not only for you, as their employer, but for them, and their families, you’ll get a serious level of buy in and find your employees can quite easily become your biggest asset.

Jane Frankland is a cyber security expert and Managing Director of Cyber Security Capital, which helps cyber security professionals to develop their careers or build their businesses. She is passionate about helping to increase the numbers of women in cyber security and has authored a book - In Security: How a failure to attract and retain women in cyber security is making us all less safe.

First pubished on Dropbox Business Blog:

 

 

« London Conference: Protecting Critical Infrastructure
Trump Administration's Policy On Cybersecurity »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Exec

Cyber Exec

Cyber Exec is an executive search firm dedicated to global talent acquisition in Cyber Security, Information Technology, Defense...

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

Sliced Tech

Sliced Tech

Sliced Tech provides enterprise grade managed Cloud services, including Security-as-a-Services, aimed at meeting the needs of commercial and government clients from within Australia.

Cyberens

Cyberens

Cyberens provide cybersecurity consulting services in IT sectors relating to defense and space, banking, industrial control systems and IoT.

Accel

Accel

Accel is a leading venture capital firm that invests in people and their companies from the earliest days through all phases of private company growth. Areas of focus include cybersecurity.

Stamus Networks

Stamus Networks

Stamus Networks offers Scirius Security Platform solutions that marry real-time network traffic data with enhanced Suricata intrusion detection (IDS) and an advanced analytics engine.

Ampliphae

Ampliphae

Ampliphae gives you an easy-to-deploy, sophisticated and affordable cloud-discovery, security and compliance platform.

RapidScale

RapidScale

RapidScale’s managed cloud solutions provide reliable, innovative, and secure services, all complete with white-glove service and full management options.

Cybolt

Cybolt

Cybolt helps companies, organizations, and governments manage digital risks and live in an environment of confidence and certainty.

BaXian Group

BaXian Group

BaXian AG is an international consulting company specializing in IT security, data analytics, risk management and compliance.

Infinipoint

Infinipoint

Infinipoint pioneers the first Device-Identity-as-a-Service (DIaaS) solution, addressing Zero Trust device access and enabling enterprises of all sizes to automate cyber hygiene.

Singtel Innov8

Singtel Innov8

Singtel Innov8, the venture capital arm of the Singtel Group, invests in and partners with innovative technology start-ups globally.

Ampsight

Ampsight

Ampsight specializes in enabling cloud integration, securing data, and navigating complications that drive critical-mission success.

RAH Infotech

RAH Infotech

RAH Infotech is India’s leading value added distributor and solutions provider in the Network and Security domain. We are specialists in Enterprise and App Security and Application Delivery.

SurgeONE.ai

SurgeONE.ai

SurgeONE.ai is the first AI-driven platform built to transform compliance, cybersecurity, and data across financial services—powered by experts, guided by insight.

Secure Traces

Secure Traces

Secure Traces is a unique cyber security services provider with an impeccable track record of delivering outstanding services.