Tuesday, October 10, 2017

It’s coming from INSIDE THE HOUSE: 12 steps for your employees to become cyber-aware

Do you remember the movie When a Stranger Calls?

The movie opens with a babysitter receiving a telephone call from a man who asks, “Have you checked the children?” She dismisses the call as a practical joke, but as they continue, and become more frequent and threatening, she becomes frightened and calls the police. Ultimately, she receives a return call from the police, telling her that the calls are coming from inside the house.

(Cue ominous music)

October is National Cyber Security Awareness Month. And, according to one recent study, employee negligence or other error is the cause of 41 percent of all data breaches. Your data breaches are coming from inside your house. The question is what are you going to do about it.

Here are 12 suggestions to help make your employees cyber-aware.

  1. Safeguard Data Privacy: Employees must understand that your privacy policy is a pledge to your customers/vendors/etc. that you and they will protect their information. Employees should only use data in ways that will keep customer identity and the confidentiality of information secure.

  2. Establish Password Management: A policy mandating complex passwords, changed regularly, is required for any workers who will access corporate resources.

  3. Consider Two-Factor Authentication: Consider requiring multi-factor authentication that requires additional information (i.e., an additional pass-code delivered to a designated secondary device) beyond a password to gain entry. 

  4. Govern Internet Usage: Each organization must decide how employees can and should access the internet, which balances employee productivity against corporate security concerns.

  5. Avoid public and other unsecured wifi: An open wifi system is no different than an unlocked house. Just as you would not leave your house in the morning with the front door wide open, don’t leave your network exposed by using open wifi networks.

  6. Manage Email Usage: Many data breaches result from employee misuse of email, which results in the loss/theft of data or the accidental downloading of viruses, malware, or ransomware. You need standards on the use of emails, message content, encryption, and file retention. Moreover, do not forget to train your employees on how to detect and deflect phishing attempts—a cyber-criminal impersonating a trustworthy source in order to steal credentials, or place malware on a system? Nearly 40 percent of all employees report opening a suspicious email. “When in doubt, throw it out” is a refrain you should drill into your employees’ heads.

  7. Establish an Approval Process for Employee-Owned Mobile Devices: Ownership of smartphones has reached a critical mass. A “Bring Your Own Device” program is no longer an option, but should be required. If employees are going to bring personal devices into the workplace, and use them to connect to your network, you need to deploy reasonable policies to govern their use and protect your network and security (including the ability to wipe clean a lost or stolen device), instead of ignoring the issue or instituting prohibitions that employees will ignore anyway.

  8. Limit removable media and cloud storage: Removable and cloud storage limit your control over the portability of your data. If you need portable data, limit your employees to company-approved solutions that you can monitor and control.

  9. Watch Social Media: All users of social media need to be aware of the risks associated with social media. Social media presents a real risk of corporate breaches of confidentiality. It is easy to tell your employees, “Think before you click.” Yet, 76 percent of the Inc. 500 lack a social media policy for their employees, and 73 percent of all employers conduct no social media training. If you aren’t educating your employees about the risks and benefits of social media, both in and out of the workplace, you are not only missing a golden opportunity, but you also leaving yourself exposed to breaches of confidentiality and other snafus.

  10. Oversee Software Copyright and Licensing: Software usage agreements oblige organizations to adhere to their terms, and you should make employees aware of any software use restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company (some of which could expose the company to viruses, malware, or ransomware).

  11. Terminating employment means terminating access: Employees must be reminded that at the end of their employment, devices must be returned immediately, or, if it’s an employee’s BYO device, it will be wiped clean of all company information.

  12. Report Security Incidents: Finally, all of the above goes out the window if your employees do not know and understand when and how to report a security breach (including lost or stolen devices), and how and when to report malicious viruses, malware, or ransomware in the event it is inadvertently imported. All employees must know how to report security incidents and what to do to mitigate any damage.

Data breaches are not an if issue, but a when issue. You will be breached; the only question is when the breach(es) will occur. While you cannot prevent a data breach from occurring, you can and should train your employees to sure up any knowledge gaps that further opens the risk they inadvertently pose.

On October 31, I am presenting Creating a Corporate Culture of Cybersecurity as part of Law Day at the 2017 Information Security Summit. This week-long event is your one-stop shop for all things cybersecurity. I hope to see you there.