In light of National Cybersecurity Awareness Month, we explore a fundamental aspect of security awareness: the value of employee education within a security policy.
The rapid pace of technological advances combined with the proliferation of cybercrime is creating a paradigm shift within IT. From enterprises to consumers, there is no shortage of technology designed to make your life even easier or your business even more cutting-edge. As technology evolves and users migrate to the next best thing, cybercriminals follow suit, seeking new attack vectors within the latest trends. This pattern puts a great deal of pressure on traditional security teams to update their policies and processes. But just when an organization has put a new technology in place and adopted its processes, it may already be obsolete. And the cycle continues.
Organizations struggling to keep up realize they can't simply opt out; keeping their infrastructure unchanged means their business loses out on the benefits of advanced technology like cloud, containers, mobile devices or IoT. How can organizations keep up with the rapid pace of technology while ensuring the security of their systems? It starts with awareness: security policy implementation and employee education.
Most organizations are aware that having a security policy in place is the first step to safeguarding their network. However, many struggle to understand where to begin to write an effective, actionable security policy that can be easily revised to meet the needs of the evolving landscape. Whether an organization chooses to adapt an existing policy or write its own from scratch, one thing to keep in mind is that the most common cause of a data breach is human error, often in the form of unwitting employees.
Where do employees fit into the policy?
Cybercriminals will always take the path of least resistance, targeting the weakest link in an organization's security infrastructure – most often, unsuspecting employees. One of the most popular techniques attackers use to trick employees is the phishing attack. In fact, the Anti-Phishing Working Group (APWG) recently reported that the number of phishing websites increased 250% from the last quarter of 2015 through the first quarter of 2016. Unfortunately, attackers continue to propagate these threats because they know they will work.
The most fundamental – yet often overlooked – way to avoid a data breach caused by human error is to properly train employees on security best practices, and it begins with a security policy. This can take the form of enforcing password guidelines or cautioning on the dangers of accessing corporate data over public Wi-Fi. Additionally, as more and more employees use mobile devices for corporate purposes, they should be armed with guidelines for effective mobile security.
Going beyond the basics, empower employees with knowledge about the latest threats and common tricks used by cybercriminals. Would employees recognize the difference between a phishing email and an authentic email? How likely are they to click on links from unknown senders? If employees have some knowledge of the threat landscape, combined with a firm grasp of best practices, there will be greater adoption of those best practices.
There is no magic security wand to instantly solve all your IT concerns. However, implementing the right policies that include an employee training program is essential to securing your network. National Cybersecurity Awareness Month is a good time to assess your security posture, ensuring that your policy is bulletproof and your employees are security-savvy.