Cyber Essentials #2 – Your Team & Users – The Human Element
As users of your organization’s digital hardware and systems, employees are an essential part of a culture of safe digital content use. This applies both to advanced users, such as your security team, and to end-users who simply want to get things done quickly with digital tools. Ultimately, the organization is only as strong as its weakest link, and human error, so often cited by information security practitioners, frequently decides whether an attack succeeds.
As the person responsible for IT security, you can group the people around your organization in different ways. Above all, given the current popularity of supply-chain attacks (reaching the organization by compromising its suppliers), you should not limit the human element of IT security to your own company’s employees.
We propose the following division:
- Team – Your employees, the first element of response and the most informed users, are often the first line of defense of your organization. Investing in personnel reduces vulnerability and fuels an ownership culture. They must be prepared to recognize cybersecurity threats such as phishing scams, password extortion, missing software patches, or the use of outdated systems. Additionally, they must be trained in appropriate incident response and communication.
- Managers – these are users too, but ones who, if unaware of the need to secure data and systems, can be a particular burden. Think of them as “cybersecurity project sponsors” in your company.
- Users – anyone who interacts with your company’s digital assets. Their awareness is crucial – because there are too many of them to spot all incidents.
- Suppliers – people who have access to internal systems due to business ties with your organization.
Fortunately, there are many resources and methods that can be used to develop cybersecurity knowledge and awareness in the above groups.
We will list them below:
- Develop a culture of awareness to encourage employees to make good online choices.
- Identify the behavior you want to change and develop a cybersecurity strategy targeting your cyber expectations.
- Determine what success looks like using guidelines and principles – include and remind users of IT security policies.
- Constantly enhance cyber hygiene as with other workplace hygiene (e.g. hand washing, professionalism, etc.).
- Create incentive structures that promote good habits (e.g. recognition for good behavior, loss of privileges for persistent reckless behavior).
Useful Resources:
https://gcatoolkit.org/smallbusiness/ – A set of guidelines for raising awareness of IT security. Contrary to the link name – not only for small businesses.
- Focus on educating employees about attacks such as phishing and attacks on corporate e-mail. Employees should be able to identify the hallmarks of malicious emails.
- Notify employees about phishing and scam tactics, and include the latest changes in regular training.
- Remember that regular updates and reminders keep everyone informed about current threats and how to deal with them if encountered.
Make sure employees know how and to whom to report suspicious emails or possible phishing attempts!
Useful Resources:
CISA Cybersecurity Tips: https://us-cert.cisa.gov/ncas/tips/ST04-014
Identify and use available training resources. Organizations should know whether they already have their own training resources that are simply underutilized, or whether they need to look outside the organization to find them. Training your staff and promoting cyber-awareness doesn’t mean you have to create training materials from scratch. Many professional organizations, industry associations and scientific institutions, as well as private sector and government networks, provide ready-to-use cybersecurity training resources at no cost. Involve your organization’s HR department to determine which resources are available for your industry.
Useful Resources:
NIST Workforce Management Guidebook
Stay aware of current cybersecurity events. Be proactive: alert staff to hazards that the organization may encounter. Stay alert and ask:
- What types of cyber attacks are experienced by other organizations or people in my industry?
- What tactics helped related organizations reduce the damage?
- What do my employees need to know to help protect the organization and each other?
- Are there any urgent threats at national level that my employees need to be aware of?
Don’t forget to ask your cybersecurity system integrator about it – the knowledge gained during the implementation, translated into practical tips, can be invaluable!