Most companies have invested significantly in technology to protect their systems and data from hackers. But what’s often overlooked in cybersecurity—the human element—is just as dangerous, if not more dangerous.
IBM reported in 2014 that human error is a contributing factor in more than 95 percent of security incidents investigated. The computing giant has also reported that some 60 percent of attacks are carried out by insiders. Recent massive attacks like WannaCry and Petya were linked to poor decisions from employees and other insiders.
The human element is just beginning to get broader attention. It was the focus of a two-day tutorial at the recent RSA conference in San Francisco, and it’s been the subject of much discussion lately from researchers and writers at Harvard Business Review, Duke University and the National Institute of Standards and Technology (NIST), among many other notable organizations.
If your organization has all its eggs in the technology basket while ignoring the risks your own employees present, the good news is it’s not too late to take action. Follow these tips and strategies to boost the effectiveness of your cybersecurity and reduce the risk of insider threats.
Launch A Security Awareness Program
Strong cybersecurity policies mean very little if employees aren’t aware of them or don’t fully understand them. All companies should create and maintain a comprehensive cybersecurity awareness program that includes regular education sessions and compliance audits. In order to change behaviors and instill safe computer use practices, the education and awareness program needs to be robust and ongoing, not a one-time deal.
This doesn’t have to come at a huge cost—or any cost. Technology vendors like ESET offer free online cybersecurity training for employees, and there are countless online resources that offer tips and advice on how to create a strong awareness program.
Some great starting resources include:
- CSO: 7 Elements of a Successful Security Awareness Program
- Dark Reading: How to Build a Strong Security Awareness Program
- Infosec Institute: The Components of Top Security Awareness Programs
If you have the budget for it, there are also very intensive online courses from organizations like the SANS Institute on how to build and maintain a strong cybersecurity awareness program.
Teach Your Employees to Think Like Hackers
Traditional cybersecurity tactics like requiring strong passwords, mandating regular software updates and blocking certain websites are important, but they’re not enough. To create a strong cybersecurity culture, forward-thinking companies are teaching their employees to think like hackers. The bad guys are creative, resourceful and perceptive, so your staff has to be too.
- Encouraging employees to participate in “hackathons”—which are typically a training tool for coders—to teach them what hacking is really about and help them understand how attacks occur.
- When a major breach occurs in your industry, tasking employees with researching the causes and analyzing what could have been done to prevent it.
- Requiring employees to team up and work across departments to solve cybersecurity challenges, bringing fresh perspectives to your IT team and boosting cybersecurity awareness throughout the organization.
The more your employees know about how breaches occur, the better equipped they are to prevent them. Employees who are informed and well aware of the risks are also more likely to take ownership of strong cybersecurity, eliminating the “it’s not my problem” type of apathy many organizations see.
Monitor Employee Activity
What you don’t know about employee behavior can be dangerous. Even with the strongest awareness and training programs in place, it’s difficult to assess whether your employees are sticking to what they’ve learned without some type of employee monitoring or tracking software in place.
Employee monitoring software alerts you when any type of risky behavior takes place, whether that’s emailing confidential data, printing it, saving it to a USB drive, or even attempting to delete important files. Set your own specific rules and alerts to identify and put a stop to any risky behavior before it causes damage.
Monitoring software, which can also be used to track employee productivity, can drastically reduce the risk of insider threats from employees, partners or contractors, whether the actions are accidental or intentional. The software is typically affordable, even on a small business budget.
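To make the rules-and-alerts idea concrete, here is an added example (it is not code from the article or from any monitoring product) showing the kind of rule logic such software applies: a small Python pass over a constructed CSV activity log that flags the behaviors named above. The log format, the `confidential` label, the internal mail domain `example.com`, the removable-drive prefixes and the deletion threshold are all assumptions made for the example.

```python
# Added example, not from the article or any vendor product: a minimal
# rule-based alerting pass over constructed employee-activity log lines.
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (assumed format): time, user, action, target, dest, label
SAMPLE_LOG = """\
time,user,action,target,dest,label
2024-03-01T09:02:11,alice,email,q1_forecast.xlsx,bob@example.com,confidential
2024-03-01T09:05:40,alice,email,q1_forecast.xlsx,someone@gmail.com,confidential
2024-03-01T10:12:03,carol,copy,customer_list.csv,E:\\,confidential
2024-03-01T10:15:55,carol,print,customer_list.csv,printer-2,confidential
2024-03-01T11:00:01,dave,delete,build/tmp1.o,,internal
2024-03-01T11:00:02,dave,delete,build/tmp2.o,,internal
2024-03-01T11:00:03,dave,delete,build/tmp3.o,,internal
2024-03-01T11:00:04,dave,delete,build/tmp4.o,,internal
2024-03-01T11:00:05,dave,delete,build/tmp5.o,,internal
2024-03-01T11:00:06,dave,delete,build/tmp6.o,,internal
2024-03-01T14:30:00,erin,email,lunch_menu.pdf,someone@gmail.com,public
"""

INTERNAL_DOMAINS = {"example.com"}  # assumed: the company's own mail domain
REMOVABLE_DRIVES = ("E:\\", "F:\\", "/media/", "/Volumes/")  # assumed prefixes
DELETE_THRESHOLD = 5  # assumed: alert when one user deletes this many files or more


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def _external(address: str) -> bool:
    """True when the mail domain is not one of the company's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(log_text: str) -> list[Alert]:
    """Apply per-event rules, then an aggregate rule, to a CSV activity log."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    alerts: list[Alert] = []
    for r in rows:
        sensitive = r["label"] == "confidential"
        if r["action"] == "email" and sensitive and _external(r["dest"]):
            alerts.append(Alert(r["user"], "confidential_email_external",
                                f'{r["target"]} -> {r["dest"]}'))
        elif r["action"] == "copy" and sensitive and r["dest"].startswith(REMOVABLE_DRIVES):
            alerts.append(Alert(r["user"], "confidential_to_removable_media",
                                f'{r["target"]} -> {r["dest"]}'))
        elif r["action"] == "print" and sensitive:
            alerts.append(Alert(r["user"], "confidential_printed",
                                f'{r["target"]} on {r["dest"]}'))
    # Aggregate rule: a single file deletion is routine, a burst of them is not.
    deletes = Counter(r["user"] for r in rows if r["action"] == "delete")
    for user, n in deletes.items():
        if n >= DELETE_THRESHOLD:
            alerts.append(Alert(user, "bulk_delete", f"{n} files deleted"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Run on the sample log, this raises four alerts: alice's confidential spreadsheet sent to an outside address (her copy to a colleague at the internal domain is not flagged), carol's copy of the customer list to a removable drive and her printout of it, and dave's burst of deletions; erin's public document going to an outside address is ignored. A real tool would evaluate the deletion rule over a time window rather than the whole log, and would take the sensitivity label from a data-classification system rather than a CSV column, but the shape of the rules is the same.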