When addressing cyber security threats, human error is a factor that is often overlooked. However, according to the 2014 IBM Cyber Security Intelligence Index, over 95% of all incidents investigated involved human error. Although human error can never be eliminated entirely, incidents can be reduced by establishing clear cyber security guidelines and providing regular employee trainings.
The first step in reducing the role of human error in cyber security incidents is to establish a cyber security policy for your employees that states the do’s and don’ts of cyber security. To help you get started, here is a list of ten points to include in your policy:
1. Emphasize the Importance of Cyber Security
Start off by explaining why cyber security is important and what the potential risks are. If customer or employee data is lost or stolen, this could badly affect individuals involved, as well as severely jeopardize the company. If the company systems are infected with malware, this could severely hamper the efficiency of the company.
2. Teach Effective Password Management
Passwords can make or break a company’s cyber security system. Include guidelines on password requirements (for instance a combination of lower case and upper case letters and numbers), how to store passwords (no post-its on your monitor!), how to share passwords (share in person or use the phone instead of email), and how often to update passwords. Also, warn employees not to use the same passwords on different sites.
3. Detect Phishing and Other Scams
Describe the different kinds of phishing emails and scams employees can be presented with and how to spot something ‘fishy’. If employees receive an email that looks out of the ordinary, even if it looks like an internal email sent by another employee, they must check with the sender first before opening attachments. When in doubt, go to the company website instead of clicking on a link in an email. Scams can also be perpetrated over the phone, so warn employees about people calling and asking for confidential company information.
4. Apply Updates and Patches
Inform employees to update anti-malware programs, web browsers and other programs regularly and do full malware scans at least once a week.
5. Protect Sensitive Information
Attackers are often after confidential data, such as credit card data, customer names, email addresses, and social security numbers. When sending this information outside of the organization, it is important that employees understand they cannot just send the information through email. A secure file transfer system must be used that encrypts the information and only allows the authorized recipient to access it.
6. Lock Computers and Devices
When employees leave their desks, they must lock their screens or log out to prevent any unauthorized access. Laptops must also be physically locked when not in use.
7. Secure Portable Media
When using portable devices such as mobile phones and laptops, passwords must be set to limit access. When bringing in portable media such as USB drives and DVDs, it is important to scan these for malware when connecting to the network.
8. Report Lost or Stolen Devices
Advise employees that stolen devices can be an entry point for attackers to gain access to confidential data and that employees must immediately report lost or stolen devices. Often the IT department can remotely wipe devices so early discovery can make all the difference.
9. Take Active Role
Explain that employees must use common sense and take an active role in security. If they see suspicious activity, they must report it to their IT administrator. If employees become aware of an error, even after it has happened, reporting it to IT means something can still be done to minimize the damage. Cyber security is a matter that concerns everyone in the company, and each employee needs to take an active role in contributing to the company’s security.
10. Apply Privacy Settings
Inform employees that it is highly recommended to apply maximum privacy settings on their social media accounts such as Facebook, Twitter and Google+. Ask them to make sure that only their contacts can see their personal information such as birth date, location, etc. By limiting the amount of personal information that is available online, the vulnerability to spear phishing attacks as well as identity theft can be reduced.
The cyber security policy should be included as part of the employment agreement, and regular cyber security training should be scheduled to make sure that employees understand the guidelines. A fun way to make sure that employees understand the policy is to have a quiz that will ‘test’ their actions in example situations.
By Deborah Galea
Deborah Galea heads product marketing for the Metascan and Metadefender product suite, and is dedicated to identifying solutions to help companies of all sizes ensure a secure data workflow. Prior to joining OPSWAT, she was co-founder and COO of Red Earth Software. Red Earth Software specialized in the development of email management software to help companies ensure proper usage of their corporate email systems.