Viruses, ransomware, mobile malware, phishing… Cyber-attacks are constant, and organizations face threats from attackers every day. To counter them, IT departments need appropriate resources, expertise and tools. But tools alone are not enough. Employees are the weak link in most organizations, because the vast majority of cyber threats target them directly. Whether CEO, sales executive, receptionist or legal assistant, with very few exceptions none of them intends to cause harm. The problem is that employees rarely understand the stakes of IT security, or the consequences a single careless action can have for business assets.
There is only one way to mitigate this: raising employee awareness. Examples, guidance and good practices will help turn your employees into a line of defense against digital risks.
Digital risks within organizations
Digital risks are many and take very different forms. There is little in common between intercepted telephone calls, a virus hidden in an Excel spreadsheet macro, and an application-level threat that ends in a data breach. Before anything else, organizations should take stock of their own situation.
Three categories of digital risk in France
A Ponemon Institute study funded by IBM looked at cyber threats on a country-by-country basis. In France, digital risks are distributed as follows:
- Criminal attacks (targeted or opportunistic): In 50% of all cases.
- Human errors: In 31% of all cases.
- Technical problems, hardware or software failures: In 19% of all cases.
Clicking on a malicious link, failing to update software, scribbling passwords on a post-it note, shadow IT… The causes that can endanger an organization's information systems are numerous, and in most incidents a user is somewhere in the chain of actions that precedes the attack. Whether through negligence, lack of interest or lack of time, failing to involve users can have serious consequences, all the more so because the threats are not slowing down.
Top 5 current threats
For an IT department, every threat needs to be monitored. But when raising employee awareness, trying to be exhaustive is counterproductive. Brevity, clarity and demonstration by example will always have more impact.
- Ransomware: An attack that encrypts the files on a computer or locks a smartphone, then demands a ransom, usually in bitcoin, to unlock the data. It is hostage-taking in digital form, with criminals who are nearly impossible to identify.
- Massive data theft: Through poorly monitored systems or weak passwords, attackers steal, exploit and resell personal data, using the proceeds to finance other illegal activities.
- Advanced Persistent Threat (APT): A discreet, long-term intrusion aimed at retrieving documents or confidential data, targeting governments, banks, the media or any strategic organization (defense, research, transport, etc.). This is digital espionage, in which targeted employees are profiled and approached with social engineering techniques to make the attack more effective.
- DoS (Denial of Service) attack: A deliberate overload of a server's capacity to make it unavailable, briefly or for an extended period. The consequences can be significant, especially for online merchants.
- Mobile hacking: Access to personal and confidential data stored on a mobile device, either after the device is stolen or through the installation of malware.
Good practices to raise employee awareness
Understanding threats is essential, but conveying the right message to a non-technical audience, people who use computer tools without knowing what happens behind the scenes, is an equally important challenge. This is an educational role, and it involves the organization's management as well as other departments such as IT, internal communications and HR.
Implement a tailored and updated policy
The first thing to do is to create a clear set of rules. Striking a balance between comprehensiveness and usability is essential: the denser and more complex the document, the greater the chance its rules will be misunderstood or misapplied. Your internal policy should state your position on topics such as social media, use of personal devices, Wi-Fi networks, mobile applications, GDPR, etc.
A digital security policy must be able to evolve. Threats change regularly and the policy needs to be updated to match. It should also be part of the onboarding process for new employees and of the roll-out of new tools.
Finally, depending on your organization's culture, it may be helpful to clarify the legal side. This means securing liability and confidentiality clauses in employment contracts, as well as confidentiality commitments from suppliers, customers, third-party partners, etc.
Educate online and in person
Training is essential to raise employee awareness. It may require an instructional designer to build custom learning experiences tailored to your employees' roles and business areas. Training should be regular, non-technical in most cases, and illustrated with a variety of real-life examples.
At the organizational level, blended learning, a mix of online and in-person courses, works well. A learning platform can include quizzes and assessments of prior knowledge, as well as on-demand video sessions that each team can watch at the times that best suit its constraints.
Involve the organization’s management
The IT department cannot do everything alone. The organization's management should be involved in employee awareness initiatives. This means not only unlocking the appropriate budgets, but also getting involved personally. Both the message and the strategy should come from top management, and top management should join operational managers and all of the teams to host, present and take part in training courses, online or in person.
You perform regular fire drills. Why not do the same for digital security? Such exercises assess the real-life behavior of your employees and are part of a process of continuous improvement.
For example, the French Ministry of Economy and Finance sent a phishing email to each of its 145,000 agents to measure the impact of its protection and awareness measures. The result: 20% of agents were fooled.
Another exercise is the "President's scam" (CEO fraud), in which you try to trick employees into making an online purchase or issuing a transfer order on the instructions of a supposed executive. This scam affects organizations of every size, including SMBs.
A final example, which also requires the participation of your IT department: deliberately leave a USB key somewhere on your premises (car park, corridors, meeting rooms, etc.) containing a file named "pay scale.xls". With a tracking mechanism in the file, you will know who opened it and can redirect them to an internal security warning.
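The drills above all rely on a tracking system that ties a click or an opened file back to an individual employee. The following script is an added example of how such tracking can be measured for a phishing drill; it is not the ministry's tool nor code from the original article. It assumes a hypothetical landing page at drill.example.org, a constructed employee roster, a per-campaign secret key and constructed web-server log lines. Each employee receives a link carrying an HMAC-derived token, so no one can guess a colleague's link by editing the URL, and the analysis resolves logged tokens back to employees to compute the click rate while flagging tokens that do not belong to anyone.

```python
"""Phishing-drill tracking: per-employee HMAC tokens and click-rate analysis.

Added example, not part of the original article. SECRET_KEY, EMPLOYEES,
LANDING_PAGE and the log lines are hypothetical and constructed for illustration.
"""
import hashlib
import hmac
import re

# Per-campaign secret; rotate it for every drill so old links stop resolving.
SECRET_KEY = b"drill-2024-q3-rotate-me"   # assumption: in practice, loaded from a vault

# Constructed roster (fictional): employee id -> mailbox.
EMPLOYEES = {
    "e001": "ceo@example.org",
    "e002": "sales.exec@example.org",
    "e003": "reception@example.org",
    "e004": "legal.assistant@example.org",
    "e005": "it.admin@example.org",
}

LANDING_PAGE = "https://drill.example.org/login"   # hypothetical landing page


def make_token(employee_id: str, key: bytes = SECRET_KEY) -> str:
    """Derive an unguessable per-employee token.

    HMAC-SHA256 over the employee id: a recipient cannot enumerate other
    people's links by changing the id, and a forged token maps to nobody.
    Truncated to 64 bits, enough for a tracking id and short enough for a URL.
    """
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_link(employee_id: str) -> str:
    """Link embedded in the drill e-mail sent to this employee."""
    return f"{LANDING_PAGE}?t={make_token(employee_id)}"


# Combined-log style line, e.g.
# 203.0.113.7 - - [12/May/2024:09:14:02 +0200] "GET /login?t=abcd HTTP/1.1" 200 512
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /login\?t=(?P<token>[0-9a-f]+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def analyse_logs(log_lines, employees=EMPLOYEES, key: bytes = SECRET_KEY) -> dict:
    """Resolve clicked tokens back to employees and compute the click rate.

    Tokens are recomputed from the roster rather than stored, so the web
    server never holds the mapping. Tokens that resolve to nobody are
    reported separately (scanner noise, typos, or someone probing the page).
    """
    token_to_id = {make_token(eid, key): eid for eid in employees}
    clicked, unknown = set(), []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                       # not a landing-page hit
        eid = token_to_id.get(m.group("token"))
        if eid is None:
            unknown.append(m.group("token"))
        else:
            clicked.add(eid)               # repeat clicks count once
    rate = len(clicked) / len(employees) if employees else 0.0
    return {"clicked": sorted(clicked), "click_rate": rate, "unknown_tokens": unknown}


def sample_log_lines() -> list:
    """Constructed web-server log for the drill (not real traffic)."""
    def hit(ip, ts, token):
        return f'{ip} - - [{ts}] "GET /login?t={token} HTTP/1.1" 200 512'
    return [
        hit("203.0.113.7", "12/May/2024:09:14:02 +0200", make_token("e002")),
        hit("203.0.113.7", "12/May/2024:09:14:40 +0200", make_token("e002")),  # re-click
        hit("198.51.100.3", "12/May/2024:10:02:11 +0200", make_token("e004")),
        hit("192.0.2.99", "12/May/2024:10:30:00 +0200", "deadbeefdeadbeef"),   # forged token
        '192.0.2.5 - - [12/May/2024:10:31:00 +0200] "GET /favicon.ico HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    for eid in EMPLOYEES:
        print(eid, tracking_link(eid))
    print(analyse_logs(sample_log_lines()))
```

On the constructed log, two of the five employees clicked (one of them twice) and one request carried a forged token, giving a click rate of 40% and a separate list of unresolved tokens. Keeping the roster-to-token mapping out of the web server and rotating the key per campaign limits what an attacker learns if the landing page is compromised, and counting distinct employees rather than raw hits avoids inflating the result.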
The more familiar your employees are with secure devices and tools, the more aware they will be of the risks. This is particularly true for smartphones, which by their nature are always on the move. Securing professional smartphones should therefore include solutions that encrypt incoming and outgoing communications (voice, email, SMS and web traffic), protect local data (contacts, files, photos) in case the device is lost or stolen, and require strong authentication to unlock the device.
Digital risks now sit alongside all the other risks companies already manage. Even if your organization is not entirely dependent on an online business, a cyber-attack can have serious consequences for payroll, procurement, supply chain, logistics, purchasing, etc. Today's threats differ from yesterday's, and tomorrow's will differ again. These challenges must be met with prudence and professionalism, and employee awareness is an absolute requirement for doing so.