It’s vital for organisations to create a culture of security – one that incorporates education, training, and a layered approach to defence.
Despite the global drive to make people more aware of cybersecurity issues, headline-grabbing incidents continue to occur. This points to a lack of commitment from companies to educating their employees on the many dangers out there, particularly around email, spam and scams.
While it is true that many organisations do facilitate training and awareness campaigns, many still do not. This is despite the many mundane ways in which employees can inadvertently breach security, such as copying the wrong recipients on a confidential email.
According to Hilton Ashford, a security consultant at BUI, security becomes even trickier in tough economic times like those at present. He explains that most people are desperate for business, meaning they may ignore alarm bells that would otherwise give them pause. In such a situation, common sense often falls by the wayside, even though it is common sense not to trust anyone, or any communication from them, unless you are certain who they are.
“There are many ways companies can inculcate a stronger security culture in an organisation, starting with education around the many ways cybercriminals try to manipulate you into clicking on links. Social engineering is another method, where targeted phishing campaigns are used on employees to see if they can be manipulated into giving up confidential information,” he says.
‘Training has to be continuous’
“What is important is to bear in mind that training and education around this subject have to be continuous. Remember that the bad guys are becoming cleverer all the time, and are consistently making their emails and their approaches more realistic. Thus, ongoing education around this is absolutely vital.”
Ashford uses a simple example to explain why employees should always be suspicious of emails from people they don’t know: “If you think about it, you wouldn’t let some stranger in the street take a photo of your ID book, would you, as such an incident would appear suspicious. So why would you more easily believe someone online who you have never seen or met?”
He adds that while the responsibility for security ultimately falls on the individual, enterprises also have an obligation to protect users at the most basic levels. This means implementing spam-filtering solutions and intelligent scanning engines to help search out malicious content.
The problem, continues Ashford, is that many businesses fail to invest enough in their cybersecurity defences until they suffer an incident, by which time it is too late. Furthermore, security is often an additional job given to system administrators, and anyone trying to juggle multiple roles is bound to make mistakes.
Reduce the ‘noise’ around cybersecurity
“This is why we feel it is always better to utilise an expert third party to keep an eye on your systems, analyse the numbers and reduce the ‘noise’ around cybersecurity. The right partner can supplement this with a security operations centre (SOC) that is just another part of the toolkit, supplementing the training and education.”
“When it comes to security, a successful defence will be one which is layered. In other words, just as in the Dark Ages, where a castle was protected by a moat, a drawbridge, a portcullis and large pots of boiling oil, so today’s organisation needs – among other things – firewalls, anti-virus, strong education and training and access to a SOC.”
The most critical reason for bringing in a third-party security company, suggests Ashford, is that it prevents the situation where the business is essentially “marking its own homework”.
“By handing your security to a third party, there are always neutral eyes on the situation, ensuring that the business gains a different perspective on its issues, while also obtaining additional threat intelligence to enrich that perspective. At the end of the day, it is crucial to know your risk exposure, to understand your security and threat landscape and to ensure the continuous education of your staff. Having a third-party security provider on the case is probably the most effective way to achieve this,” he concludes.
This article was originally published on ITWeb.