Creating a culture of cybersecurity at work
It’s an organisation’s worst nightmare. The idea of a data breach is enough to keep IT professionals up at night, working out ways to find faults and patch systems. Businesses spend millions trying to ensure that their systems are secure and a great deal of energy is put into preventing breaches. So imagine walking into your office, switching on your computer, and seeing this:
The above was the message that greeted Sony employees on the morning of November 24, 2014. Perhaps the most menacing message displayed on the screen reads ‘this is just [the] beginning’. The question on everyone’s mind (aside from what these top secrets might be) is how the hackers gained access to this system. To answer it, we must consider the cybercriminal’s best point of entry to a system: the end user.
Users have become the ‘new perimeter’ of the organisation, particularly those who are accessing key systems and data via devices that aren’t comprehensively managed by the business. Cybercriminals know that if they can reach users, they have a chance to convince them to do something that will grant them access to their computers, including their data and profiles. So how do they reach these users? While there are a variety of ways criminals can infiltrate systems, social engineering is the primary way to target end users.
Many hacks begin with a simple phishing scam: a seemingly innocent piece of electronic communication (an email or a social-media link) is sent to an end user and, once opened, downloads malicious software (malware) onto the system. The hackers are then able to map the network and gain access to vast amounts of information (your customers’ details, credit card numbers, identity information – you name it).
The hacker invents or fabricates a scenario; for instance, calling you and claiming to be from your bank or doctor’s office, then asking you to divulge personal information so that your identity can be verified.
Similar to phishing but using physical bait, baiting involves leaving malware-laden USB sticks or other portable media outside an office building, tempting passing workers to pick them up and plug them into their computers to see what they hold. It is the real Trojan horse of the security world.
What can you do?
Creating a culture of cybersecurity at work means educating your end users. User awareness and education go a long way towards minimising risk. Encouraging people to behave consistently, following clearly communicated, centrally developed and monitored processes and procedures that cover every device in use, won’t stop attacks from being attempted, but it will certainly make your organisation safer.
You need to do more than simply educate people about the technology; they also need to understand the importance of policies, systems and processes. You also need to decide how you’ll deal with policy violations: it’s inevitable that, at some point, the rules will be ignored or unintentionally broken.