Happy Monday morning everybody! Hope it’s a great day to start the week off, and of course, have a great day as well! It’s awfully steamy here in Ch-Town, but the temperatures are expected to cool down by tomorrow. Today, we are not going to talk about any technical issues with Cyber attacks or anything like that, but rather, we are going to focus upon the human element.
As I have mentioned in the past, in order to have great levels of Security, it takes the right balance of both technology and human awareness as to what is going on around them. What do I mean by human awareness?
Well, there are many aspects to this. If you take the example of a business or a corporation, let’s start with the business owner first (for the sake of our example, let us assume that it is a small business). He or she will of course have to have the motivation to maintain a proactive mindset so that it transcends down to the employees.
This means being educated about the Cyber threat landscape, and if need be, even engaging with a Cyber security firm to assist in this regard. Then there is the IT staff. The business owner needs to give these mission critical people the tools that they need in order to keep up with the Cyber threat landscape on a daily basis.
This means being educated as much as possible on a daily basis (well, this may be a lot, but let’s just say on a reasonable enough time frame) on the threats that are actually happening out there, and having the right technologies on hand in order to combat any Cyber threats that actually come their way. Then there are the employees.
They need to be aware on a daily basis of the Security environment by noticing any sort of odd human behavior (this could potentially indicate an Insider Attack), and especially by being completely aware of any suspicious E-Mails that they could receive.
They also need to have the ability to report these anomalies directly to the IT Security Officer, and perhaps even the business owner.
But, the only way that the employees are going to be aware of what is happening is by having continual Security training (at least on a quarterly basis), which is the primary responsibility of the business owner and the IT Staff. Now, keep in mind that this is all ideal in theory. But what about the reality of things? Well, there things are quite a different story.
A Cyber security firm, known as “OpenVPN”, recently conducted a survey (in which 500 employees were polled), and found some disturbing results:
* 25% of them reuse the same password for everything;
* 23% admit to very frequently clicking on links before verifying the authenticity of the website that they intended to visit;
* Only 55% of employees use biometric passwords (despite 77% of them trusting biometric passwords, and 62% believing that they are stronger than traditional alphanumeric based passwords).
According to the CEO of OpenVPN: “Cybersecurity issues won’t go away, and the onus is on employers to teach their employees good cyber habits and protect themselves and business operations from malicious actors . . . Simply telling people to avoid visiting infected websites isn’t enough — more than half (57 percent) of Millennials — the largest group in the workforce now — admit to frequently clicking on links before verifying they lead to a website they were intending to visit.” (SOURCE: https://www.scmagazine.com/despite-advancements-training-and-fears-of-breaches-employees-still-practice-bad-cyber-hygiene-study/article/774026/).
My thoughts on this? In the end, there is only so much that an employer can do. They can invest in the best technologies, keep training their employees, try to motivate them to be Security proactive, offer incentives for practicing good Cyber security hygiene, etc.
But in the end, it is the employees themselves that have to be conscientious and take the steps that they have been taught in order to protect their work environments. So, maybe it is time to take some drastic steps in the reverse direction? For instance, instead of rewarding employees, why not make an example of one who practices bad Cyber security hygiene?
For instance, suppose that Company ABC was hit with a Cyber attack, and it was later discovered that the main point of entry for this was a very weak password that an employee had created and kept using. Why not make them pay for part of the financial loss that Company ABC is experiencing as well? Why not take some money out of their paycheck?
True, this does sound harsh, but doing this will send a strong signal to the other employees that they have to be on their best Cyber security behavior if they don’t want money to be taken out of their paychecks.
After all, if Corporate America has to be held to high standards by the various Federal Legislations (with a prime example being that of the very harsh financial penalties), shouldn’t employees, to some smaller degree, be held accountable as well?
But, keep in mind also that this is another very fine balancing act as well. If a business owner is going to make an example out of an employee, then they need to have absolute, concrete proof that it was the non-malicious actions of that particular employee that opened the hole through which the Cyber attack occurred.
Otherwise, a business or corporation that takes this more drastic route does not want to end up with a lawsuit on its hands for being biased or prejudiced against that employee in any way, shape or form.