Mohammed Basheer, IT Security Practice Head at ISYX Technologies, shares his views on how organizations can reduce their attack surface by implementing an effective organisation-wide security awareness program.
The Petya ransomware attack that hit computers around the world recently, the second in two months, is yet another reminder that computers play key roles in most enterprises, and that it does not take much to disable those computers. Irrespective of how robust your information security systems are, users are still the weakest link in your company’s cybersecurity.
It’s a business cliché that staff are a company’s greatest asset and potentially its greatest risk. While that has always been true in the area of customer relations, it’s now equally applicable to data security. Users are the first line of defence against cyber-attack, and also – potentially – a business’s most glaring vulnerability. People are a very large attack surface, but organizations can reduce it by implementing an effective organisation-wide security awareness program.
Untrained employees are the linchpins of most data breaches. Those who attack businesses have no wish to spend a lot of time and money defeating their technology. Instead they prefer to infect users with ransomware using their favourite bait: “spray & pray” phishing attacks, which involve spamming employees with email that carries malicious content.
It has become increasingly important to embed ICT security awareness at all levels of an organisation. While awareness is the key, there also needs to be a balance struck. Employees need to know the risk their online activities pose and how to manage it, without being rendered unproductive by overly complex procedures.
Computer security training isn’t just a matter of giving employees information. Knowing best practices and organization policy is important, but it helps only if employees understand that they make a difference and feel that they are part of the organization’s information security. The truth is that user ignorance of security makes most malware attacks possible, and that employees who are aware can avoid most of those attacks.
Information security awareness should be part of an organization’s culture. Business leaders need to make sure their awareness programs cover all the important aspects of cybersecurity, so that their employees are well trained to tackle current security threats. At the end of an education and awareness initiative, all users should be able to understand:
- How to identify security threats
The user should be able to tell the difference between a normal email and a malicious one. They should understand best practice in internet usage and know the organization’s security policies.
- How to respond to security incidents
The user must be aware of the security incident response procedure. Should they suspect a security incident in progress, they should be able to follow the security incident management procedure to stop the incident from spreading across the organization.
As they say, people are the weakest link in the information security chain, so employee involvement is crucial to the success of an organization’s security strategy. There is often a disconnect between what employees know they should do security-wise and what they actually do in practice. Organizations which continue to implement and reinforce effective awareness programs have seen a reduced number of security incidents, which in turn maintains better uptime for the IT environment supporting the business processes, helps the organization uphold its reputation, and results in better financial rewards.