IT security is rarely out of the mainstream media these days. Putting a few key items on your management team agenda will greatly help put focus where it is needed, and help keep your data and users safe.
Many of the companies we have taken on board had previously adopted the attitude that, because they had not been compromised and their security had not been obviously breached, they were doing fine and did not need to make a big deal out of IT security. It takes quite a while to point out to them that they may simply not have been compromised yet: on a long enough time-line, most companies that don't pay attention to IT security, that have no policies, and that neither train their users nor promote awareness of IT security issues eventually suffer an unfortunate incident. A quick scan of the current press shows that cyber-attacks are on the rise and are growing more sophisticated, and more successful, every day.
Is implementing IT security awareness difficult?
Instilling a security-aware culture within your organisation need not be difficult or generate undue stress or tension. Simple, practical user training, together with ongoing management awareness of the threats facing organisations like yours and how they can be mitigated, will go a long way towards keeping you, your systems and your data safe.
Companies that start from a position of little or no security thinking or rigour can only benefit from any work done in this area. Through a few simple and well thought out initiatives, any organisation can greatly reduce the probability of the embarrassment, disruption and potential liability that follow an attack or a breach, which at its worst could expose, or lose, staff or client data.
When do we start instilling IT security awareness?
Start as soon as you can. If you’ve never really made IT security a topic for discussion within your team, start today and make it a regular talking point.
The security culture also needs to be instilled at the very beginning of an employee’s journey with your company, making it a core part of any new staff induction checklist. It can be promoted to existing staff through training, regular updates at team meetings, audits, and by making IT security part of their working responsibilities.
Finally, awareness is copper-fastened in any organisation by the approach and attitude taken by senior management and the example that they set.
Monitoring cyber threats
It should be at least one person’s responsibility to be aware of current and emerging IT threats. There are a number of excellent online resources to help keep you up to date. The trick is to be able to sort the relevant issues from the constant background noise: there is a never-ending stream of threats, vulnerabilities and issues emerging in the world of IT, and the most important thing is to be able to identify the most serious, or most relevant, threats to your organisation.
Once threats and issues are being monitored, the next step is to ensure that they are communicated to the people within the organisation who have the authority and capability to put in place whatever remedy is required.
Having a well-trained IT team, or a vigilant IT support partner, is invaluable here. The right people doing a good job will proactively head off problems before they manifest within your organisation, rather than reactively address problems after they have occurred, at a potentially catastrophic cost.
The National Cyber Security Centre is an excellent online resource which gives weekly threat reports:
Training and staff awareness
There are a number of excellent training courses available which educate your staff as to the number and type of threats and security issues affecting companies today, often at modest cost. You should very much consider these a sound investment.
Being conscious of social engineering, and ensuring that awareness of this threat is promoted throughout your organisation, can help defend against the hacker's main tool: gullibility. Social engineering is where someone uses deceit and manipulation to obtain sensitive information, usually in order to gain further access to your systems and data, or to win the trust of others in your organisation so as to further their aims.
Your users need to be aware, and explicitly authorised, to defer a request for sensitive information that arrives by phone or email until they can verify it. If they feel that the culture requires them to respond to every request and order straight away, even when they are unsure of its veracity, then it is only a matter of when, not if, something goes very wrong.
They should also feel comfortable reporting slip-ups: the sooner a mistake is reported, the sooner remedial action can be taken, and breaches are often time-sensitive. If key credentials can be changed as soon as someone reports that they believe they have been duped, the window for exploitation shrinks. If staff feel that they will be shouted at, or worse, for a simple slip-up, they may be tempted not to act on the realisation that they have potentially handed a hacker the ammunition needed to further an attack on your business.
Have an IT Policy
Setting out clear guidelines and rules of conduct for the use of IT resources and the protection of company data removes any excuses or doubt when it comes to enforcing the organisation’s policies on acceptable use of the business's equipment, email facilities, internet connection, data and intellectual property.
Make sure that the policy is clearly communicated, understood and explicitly agreed to. Giving new employees a printed copy of the policy in the back of their welcome pack and never referring to it again is a recipe for disaster. It should be made clear from the outset what the IT policies are, and that they are a non-negotiable part of their expected behaviour and conduct within the organisation.
Ensure your policy is reviewed and updated regularly to ensure it meets current threats and issues, and take every opportunity to update your staff when these changes occur to ensure that they remain current - and aware of the fact that there is a policy at all.
The threat landscape is constantly evolving, with each subsequent wave of malicious activity becoming more sophisticated and refined. One thing has not changed, however: a sound awareness of the fundamental principles of keeping yourself safe in the online world, combined with a simple, practical and clearly communicated policy, is just as essential a defence as all of the latest software and hardware gadgets that money can buy. Make sure you remain up to date with current threats, and work with your technical team, whether in-house or outsourced, to ensure that both the technical and the non-technical aspects of your IT security remain current and, equally importantly, are aligned with one another.