Too often cybersecurity professionals talk about people being the weakest link in security, but I would much rather look at these individuals, your employees, as your first line of defense rather than the weakest link, because that is exactly what they are in the cyberwar being waged against us.
You may think I’m being melodramatic when I use the term cyberwar, but this is exactly where we are. Our biggest adversaries are foreign governments who use their immense resources to gain access to our personal information and our intellectual property in order to gain advancements and a competitive edge over our country, our companies and our technologies. This is happening every day and China is leading this war against us while we do very little to respond.
You may think that you can’t do much against the Chinese Communist Party, but that is where you need to think differently: there is a lot you can do, and it will take you and many more organizations being armed and ready to take action. We are mistaken if we have the attitude that someone else will take care of the problem. We are not fighting this war on the traditional battlefield, and the fighters are not the military; they are you and me, and we all have a part to play.
For your organization, the defenders in this war are you and your employees, the people sitting in front of a computer all day or connecting a device to your network. They are your first line of defense, but they have not been weaponized: they don’t know how important their role is in this fight; in fact, they don’t even know the fight exists.
Here is a checklist you can use to help ensure you have your bases covered in arming your employees in this war and protecting your organization and our country’s assets.
- Provide security awareness training that connects the user to their responsibility for security – teach them how to behave, what to do, what not to do, and how to respond, then reinforce the training on a regular basis. Make sure they understand their role and how important it is. The more interactive and realistic the training, the more they will connect with it and remember what they have learned.
- Do not allow users to have administrative rights to their computers. Talk to your IT department about this, because this right gives attackers more access and a much better chance of installing malicious software on your network.
- Do not allow users to disable endpoint security like host-based firewalls or anti-virus software, and keep the software current and working properly.
- Provide users with clear instructions that are easy to find and follow for how to report suspicious or anomalous activity – make sure they know what it means – test them. Then ensure the response team knows what to do in various situations, and test them too. Testing reinforces what people have learned; make it part of the process and not something for them to be afraid of.
- Provide specialized security training for your business leaders and empower them to discuss security with their employees. Engage your security teams or security consultants to help. This is specialized knowledge that you have to teach everyone in your business; you can’t leave it up to the small group of security experts when all your users are your first line of defense.
- Provide users with secure methods for transmitting sensitive data and teach them how to use them. They need to know that email is not secure unless you have given them a secure method for using it.
- Provide users with secure methods for storing sensitive data, and make sure they know where those locations are and how to ask for access. Users need to understand that storing sensitive data on their computers or on unprotected network file shares risks losing that data to an attacker.
- Keep the conversation in front of everyone at all times; don’t become complacent or allow your people to become complacent. This is an ongoing and ever-changing topic, and so must be the conversation.
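Two of the items above, no local administrator rights and endpoint security left enabled, can be verified rather than assumed. The following read-only audit script is an added example, not part of the original article; it assumes a Windows 10/Server 2016 or later endpoint with the LocalAccounts, Defender and NetSecurity PowerShell modules, run from an elevated session, and the approved-administrators list is a constructed placeholder to replace with your own.

```powershell
# Added example (not from the original article): a read-only audit that reports
# whether the "no local admin rights" and "endpoint security enabled" checklist
# items hold on a Windows endpoint. Assumes Windows 10/Server 2016+ with the
# Microsoft.PowerShell.LocalAccounts, Defender and NetSecurity modules;
# run in an elevated session.

# 1. Local administrator rights: enumerate the built-in Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

# Accounts expected to hold local admin rights (constructed placeholder values;
# replace with your organization's approved list).
$approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins')
$unexpected = $admins | Where-Object { $_ -notin $approved }

if ($unexpected) {
    Write-Output "FINDING: unexpected local administrators: $($unexpected -join ', ')"
} else {
    Write-Output 'OK: only approved accounts hold local administrator rights'
}

# 2. Endpoint security: Defender antivirus/real-time protection and signature age.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Output 'FINDING: Defender antivirus or real-time protection is disabled'
} else {
    Write-Output "OK: Defender enabled, signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# 3. Host-based firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        Write-Output "FINDING: firewall profile '$($fwProfile.Name)' is disabled"
    } else {
        Write-Output "OK: firewall profile '$($fwProfile.Name)' is enabled"
    }
}
```

Run it periodically (for example through your endpoint management tool) and treat any FINDING line as a ticket for IT, so the checklist items become measured controls rather than intentions.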
When I said test them, there are many ways you can do this. You can use products that simulate phishing attacks, which users learn from if they click on the email. You can use a penetration test to simulate an attack and test your response capabilities. You can use consultants who perform social engineering tests to see if users provide sensitive data like passwords or customer information. Testing helps ensure the training you provide is working. It is not to punish those who don’t respond correctly. The only way to know where you stand and correct behavior is through testing, training, and re-testing.
What I like about all of this is that not only are you protecting your organization, but you are empowering your employees to go home and protect their home computers through what they have learned. They can teach their friends and families what to look for. Our attackers are not just after our organizations; they are after anyone who can give them the edge they are looking for, and that includes you, your children, your parents, and your friends. The more you can teach your employees, and the more other leaders do the same, the more we are arming our people at home and at work to be our best line of defense.
This is a high-level list that will help you get the conversation started with your IT, security, and executive team. If you want to dive deeper, email email@example.com and we can discuss your individual situation. For more articles on this topic visit my C-Suite Advisors Page.