Machines are logical and predictable. Humans are irrational and inconsistent. Whether it be your employees, contractors, suppliers, customers, or prospects, your company security culture needs to include all of your stakeholders. After all, a chain is only as strong as its weakest link.
With this in mind, here are 10 points to consider when thinking about your company’s cyber-security hygiene:
1. IT security is often seen as a negative function: it makes employees' lives more difficult and limits the control they have over their own equipment. That perception leads employees to actively look for ways to bypass the security measures that are in place.
2. When employees want to try a new productivity or work-related tool, they should be able to get helpful advice and guidance from IT. IT staff should want colleagues to come to them with questions and requests for recommendations, because that is how you engage and educate them.
3. Staff should understand that protecting their home IT is just as important as protecting work IT: a compromised personal device that is also used for work (BYOD) is a route into the company.
4. Informative posters should be displayed where appropriate and more formal training should be provided in order to teach staff how to protect themselves.
5. Social media platforms are used for both personal and business purposes, and the line between the two is blurred. This crossover can be unhealthy; a divide needs to be created and maintained.
6. Acceptable use policies are a must; they protect both the user and the company. Security knowledge should not be assumed to be common sense: each department has its own things to learn. Creating an educational environment is just as important as building a culture.
7. If you tell employees, they will forget. Show them how something works and they will remember. Involve them and they will understand. Take apart a phishing email and show them why it is dangerous; simply telling them that phishing emails are bad does not equip them to identify one or to understand the risk. Running phishing assessments with instant feedback is a way of involving employees and teaching them. Cisco does this very well.
8. According to a 2017 comScore study, you have six seconds to capture someone's attention. The AIDA (Attention, Interest, Desire, Action) model from marketing psychology can be used to drive a positive change in employees: a change in attitude changes behaviour, which in turn changes actions.
9. Don't presume to dictate to employees; they know their job better than you do. Open discussions and learning groups engage them and, better yet, may reveal anomalous events or behaviour previously unknown to the organisation.
10. A passphrase is a great password. A random mixture of uppercase, lowercase, numbers and special characters is strong but forgettable. A memorable password is a passphrase that is engaging and connects on an emotional level. "Unhappy rabbit black jack" is a strong passphrase that is 25 characters long. If a system insists on composition rules, the passphrase can be adapted by replacing vowels with numbers and adding a special character: "Unhappy rabbit black jack" becomes "Unh4ppy r4bb1t bl4ck j4ck!", which is still easy to remember and meets typical password requirements. Note that the substitutions are there to satisfy the policy, not to add real strength: swapping vowels for digits is a standard mangling rule in password-cracking tools, so it is the length and the number of words that make the passphrase hard to guess.
In summary, the human firewall needs to be understood for security measures to be effective. Using your most important asset in the fight against cyber-attacks (people, not technology, in case you still haven't got our point) is the best defence for your company; you just need to figure out how to turn it on.