Update Feb 7 2018: I published a modified version of this post on the DelCor Connection Blog
If you’re responsible for running a network, you probably have the following in place:
- A properly-configured firewall (including software firewall for your mobile users)
- Intrusion detection/prevention system
- Centrally-managed antimalware software
- Centrally-managed OS and third-party patching
- Rock-solid backups for all mission critical servers, files, databases
- Idiot-proof disaster recovery and incident response SOPs
- Network monitoring and analysis tools
If you don’t have those things, go do those things, and then come back. If you do, great, your network is invincible… Or it would be, if it weren’t for those darn users! Even the best spam filters can let those CEO fraud messages slip through, and if you give your users Internet access they will inevitably download something they shouldn’t.
Encourage your users to own security
I hear IT people say things like, “my users are so stupid.” Or, “I can’t believe they didn’t know better.” Here’s the thing: you need to encourage ownership of technology at all levels – even your nontechnical staff. And you can’t do that without training, training, training. Security is everybody’s responsibility, and the IT department’s job is to provide the tools.
You can’t say your users are “stupid” if you just throw them into the deep end without swimming lessons. Checking email headers is second nature to you because you live and breathe email. Noticing that the website you’re on isn’t encrypting traffic is obvious to you because you’ve spent years paying attention to that stuff (and you’re probably using a browser that alerts you about it, you have HTTPS Everywhere installed, and so on; and then you act surprised that your users run IE 11, even though you gave it to them). Other departments specialize in other things, but they still need to own their part in keeping corporate data secure. It’s your job to give them the tools to do that: antivirus, patching, backups, and also training.
Get buy-in from leadership
If the C suite believes that only IT is responsible for security, this won’t get far. You need the CEO, COO, etc. to tell staff: this is everyone’s job. A serious data breach can be anything from a bad PR day to a business-ending event. If leadership can’t get behind you, nobody will follow training, and you’ll get chewed out the next time someone cryptolocks their laptop.
This also means you need to enforce security standards evenly. Everyone takes the training. Nobody gets a pass on the password complexity requirements. Everyone needs to put a PIN on their smartphone. Nobody gets to log in as admin just because it’s easier (I’m talking about the execs, but yes, I’m talking about you, too: network admins who log in as domain admin all day).
Cybersecurity training tools
There are many services out there. I’ve been very satisfied with KnowBe4, which is low-cost and highly automated. Other clients of mine have used CompTIA’s CyberSecure. Webroot and ESET have solutions as well. Whatever you pick, make sure the content is easily digestible by staff, and that you have a way to track who is taking it. Follow it up with in-person training from you, and encourage conversation among staff. If a user asks a question that you think is “stupid”, don’t make them feel stupid. It’s good that they’re asking. If a user correctly identifies a phishing email, give them kudos!
By the way, all this training and technology ownership business goes beyond security… That’s a topic for another day.
Photo by Startup Stock Photos from Pexels