From the Boardroom to the Breakroom: Cyber Security in the Workplace
October 11, 2017
Key steps to cyber security in the workplace include establishing and maintaining a “security culture” in which company networks and the data they hold are protected from internal and external risk. Top-tier executives must show a commitment to the process by encouraging responsible use of company IT systems, meaningful participation in cyber security awareness and training programs, and protection from current cyber threats.
Computer use policies should clearly define acceptable and unacceptable ways employees should access and utilize company networks. Examples of important components to consider in your use policy include:
- Create guidelines for employee use that clearly detail the consequences of misuse or abuse.
- Develop technology protocols covering company-owned networks as well as e-mail, internet usage and bring-your-own-device (BYOD) restrictions.
- Limit access to networks, computers and files to only those with a legitimate need and authorization.
- Establish appropriate restrictions on personal use for email, banking, shopping, etc.
- Deny access to inappropriate or offensive material in accordance with company guidelines.
- Restrict downloads to avoid malicious file transfer or violation of license agreements.
- Prohibit executing damaging code and security assessment tools without authorization.
- Comply with other company policies and all federal, state and local laws, including those pertaining to licenses, copyrights and the protection of intellectual property.
- Address restrictions related to political activities and personal economic gain.
- Disclose company monitoring of routine use patterns, network traffic and connected devices to detect anomalies and potential breaches.
Cyber security awareness and training programs should be interactive, interesting and a vehicle for conveying current security threats. To do this:
- Obtain C-level support for the program in terms of security culture and financial resources.
- Measure program impact with metrics and through the use of phishing simulation tools.
- Include mutual interests of company-wide departments or units.
- Go beyond simple “check-the-box” compliance to ensure topics relevant to your company’s risks are covered.
- Provide relevant examples of the latest attacks and keep pace with cyber criminals’ methods and tactics.
- Emphasize positive control of data and devices by including the risks associated with BYOD, unsecure Wi-Fi hotspots and cloud storage.
- Quantify the risk of insider threats and provide incentives to alert the appropriate authorities to suspicious behaviors or practices.
- Require strong passwords and use multi-factor authentication for access to networks and sensitive data storage.
- Demand immediate deployment of critical updates to security and operating system software, and establish guidelines for timely, routine updates.
- Provide incentives for appropriate incident reporting procedures; ensure consequences of infractions are measured and appropriate.
Cyber threats continuously evolve, and it’s important to maintain vigilance to protect employees, company intellectual property, and information about your business and customers. Know the current trends:
- Social engineering tactics change and can occur in-person (tailgating, pretexting), over the phone (vishing), through text messaging (smishing) and via email (phishing).
- Organized cybercrime syndicates target data, financial assets and system availability.
- Ransomware, primarily delivered by phishing campaigns or malicious downloads, targets data and intellectual property and demands payment for decryption keys.
- Phishing campaigns to gain access to systems and data are becoming more complex and harder to recognize.
- Business email compromise (CEO fraud), in which email is spoofed to appear to come from company executives, is designed to facilitate the fraudulent transfer of money to a third party.
To help safeguard company technology assets, the following protocol is recommended:
- Set up secure remote access using virtual private networks (VPNs). Encrypt in-transit communications as well as data stored locally or with cloud services.
- Know the dangers of unsecure or unintended Wi-Fi access, which can put communications, data and operating systems under the control of cyber criminals.
- Segment sensitive data from internet-facing networks.
- Monitor network traffic with a keen eye on any anomalies.
- Protect physical access to critical systems and sensitive data; make physical security part of your IT protection plan.
Cyber security in the workplace is a dynamic requirement for today’s business environment. Successful security programs start with a solid foundation consisting of an enforceable computer use policy, and robust training and awareness programs. Security teams must keep cyber security measures up to date to reflect current threats and risks to business assets. Most importantly, to achieve positive outcomes, security programs need firm commitment from all levels of the organization—from the boardroom to the breakroom.