
From the Boardroom to the Breakroom: Cybersecurity in the Workplace

October 11, 2017

Key steps to cybersecurity in the workplace include establishing and maintaining a “security culture” in which company networks and the data they hold are protected from internal and external risk. Top-tier executives must show a commitment to the process by encouraging responsible use of company IT systems, meaningful participation in cybersecurity awareness and training programs, and protection from current cyber threats.


Computer use policies should clearly define acceptable and unacceptable ways employees should access and utilize company networks. Examples of important components to consider in your use policy include:

  • Create guidelines for employee use that clearly detail the consequences of misuse or abuse.
  • Develop a technology protocol covering company-owned networks as well as e-mail, internet usage and bring-your-own-device (BYOD) restrictions.
  • Limit access to networks, computers and files to only those with a legitimate need and authorization.
  • Establish appropriate restrictions of personal use for email, banking, shopping, etc.
  • Deny access to inappropriate or offensive material in accordance with company guidelines.
  • Restrict downloads to avoid malicious file transfer or violation of license agreements.
  • Prohibit executing damaging code and security assessment tools without authorization.
  • Comply with other company policies and all federal, state and local laws, including those pertaining to licenses, copyrights and the protection of intellectual property.
  • Address restrictions related to political activities and personal economic gain.
  • Disclose company monitoring of routine use patterns, network traffic and connected devices to detect anomalies and potential breaches. 

Cybersecurity awareness and training programs should be interactive and interesting, and should serve as a vehicle for conveying current security threats. To do this:

  • Obtain C-level support for the program in terms of security culture and financial resources.
  • Measure program impact with metrics and through the use of phishing simulation tools.
  • Include mutual interests of company-wide departments or units.
  • Go beyond simple “check-the-box” compliance to ensure topics relevant to your company’s risks are covered.
  • Provide relevant examples of latest attacks and keep pace with cyber criminals’ methods and tactics.
  • Emphasize positive control of data and devices by including risks associated with BYOD, unsecured Wi-Fi hotspots and cloud storage.
  • Quantify the risk of insider threats and provide incentives to alert authorities of suspicious behaviors or practices.
  • Require strong passwords and use multi-factor authentication for access to networks and sensitive data storage.
  • Demand immediate deployment of critical updates to security and operating systems software and establish guidelines for timely, routine updates.
  • Provide incentives for appropriate incident reporting procedures; ensure consequences of infractions are measured and appropriate.

Cyber threats continuously evolve, and it’s important to maintain vigilance to protect employees, company intellectual property, and information about your business and customers. Know the current trends:

  • Social engineering tactics change and can occur in-person (tailgating, pretexting), over the phone (vishing), through text messaging (smishing) and via email (phishing).
  • Organized cybercrime syndicates target data, financial assets and system availability.  
  • Ransomware, primarily delivered by phishing campaigns or malicious downloads, targets data and intellectual property, requiring payment for decryption keys.
  • Phishing campaigns to gain access to systems and data are becoming more complex and harder to recognize.
  • Business email compromise/CEO fraud, or spoofed email from company executives, is designed to facilitate the fraudulent transfer of money to a third party.

To help safeguard company technology assets, the following protocol is recommended:

  • Set up secure remote access using virtual private networks (VPNs). Encrypt in-transit communications as well as data stored locally or with cloud services. 
  • Know the dangers of unsecured or unintended Wi-Fi access, which can put communications, data and operating systems under the control of cyber criminals.
  • Segment sensitive data from internet-facing networks.
  • Monitor network traffic with a keen eye on any anomalies.
  • Protect physical access to critical systems and sensitive data; make physical security part of your IT protection plan.

Cybersecurity in the workplace is a dynamic requirement for today’s business environment. Successful security programs start with a solid foundation consisting of an enforceable computer use policy, and robust training and awareness programs. Security teams must keep cybersecurity measures up to date to reflect current threats and risks to business assets. Most importantly, to achieve positive outcomes, security programs need firm commitment from all levels of the organization—from the boardroom to the breakroom.
