Problem: My IT team briefs me regularly on steps they are taking to secure my organization; however, I’m concerned I’m not doing enough to educate my non-technical employees on cybersecurity risks and their part in keeping our organization safe. Is cybersecurity more than a technical issue?
It’s tempting to leave cybersecurity management to the IT team to protect your organization. Unfortunately, if the focus for cybersecurity is solely in the hands of your IT department, you are missing the single largest risk: your non-technical employees. So much effort has been spent on the technical aspects of cyber that very little has been done to educate non-technical team members on their role in preventing cybersecurity issues.
According to the 2017 State of Cyber report, of the small businesses that reported suffering a data breach in 2017, 54 percent were caused by a negligent employee or contractor. “Negligent” could easily be replaced with “ignorant.” It’s not that employees don’t care or are malicious, it’s that they have not been educated about their role in comprehensive cybersecurity.
What sort of cultural environment has your organization created around cybersecurity? Ask yourself: What effort has my training team put in to educate every person, at every level of the organization, about what they can do to protect themselves and the organization from cyber threats? Have I worked to create a cooperative culture between my IT group and my non-technical employees on cyber-related issues? Or have I merely instituted heavy-handed policies of strict passwords and access controls in the hope that those rules alone would protect us from a breach?
Often when the topic of cybersecurity training is raised, the discussion centers on training for the software and hardware the IT team uses to protect the organization, which is important. But the most effective intrusion detection system and high-priced firewall can’t protect you from an employee who finds a USB stick in the parking lot and plugs it into a work PC, or from the employee who clicks on a link in a well-designed phishing email sent to them from your email account. In either case, the employee likely didn’t understand they had done anything wrong, because IT had never informed them of the risks posed by such threats.
I’m guessing at this point you are thinking, “That all sounds great, but what can I do about it?” Luckily, some immediate steps can drastically reduce the chances of your organization being an easy target for hackers. Although volumes have been written on this topic, let’s focus on the three most critical actions you can take right now:
• Training: Begin by reviewing the training program you have for your non-technical employees and ensure that you are covering their important role in cybersecurity. Also make sure training addresses the risks they should be aware of and their role in protecting the organization.
• Technical: Establish an appropriate password policy. If your organization is still adhering to the older password standards (required capitalization, special characters, etc.), then your policies may actually be putting your company at risk. The National Institute of Standards and Technology’s latest recommendations no longer call for requiring special characters and capitalization. They find that better passwords are longer and easily memorized, such as passphrases. In fact, many current cyber experts recommend the use of a password manager to provide additional security and convenience.
• Cultural: Ensure a culture of collaboration between IT and non-technical personnel. While this may seem like a no-brainer, it is actually quite challenging. The culture should be one of actual collaboration, with everyone sharing potential risks they’ve discovered, and broadly communicating solutions and preventative measures throughout the organization.
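To make the password-policy point above concrete, here is an added example (not code from the column or from its author) that checks a candidate password against two policies side by side: the legacy composition-rule policy the column warns against, and a policy in the style of the NIST guidance it refers to (SP 800-63B: a minimum of 8 characters, acceptance of at least 64 characters including spaces, no composition rules, and a comparison against a blocklist of common or breached passwords and organization-specific words). The blocklist and the organization words are constructed sample data; a real deployment would use a full breached-password list. The case-insensitive substring match for context words and the repeated/sequential-character test are this example's own choices.

```python
"""Legacy composition-rule password policy vs. a NIST SP 800-63B-style policy.

Added example, not from the column. COMMON_PASSWORDS and CONTEXT_WORDS are
constructed sample data, not real breached-password data.
"""
from __future__ import annotations

import re
import unicodedata

# Constructed stand-in for a breached/common-password blocklist (sample only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd!"}

# Constructed organization-specific words that should also be rejected.
CONTEXT_WORDS = ("acmecorp", "acme")

# The character classes a legacy "complexity" policy insists on.
LEGACY_RULES = [
    ("uppercase", re.compile(r"[A-Z]")),
    ("lowercase", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
]


def legacy_policy(pw: str) -> tuple[bool, list[str]]:
    """Old-style rule: at least 8 characters containing every character class."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in LEGACY_RULES:
        if not pattern.search(pw):
            problems.append(f"missing {name} character")
    return (not problems, problems)


def _is_sequential_or_repeated(pw: str) -> bool:
    """True for runs like 'aaaaaaaa', '12345678' or 'zyxwvuts' (this example's test)."""
    codes = [ord(c) for c in pw]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return len(diffs) == 1 and diffs.pop() in (-1, 0, 1)


def nist_policy(pw: str, blocklist=COMMON_PASSWORDS, context_words=CONTEXT_WORDS,
                min_len: int = 8, max_len: int = 64) -> tuple[bool, list[str]]:
    """SP 800-63B style: length bounds plus a blocklist, no composition rules.

    min_len=8 and accepting at least 64 characters follow SP 800-63B; the
    policy may raise max_len freely. Spaces and Unicode are allowed.
    """
    pw = unicodedata.normalize("NFKC", pw)  # SP 800-63B: normalize Unicode first
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    lowered = pw.lower()
    if lowered in {entry.lower() for entry in blocklist}:
        problems.append("appears on the common/breached password list")
    for word in context_words:
        if word.lower() in lowered:
            problems.append(f"contains organization-specific word '{word}'")
    if pw and _is_sequential_or_repeated(pw):
        problems.append("repeated or sequential characters")
    return (not problems, problems)


def compare(pw: str) -> dict[str, bool]:
    """Verdict of each policy for one candidate password."""
    return {"legacy": legacy_policy(pw)[0], "nist": nist_policy(pw)[0]}


if __name__ == "__main__":
    # Constructed candidates: the first satisfies every legacy rule yet is a
    # well-known password; the second is a long passphrase the legacy rule rejects.
    for candidate in ["P@ssw0rd!", "correct horse battery staple", "Acme2024!", "12345678"]:
        ok, why = nist_policy(candidate)
        print(f"{candidate!r}: {compare(candidate)} {why}")
```

Running the block shows the trade-off the column describes: "P@ssw0rd!" passes the legacy complexity rule but fails the blocklist, while the four-word passphrase fails the legacy rule (no uppercase letter or digit) and passes the NIST-style policy.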
You want to develop a culture in which every member of your team, regardless of position or experience, feels personally responsible for the electronic hygiene of your organization.
Bob Cook, MBA, an instructor of Information Systems at the UCCS College of Business, is also an information systems consultant who helps businesses with cybersecurity best practices and with ensuring their information systems align with organizational needs. Prior to his academic career, he was an executive with several firms. Contact: OPED@uccs.edu