Even the strongest, most expensive safe in the world is useless if you don’t keep its combination a secret. The same is true for data protection. If your company has state-of-the-art encryption technology, it’s unlikely to be effective unless your employees are security-wise.
Mark Knight is director of product management at Thales e-Security
Employees must make daily tradeoffs between security and productivity, which means regular security training is necessary for safeguarding company and customer data. Common sense alone is not the answer. For example, should an employee connect an encrypted USB stick to a hotel business center computer to print confidential files? No: even though the USB stick is encrypted, never trust business center PCs. A hotel PC might be infected with malware that could copy confidential files from the USB stick and distribute them online. Would your employees notice and flag an intercepted SSL (Secure Sockets Layer) browser session to a cloud-based business service? In many cases they wouldn’t; users have often become desensitized to security warnings and, without regular training, may absent-mindedly click “Ignore” or “Accept” when a security warning appears.
What precautions should be taken when travelling abroad? When travelling, the risk of Internet connections being intercepted may grow, so always connect through your corporate VPN. What are the risks of using a cloud-based meeting service? Several meeting services offer a publicly accessible list of scheduled meetings, and meeting room PINs are often reused across several meetings. What might a customer or competitor hear or see if they dialed in early? Who may have access to call recordings?
Here are top recommendations for ensuring your employees are security-wise:
1. Build a Culture of Good Personal Security
Advanced Persistent Threats generally start with hackers focusing on high-reward targets such as IT administrators and employees with access to data or applications. Canny attackers leverage social media to gather background information that helps them identify and attack their victims. For example, once an attacker has mapped a victim’s social network, it becomes much easier to send a convincing phishing email that appears to come from a trusted colleague. Organizations must educate and empower their employees to make sensible decisions about how much personal information they expose when sending emails or posting job-related information on social networks.
2. Don’t Mix Security with Productivity
IT departments frequently depend on technical measures such as web security products and Acceptable Use Policies to enforce good security practice. Avoid folding security and productivity policies into one generic set of abstract restrictions: staff will be less inclined to bypass technical controls or ignore policies during their lunch break if they grasp the purpose of the organization’s Acceptable Use Policy and the threats it addresses.
3. Implement Dual Control
Organizations of all sizes must implement strong dual control for their sensitive operations in order to remain secure. Even with strong cryptography and responsible employees, attackers can target “super users”: employees with high-level access who, in the eyes of an attacker, represent a single point of vulnerability. For example, where software-based encryption is used, a systems administrator frequently has access to the data encryption keys. If that administrator’s account is compromised by a social engineering attack, all of the organization’s data is at risk of exposure. Therefore, make sure that more than one person must authorize every access to sensitive data or sensitive encryption keys.
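The dual-control rule above can be enforced in software rather than left to procedure. The following is an added example, not code from the article or from Thales e-Security: a key-release check that only succeeds when two distinct, authorized approvers have each signed the same request. Approver names, the HMAC secrets, the key identifier and the request nonce are all constructed for illustration; in a real deployment each approver’s credential would live on a smartcard or inside an HSM, never in source.

```python
"""Dual control (2-of-N) authorization for a sensitive key-release operation.

Added example: a release request must carry valid approvals from two distinct
authorized approvers, so a single compromised administrator account cannot
release a data encryption key on its own.
"""
import hashlib
import hmac
import json

# Constructed secrets for the example. Names and values are hypothetical; real
# approver credentials belong on a smartcard or in an HSM, not in source code.
APPROVER_SECRETS = {
    "alice": b"constructed-secret-alice",
    "bob": b"constructed-secret-bob",
    "carol": b"constructed-secret-carol",
}
REQUIRED_APPROVALS = 2


def canonical_request(key_id: str, purpose: str, nonce: str) -> bytes:
    """Serialize the request deterministically so every approver signs identical bytes."""
    return json.dumps(
        {"key_id": key_id, "purpose": purpose, "nonce": nonce}, sort_keys=True
    ).encode()


def approve(approver: str, key_id: str, purpose: str, nonce: str) -> dict:
    """An approver authorizes one specific request by computing an HMAC over it."""
    mac = hmac.new(
        APPROVER_SECRETS[approver],
        canonical_request(key_id, purpose, nonce),
        hashlib.sha256,
    ).hexdigest()
    return {"approver": approver, "mac": mac}


def release_key(key_id: str, purpose: str, nonce: str, approvals: list, used_nonces: set):
    """Decide whether the key may be released.

    Returns (allowed, reason). Release is permitted only when REQUIRED_APPROVALS
    valid approvals from distinct approvers cover this exact request and the
    request nonce has not been seen before (replay protection).
    """
    if nonce in used_nonces:
        return False, "replayed request nonce"

    message = canonical_request(key_id, purpose, nonce)
    valid_approvers = set()
    for approval in approvals:
        secret = APPROVER_SECRETS.get(approval.get("approver"))
        if secret is None:
            continue  # unknown approver: ignored, never counted
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        # Constant-time comparison; a MAC over a different request will not match.
        if hmac.compare_digest(expected, approval.get("mac", "")):
            valid_approvers.add(approval["approver"])

    # A set, not a count: the same account approving twice is still one person.
    if len(valid_approvers) < REQUIRED_APPROVALS:
        return False, (
            f"need {REQUIRED_APPROVALS} distinct valid approvals, "
            f"got {len(valid_approvers)}"
        )

    used_nonces.add(nonce)
    return True, "released with approval from " + ", ".join(sorted(valid_approvers))


if __name__ == "__main__":
    seen = set()
    req = ("dek-42", "restore backup", "nonce-0001")  # constructed request
    print(release_key(*req, [approve("alice", *req), approve("bob", *req)], seen))
    # A lone administrator approving twice is refused:
    req2 = ("dek-42", "restore backup", "nonce-0002")
    print(release_key(*req2, [approve("alice", *req2), approve("alice", *req2)], seen))
```

The design point is in `release_key`: approvals are verified against the exact request, counted by distinct identity rather than by number of signatures, and each nonce is consumed once, so neither a second signature from the same compromised account nor a replay of an earlier approved request gets a key out.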
4. Classify Data
Every mobile and portable device today is equipped with fast fiber-optic broadband speeds and large memory capacity, so large amounts of data can leave an organization within seconds. All employees should be encouraged to classify and apply protective markings to sensitive assets; this empowers them to make good information security judgments. If sensitive data is classified properly, staff will know when it is safe to open a file on a personal tablet and when a document should only be edited on a remote desktop to reduce exposure. With the widespread adoption of bring-your-own-device policies, organizations should consider providing employees with subsidized security solutions for use at home as part of an enterprise public key infrastructure (PKI) that can issue digital certificates and enforce limited trust.
5. Train the Trainers
Last but not least, ensure that all IT staff, PC support, administrators and others who are frequently in contact with employees are regularly briefed on security. IT staff are fundamental to developing a culture of proactive security, both through formal training and by demonstrating and cascading good security practice in their daily communication with end users.
Effective, future-proof security requires a shift in approach that is only achieved when employee training is a priority. The way we configure and use information technology is just as critical as the selection of security products and policies. While the return on investment for security is hard to measure, periodic training as part of a balanced and holistic approach to security will yield greater incremental benefit per dollar spent than strategies that depend solely on technology and security products.