Cybersecurity Awareness Month – Week 2

By Dave Bock | October 13, 2017 | Cybersecurity

Let the Cybersecurity Celebration Continue!!!

October is National Cybersecurity Awareness Month and the second week focuses on cybersecurity in the workplace.  At one time, it was thought that cybersecurity was solely the responsibility of the IT department.  This is simply not the case anymore as everyone needs to be involved in building and supporting a culture of cybersecurity in the workplace.  

What should you be doing? We will break down some key things to focus on at each level.

Employee Level:

Consider yourself on the front line of the cybersecurity battlefield.  Many attacks succeed because people assume that IT has everything covered and that whatever anti-virus software is installed on their machine will deflect any attack.  This simply isn’t the case.  So what can you do?

Think about cybersecurity as you would securing your home.  Do you lock the door when you leave the house?  Then lock your computer when you leave your desk.  Do you let just any stranger wander into your house without knowing who they are?  Then treat emailed links, attachments and other software the same way.  Are you suspicious of strange behavior from someone wandering around the block?  Then be just as suspicious of odd emails or phone calls, which may actually be part of a probing phishing attack.  You don’t have to have detailed technical knowledge to be effective with cybersecurity best practices.

Manager Level:

In addition to following the basic principles of cybersecurity, as every employee should, managers need to provide oversight to make sure everyone else is following them as well.  Are you making sure that your staff is aware of company policies?  Are you taking the time to participate in cybersecurity education so that you may pass along relevant information to your staff?  Consider making games or promotions out of best practices to promote a positive culture of cybersecurity as opposed to using threats and fear tactics.

IT Level:

The unsung heroes of the cybersecurity war.  When everything is working well, no one cares or notices.  If something goes wrong, however, look out.  The technology response to cybersecurity threats is ever evolving and it is the IT department’s job to assess and implement the best solutions to fit the needs of the company and the environment they are working with.  Yes, traditional boundary protection is still needed and anti-virus/malware tools are not going anywhere, but you also need to make sure you are following best practices to ensure data security.

If we have learned anything in recent data breaches, it is that we cannot make it so easy for attackers to access information even if they do manage to pierce initial defenses.  Data encryption and segregation methods should be standard practice now.  Default passwords on equipment should never even be a consideration.  Take an active role in cybersecurity.  If you see a practice which should be improved, push for that improvement.  Yes, it often means work, but the alternative could mean you expose critical information for 143 million American citizens.

Executive Level:

More than ever before, executives need to be involved in cybersecurity and the good news is that they are.  What should you be doing?  If you are just having meetings where an IT manager is giving you a status report, you are doing it wrong.  Company policy should come from the top and there is plenty of help to ensure you are going down the right path.  Pick a solid and proven framework and build your cybersecurity plan around it.  We always suggest using a cybersecurity framework from NIST as they have provided the gold standard with their Special Publication 800-53 which covers a comprehensive list of security controls aimed at securing Federal level systems. 

As an executive, you want to take an active role in understanding the business and the threats that can cause the most harm.  Are you a company that houses a lot of Personally Identifiable Information (PII) or Protected Health Information (PHI)?  If so, data protection may be your highest priority.  Are you an e-commerce company that relies on a website that is always available to customers?  Then perhaps service disruption should be where you focus your attention.

At the executive level, you should have insight into the entirety of the business which should allow for effective assessment and communication of priority.  Additionally, do your best to really learn about how everything works at a high level.  You don’t need to know how to program a computer to understand the basics of how cyber attacks work and what you can do to stop them.

Everyone:

Cybersecurity is a team effort now.  Everyone needs to be involved and everyone needs to play their part.  It may be scary and daunting but good practices are actually not that difficult and make for a much more secure work environment.

 

Dave Bock
