Around 39% of respondents to a recent business survey conducted by Tech Pro Research said that their company has a formal, regularly updated policy for cybersecurity, typically covering employee training and automatic software updates, and often with the inclusion of new firewall or anti-virus products.
Unfortunately, an equal number of those polled (39%) said that their companies didn’t have a cybersecurity policy at all. Still others revealed that though their organization had a security policy, it wasn’t updated regularly.
Perhaps most worrying, though, was the discovery that 58% of the employers surveyed admitted that their greatest challenge in implementing a cybersecurity strategy was getting their employees to comply with its terms.
Human error, ignorance, and lax practices are often cited by security professionals as a major factor in the occurrence of security breaches, hacks, data losses, and other such incidents. It’s clear that an awareness of best practices for security and a willingness to do what’s necessary to comply with company policy are a must – but how can employee compliance be guaranteed? That’s what we’ll be considering in this article.
Why a Cybersecurity Strategy Is Necessary
Given the huge number of threats facing businesses today in the form of malicious software, organized attacks, spying, infiltration, and sabotage, expecting to be able to respond to a security incident in an unrehearsed and ad hoc manner simply doesn’t make sense.
There has to be a plan. And in the current cyber-threat environment, that plan has to be a comprehensive and good one.
An effective cybersecurity strategy needs to protect corporate data, applications, infrastructure, and personnel, clearly setting out its business objectives, explaining how to use appropriate tools and techniques, and laying down the rules and policies for acceptable and secure practices.
What a Cybersecurity Strategy Should Include
Guidelines for best practices in preparing a cybersecurity strategy stress the importance of considering the following factors:
- Governance and Risk Management: There needs to be a framework in place for decision-making, and the handling of issues such as creating policies, managing the various processes, and establishing relevant controls and checks.
- Risk Assessment: Regular assessments should be made to identify and document assets within and around the enterprise, and the threats they might face. Risk and threat levels should be graded and prioritized, with measures taken to remedy any factors that can be addressed immediately.
- Technical Controls: These would include security devices and software such as firewalls and anti-malware suites, mechanisms for protecting data, penetration testing, and standards for encryption.
- Planning for Incident Response: Establishing threat levels, defining who is responsible for doing what, and setting out the required procedures.
- Information Sharing and Threat Intelligence: Cyber-threat levels need to be periodically re-evaluated – together with the organization’s ability to cope with them. Consultations with industry partners and threat intelligence databases can be crucial to this.
- Vendor Management: Dealings with sub-contractors, third-party service providers, etc. Their security posture and how information is shared with them both need to be regularly assessed.
- Cyber-threat Insurance: An essential these days, to provide a financial cushion against the inevitable occurrence of a security incident.
- Staff Training: Acquainting workers with security best practices, current techniques, and what’s required to comply with company policy.
Considerations for Recruitment and Hiring
That last point about staff training is one that should ideally also be included during the recruitment, hiring, and onboarding processes. In addition, prospective staff members should be subjected (within the requirements of data privacy and other laws) to thorough vetting and background checks, to help identify those prospects least likely to become a disruptive or destructive influence on the organization.
Identifying staff members who are most likely to fit the corporate culture of the enterprise increases the chances of hiring employees who will be more likely to comply with the company’s cybersecurity strategy.
The Importance of Workplace Culture
It’s important to foster and maintain a workplace culture that puts security high on its list of priorities – and one in which secure practices are an everyday aspect of “work as usual.”
Rather than thinking of it as a separate function, cybersecurity should be embedded within all business processes. Collaboration and a sense of shared responsibility should be encouraged across all departments, with employees given as much flexibility as official policy will allow.
To achieve maximum support for the cybersecurity strategy, this culture of security needs to begin at the top, with chief executives demonstrating their active participation, and acting as an inspiration to those below them on the corporate ladder.
Encouraging Secure Convenience With Single Sign-On (SSO)
Getting employee support for a security strategy becomes that much easier if workers don’t have to go through a set of frustrating (and to them, largely unnecessary) procedures to get access to the resources and systems they need to do their jobs.
Having to enter separate passwords or security codes to log on to each enterprise software platform, or to gain access to applications and files, is one typical source of annoyance for employees. One effective way around this is to introduce a Single Sign-On (SSO) policy. Here, each worker is assigned a single password, and with this they can gain access to whatever tools and resources they require from the corporate network.
Of course, with a single point of access, there’s also a single point of vulnerability. So while Single Sign-On is preferable to having workers jotting multiple passwords on notepads or Post-it notes, SSO passwords must be as strong as possible, and changed on a frequent basis. Designing access protocols with an expiration period for each password is one way to encourage this.
Using biometrics (fingerprint scanning, facial recognition, etc.) with a Single Sign-On policy can streamline the authentication process, and allows for the option of multi-factor authentication (password plus fingerprint, etc.) for critical applications or resources.
Using Employee Identity to Ease Endpoint Management
A sense of ownership and personal investment in the overall security of an enterprise also contributes to encouraging employee adoption of the organization’s cybersecurity strategy.
Policies like Bring Your Own Device (BYOD) and the deployment of virtual desktops from the cloud enable workers to use their own hardware, and to connect to office networks from any location. This also has the effect of extending the boundaries of corporate networks to include numerous endpoints – potential attack surfaces which need defending.
Mobile apps may be secured on the basis of employee identity, using virtualization in a combined approach that delivers the workspace and secures individual applications at the same time. Mobile app and device management platforms may be used to set out and enforce the security conditions which each user must comply with in order to gain access to the resources they need.
Using Training Programs to Encourage Compliance
Training programs may be introduced to serve a number of purposes. They can be used to help educate workers in security best practices, current techniques, and technologies, while also creating security awareness and familiarity with the specific terms of the company’s own cybersecurity strategy.
Electronic learning or eLearning resources are now widely available to ensure that these training programs are engaging and relevant enough to merit employees’ attention, while effectively communicating essential course material.
Periodic test runs or “fire drills” should also be conducted, to gauge how workers apply what they have learned, and to help identify weak spots or threat vectors which may have been overlooked.
Using the Cloud to Ease Security Management
Beyond application and resource delivery, cloud services and trusted third-party contractors can help organizations ease the burden of in-house security management.
We’ve seen already how vetting and background checks of prospective job candidates can help organizations avoid hiring potential troublemakers from the outset – and there are specialist contractors who offer these vetting services on a third-party basis. All manner of security functions are also available as cloud-managed commodities from the growing class of managed service providers (MSPs).
With a careful assessment of which functions, roles, or assets most require in-house management and protection, and which could be shifted to the cloud, the workload of a company’s security team can be reduced – and more time made available for support, training, and one-on-one consultation with staff members.