Irrespective of the size or industry sector, businesses are increasingly facing cyber and cyber-physical attacks. Businesses have assets which are important to cyber-criminals: employee, customer and company data, communications information, money, trade secrets, and so on. Combating cyber-criminals using a selection or combination of commercial and/or free cyber-security tools is one important part of an overall cyber-security preparedness and prevention strategy. However, another essential part of such a strategy for any business must be the human element: a well-informed, supportive and supported workforce. The internal threat (the threat posed by malicious or unwitting employees) is a real one, however, it is still safe to believe that most employees do not turn up to work looking to deliberately bring down the companies they work for. End-users are crucial to the cyber-security processes of companies and employers must invest in educating and supporting their employees in this area.
Recommendations outlined here for improving employee engagement in the cyber-security goals of organisations must be supported with relevant security tools and technologies and a consideration given to acceptable and unacceptable risk.
Supporting employee engagement in the cyber-physical security strategy of companies
1. Communicate the security policy
Companies should ensure they have a clear, easy-to-understand security policy and that it is communicated widely across the organisation. It may even be useful to display a summarised version of the security policy around the offices. The policy and its summary should identify a named person to whom employees should report suspected security incidents; this can be a manager, a company security manager (e.g. the Chief Information Officer (CIO) or Chief Information Security Officer (CISO)) or an Incident Response Team. The policy may also provide scenario-specific guidance on how employees should respond to situations such as ransomware-locked machines, discarded USB sticks and suspicious phone calls, among others.
2. Train early and train continually
Companies should have a robust security awareness programme in place. Security training is often treated as a tick-box and form-filling exercise with no real interest in helping the employee gain any real knowledge of what to avoid and why certain habits and sites need to be avoided. An internal cyber-security engagement strategy should focus on the benefits of a good cyber-physical security culture (cyber-hygiene). The training should be delivered in a way that engages employees (new, old and those changing roles) in the training process and should avoid situations where (and this is not unheard of) employees scroll through the training slides/videos and then guess their way through multiple-choice questions. All training should take employees closer to the reality of attacks: it is not enough to talk about the impacts of successful attacks; it is important to demonstrate the potential impact and losses to the company, which can include loss of revenue, reputation and time, company closures, and even the effect a successful attack can have on the future employment opportunities of the employees themselves.
Companies may also consider rewarding or, at the very least, praising employees who detect and/or prevent dummy (and real) attack attempts.
3. Bespoke training
It may be useful to consider customised training packages because, in some cases, one-size-fits-all training packages may not be suited to all industries and employee roles. Additionally, any potential for internal security staff to support or enhance this external training should be explored.
4. Employee wellbeing
Disgruntled employees are recognised as the source of some of the internal malicious attacks that companies face, such as data theft and malware deployment. Employers should recognise this potential threat source and use approaches such as internal soft campaigns (away days, one-to-one discussions with employees about their concerns, training) and an overall support structure to identify issues and potentially reduce the risk of attacks by disgruntled employees.
5. Company rhetoric
It is essential to encourage security teams to avoid using statements such as “end-users are the weakest link”. These can and should be replaced by a supportive, welcoming and understanding attitude, guiding employees in the right direction without being derogatory.
6. Lay the foundation
Companies should consider using their job advertisements to highlight the company's keenness on security best practices so that potential joiners are aware of the enthusiasm for security within the company.
Beyond obtaining senior-management buy-in, it is crucial to make employees part of the overall cyber-physical security process. It is important to avoid taking a “rap their knuckles” approach with employees if they make mistakes. Instead, an engagement approach should be taken, with the aim being to make secure practices an integral part of business as usual. It is essential to develop a culture where employees feel free and even enthused to make reports within the organisation about their cyber-security concerns knowing that their concerns will be dealt with seriously.
8. Continuous preparation
In addition to penetration tests on technological infrastructure, companies should carry out regular human-based penetration testing exercises and cyber-attack drills. These can include social engineering and fraud-based exercises, which should help put employees in the frame of mind of always being conscious of, and prepared for, the threats they may face.
9. Know your employee
By being observant of employee behaviour and picking up on changes such as anxieties or atypical late/early working hours for no known work-related reason, companies may be able to identify successful attack campaigns, e.g. blackmail involving data theft, and put a stop to them.
10. Personal threat vectors
Inform employees that attackers may target companies by targeting their employees through their personal emails, phone numbers and even their homes. Awareness of this possibility should encourage employees to apply the same cyber-security culture developed at work to company data and devices wherever they work from.
Companies must endeavour to provide employees with the resources needed to do their work effectively and efficiently. If employees require, for instance, file-sharing tools for their work and nothing is provided, they may resort to freely available file-sharing sites. This might put customer Personally Identifiable Information (PII) at risk, with the company therefore potentially breaching the Data Protection Act (DPA).
12. Security affects employees at all levels
It is crucial to provide cyber-security awareness training for senior-level staff and to ensure that, if they have been victims of successful attacks, the company is notified so that appropriate measures can be taken to reduce the impact of the attack; in the case of whaling attacks, for example, this may mean stopping further funds or data from leaving the company. In addition, the behaviour of senior-level staff influences their junior colleagues: a lackadaisical attitude towards cyber-security by senior management will be counterproductive to an overall company security strategy.
13. Stay informed and current
All security and all senior staff must stay abreast of the latest trends, threats, risks and approaches to security.
It is essential to make it clear to employees that a certain degree of accountability for cyber-security hygiene with respect to the company assets they interact with will be expected of them. This can be supported by requiring employees to acknowledge that they have attended mandatory, relevant cyber-security training sessions which relate to those assets.
While security tools can identify and pick up on some threats, it is important to support these tools with vigilant employees who back an overall cyber-security strategy. When employees are engaged and involved, they begin to own some of the security processes, support them and even report things that concern them, such as suspicious phone calls, emails and discarded devices.
Contributed by Edewede Oriwoh MSc., PhD, cyber/physical security researcher and enthusiast.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.