How to Manage the Most Vulnerable Aspect of Enterprise Security: People
IT must consider the cybersecurity risk posed by the human element in their enterprise security framework. The number of data breach incidents occurring on account of human error is on the rise. The sources of human error include bad habits, low awareness of security threats, and the increasing sophistication of the social engineering attacks. Bulk of them can be addressed with some simple steps.
1. Accessibility
We have all lost our devices at some point or another. Well, at least most of us have. So, if and when an employee loses their device, they should feel comfortable sharing this information with a security expert in your company who can address this. All employees must know whom to approach when they lose their device and should feel comfortable approaching them. Having ways to deal with this situation through Mobile Device Management (MDM) or other ways is no less important either.
2. Create a List of Bad and Good Habits
A big part of the human risk are bad habits. People using their phones without a security lock or encryption, leaving their computers without logging off securely, keeping sensitive information on freeware or easy-to-hack software, and so on are just a few of them.
IT heads can make a list of bad habits that need to be addressed and educate the employees on more secure and safer alternatives. They can even create a whitelist of apps and services that employees can use on their BYODs. Have a policy and review that policy often. If you don’t have a policy have an expert write one with you, not for you.
3. Educate on Common Social Engineering Techniques
The bulk of the victims that fall prey to social engineering techniques are tech-savvy employees. This indicates low awareness of the cyber threats that they face. Therefore, there is an urgent need for IT heads to educate their employees on the most common types of social engineering techniques employed by hackers such as lost & found flash drives, general phishing emails, fake office attire or fake-uniformed access to the office, and so on.
4. Simulated Attacks
Simulated cyberattacks are gaining popularity among organizations serious about improving their enterprise cybersecurity framework. In fact, entire business models are today built around such services. One of them is Vishing as a Service (VaaS). A VaaS provider makes simulated vishing calls on the organization’s behalf to their employees and identifies the weak points in their human chain. An extensive report is generated based on this, which allows organizations to improve their security posture.
5. Prevent Oversharing on Social Media
Although this may be met with resistance, social media users often share a great deal of information about themselves online. A silent observer can monitor their online behavior, learn about them, and use that information to trick them or their colleagues in creative ways. They can send job offers on LinkedIn, along with compromising links. They can use this knowledge to “guess” their passwords or answers to their security questions. The possibilities are endless.
Employees may ignore calls by the organization asking them not to share “too much” but will be more amenable to employing better privacy settings on their social profiles. So, employees with access to confidential corporate information can be informed to use better privacy controls on their social profiles, so that their information does not fall into the wrong hands.