Employees are fast becoming the weakest link in the defence against cybercriminals. Whether through innocent mistakes or because they were targeted for their access to sensitive information, employee error often opens the door to malware or information theft.
Sean Duca, vice president and regional chief security officer, Asia Pacific, Palo Alto Networks, said, “Successful attacks often involve poor processes or human error. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Companies need to put themselves ahead of emerging threats.”
Palo Alto Networks has identified three key ways businesses can protect themselves against such threats:
1. Incorporate security awareness into the organisational culture
Businesses with strong security processes are still vulnerable to innocent mistakes and human error. Employees become agents of a malware attack when they simply click on a link in an email they may have received from an internal team member or outside contact. Attackers are constantly developing new techniques to break into networks, including targeting employees in areas that may be less aware of the risks.
To remain safe, businesses need to conduct frequent and recurring training for employees regarding the various techniques attackers use, and how to identify suspicious links as well as possible new risks. To reduce errors, awareness of these risks needs to be ingrained in the corporate culture of the organisation.
Sean Duca said, “It’s incumbent on all employees to take responsibility for their cyber practices; this must include a top-down approach. If an executive doesn’t take their security seriously, their employees won’t. This includes being aware of the possibility for legitimate websites to be hacked and the increase of compromised websites targeting users with specific interests.”
2. Move beyond a compliance-driven approach
Compliance-driven approaches have proven to be ineffective for organisations when used for employee security training. Businesses should instead focus on educating employees on how to protect their personal data, which in turn encourages employees to adopt further security-orientated practices in the workplace.
Employee training may also take different forms, including the increasing practice of gamifying cybersecurity education programs.
Sean Duca said, “Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with phishing emails correctly.”
3. Limit the number of employees with administrative access
Only those with appropriate clearance should be able to access files. Giving all employees blanket access means attackers only need to compromise a single account to gain access to a business’s entire system.
Businesses should also have security controls in place to monitor for, and guard against, human error. For example, using multi-factor authentication to restrict access to a document store or application limits the exposure of sensitive information and ensures cybercriminals cannot access data and systems.
Sean Duca said, “By ingraining cybersecurity practices within organisational culture, introducing new ways of training, limiting access to only those with authority, and educating employees to practice safe and secure behaviour online, the cyber risk for businesses can be greatly reduced.”