Robust business cybersecurity is the cornerstone of good organizational performance in this age of increased cyber attacks. The importance of good online security is reflected in the way that an average of 270 cyber attacks per organization was experienced in 2021 by organizations participating in an Accenture global cybersecurity survey. This was a 31% increase over the previous year. Cyber attacks include unauthorized access of data, applications, services, networks or devices. That’s why taking care of your employee online security fundamentals is especially important.
The situation worsened during the Covid-19 lockdown. Many businesses had to rapidly change to a WFH workforce, which opened new vulnerabilities because cyber criminals then focused on insecure home networks, broadening the range of potential attacks. Verizon’s 2022 data breach report reveals that 82% of data-breach incidents involved a human error. Here’s how making your employee online security fundamentals stronger, will make your organization safer from cypher attacks.
The first and most important step does not involve any specific software. Cybersecurity is an ongoing process that requires continuous vigilance. Being aware of online dangers is essential if you want to keep your business network protected.
For example, phishing is the most common business hacking method. It relies heavily on human error. Cybercriminals have significantly improved their phishing emails, enriching them with personalized details gleaned from social networks.
In addition, artificial Intelligence technologies can now be used to generate deep fake videos, which are already successfully deployed to extract huge amounts of money. For instance, the CEO of a UK company was tricked into transferring $US243,000 into a scammer’s bank account after the scammer had used artificial intelligence to replicate the CEO’s voice on the phone, asking for the funds to be urgently transferred to a Hungarian supplier.
Research has found over half of remote workers use a personal device to access work data, and two-thirds of cyber attacks target remote employees. The first line of defence is comprehensive cybersecurity training. Participants don’t need a strong technical background. For best results, participants should receive online interactive training, non-interactive training, and some classroom-based methods. Such training for a cyber security response plan teaches your employees how to:
- and recover from a cyber attack.
Employees learn how to identify phishing emails, secure their BYOD (Bring Your Own Devices, eg mobile phones), and generate secure passwords. It’s been proven that employees who undergo such training are less likely to click on an infectious backlink.
Is such training worthwhile? The ROI (return on investment) for security awareness training is significant, according to Osterman Research in a 2019 white paper. Obviously, the ROI for security awareness training can vary widely. But Osterman found that, on average, smaller organizations (50 to 999 employees) can achieve an ROI of 69% from a security awareness training program, while larger organizations (1,000+ employees) can achieve an ROI of 562%. Impressive results.
Remote access protection and safe communication
Cybersecurity is a technical capability managed by technology professionals. Such professionals are not always aware of the most effective ways to communicate with varied internal audiences, who would be participating from many different departments, and with different business experience, from many different age groups, locations, learning preferences and skills.
Therefore, it is essential to prepare a communication plan that takes into account the need to relate effectively to your main internal audiences. Your plan should:
- Determine the current knowledge, attitudes and behaviors of your audience about cybersecurity
- Develop objectives – measurable objectives based on improving on foundational levels of awareness, attitudes and behaviors of employees about cybersecurity
- Tailor your main messages to your audience.
- Prepare briefing material and use the latest industry data on the importance of employee attitudes and behavior to cybersecurity.
- Use recent real-life examples to demonstrate the costs and benefits of cyber awareness to individuals and employers.
- Establish effective feedback processes for your audience to make about the communication activities, and ensure these employees know how to respond to cybersecurity issues.
One of the biggest issues regarding WFH policies is securing remote access to corporate networks. Employees who connect to corporate networks from home might share sensitive files over unprotected channels. If you want to learn more about a safe way to transfer sensitive documents, you can read our article on the topic. This article will explain a more general approach to remote access protection.
The most common threat to remote communication is a man-in-the-middle attack. Hackers target unprotected home networks with spyware that monitors their activity. For example, if your employees have a router with a weak password, hackers can brute-force the password and gain unauthorized access.
The results can be devastating. If an employee uses work-related passwords, the passwords will end up in the wrong hands and grant criminals access to your workplace network. The same applies to the security of cloud operations. Uploading unencrypted files to the cloud over an insecure home network will expose the files to third parties.
It’s best to ensure sophisticated encryption algorithms protect your employee’s remote communication. Business Virtual Private Network is the most popular software that will encrypt employee online traffic, hiding it from unwanted attention. Ensure they use a VPN whenever they connect to work intranets from home.
It’s best to verify that the cloud service provider applies additional encryption to their storage. Furthermore, they should also accept files in an encrypted form. Instruct your employees to use data encryption software and to exchange sensitive information only when it’s secured.
Layered cybersecurity model
Corporate networks are massive and extremely complex. Firstly, having a qualified systems administrator and dedicated cybersecurity person for network security is best. Large organizations require a separate cybersecurity department. Keep in mind cybersecurity is not something one person can handle. It would be best to consider application security, network security, employee device security, and much more. They all require different knowledge.
To simplify this process, apply the Layered Cybersecurity Model to segment your corporate network. This method borrows underlying philosophy from the defense-in-depth military model, which assumes that any defense mechanisms can be breached. Regarding computers, all network parts must be separated and protected individually.
For example, a business firewall should be set up at the network’s perimeter so it can inspect all incoming traffic. You should also install an antivirus on employee devices to provide protection if the firewall fails. Moreover, it’s best to back up business data if the antivirus fails and the network is hit by ransomware. To summarize, this process should form an elaborate circle where each part protects the other if it fails.
It is sound practice to hire cybersecurity professionals to avoid future troubles. However, small and medium businesses often lack sufficient resources because cybersecurity professionals are highly-paid. The steps discussed above don’t require deep technical knowledge or a big budget and will provide security from the most common cyber attacks. These steps will enable you better to understand the importance of employee online security fundamentals.