How secure is your company from cyber threats, and what can you do to protect it? According to the Ponemon Institute, a research center that focuses on privacy, data protection and information security, a little more than one-third of data breaches are caused by people, such as a careless employee or a negligent contractor. A security disaster can be triggered by something as simple as a single click on a malicious link in an email that an employee receives.
This is why educating and training your employees about cyber security is paramount. They don’t need to be IT experts to understand how to be safe; basic security knowledge will go a long way.
Once employees go through an initial training program, it’s up to company leaders to make sure employees retain this information and, more importantly, apply it. The following 12-step program will help guarantee that your staff stays smart about security.
1. Quiz your employees. Randomly give multiple-choice quizzes a few times every year to your employees. This will help keep what employees learned during training fresh in their minds.
2. Check workstations. This helps make sure that desks aren’t security violations. Think sticky notes with sensitive information, such as passwords, on them. Are filing cabinets locked? Are computers left on without password protection when employees are away from their desks?
3. Plant a spy. Hire someone in the security business that none of your employees knows, whose job is to trick employees into giving up sensitive data. This white hat social engineer should be experienced in the art of "trickery" to see who falls for the trap.
4. Stage fake phishing attacks. See who gets duped into clicking a “malicious” email link by sending staged phishing emails to employees’ inboxes. Of course, the site that the “malicious” link leads to will be safe. These test emails should contain clues that they're not from the alleged sender.
5. Don’t embarrass your employees. Don’t waste time criticizing employees who fall for your pseudo traps. Instead, help them understand why it's critical for them to be on guard—the next trap could be the real thing.
6. Teach tricks and tips. Share the details about how to spot a phishing scam. For instance, grammatical and spelling errors in an email are one tip-off it’s probably malicious. Also, if the sender’s URL contains an IP address or seems to originate from a domain that’s different from the purported sender’s domain, it's most likely not legit.
7. Warn your staff about the legal ramifications. If your organization must adhere to government regulations, inform employees that a security breach could result in possible criminal, financial or legal repercussions.
8. Retest. Consider quarterly tests directed at the duped employees to see if they’ve learned anything.
9. Empower your employees. Coach your staff on how to ask unfamiliar people for credentials and how to ask a stranger what they're doing in the building. Employees should be instructed to always contact a supervisor or security person immediately at the first sign of something suspicious.
10. Learn from the mistakes. After all the testing rounds and follow-ups have been completed, create a list of the lessons learned so you can improve the efficiency of your security awareness program.
11. Repeat. The key to a successful security-awareness program is to make it ongoing and interactive, and to include various educational formats that have inherent repetition. Tests shouldn't always be the same or have a predictable pattern; changing things up will prevent employees from memorizing answers.
12. Encourage daily awareness. Just a few more tips to keep the security awareness going: Post security awareness signs around the building, schedule short seminars and workshops, and publicly recognize employees who take security seriously.
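As an added illustration of the tips in step 6 (not code from the article or its author), the following Python script checks a constructed sample email for two of the indicators described there: a link whose host is an IP address, and a link or Reply-To address whose domain differs from the sender's domain. The registrable-domain helper is a simplification (last two labels, no public-suffix list) and the sample message is constructed.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing the indicators from step 6.
SAMPLE_EMAIL = """From: IT Support <helpdesk@example-bank.com>
Reply-To: support@mail-reset.example
Subject: Acount verification requried
Content-Type: text/plain

Your acount will be suspended. Verify at http://203.0.113.5/login
or use https://example-bank.com.verify-now.example/reset within 24 hours.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def phishing_indicators(raw):
    """Return (indicator, detail) pairs for the URL/domain heuristics in step 6."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    findings = []
    # A Reply-To that points somewhere other than the sender's domain is suspicious.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and registrable_domain(reply_to.split("@")[-1]) != sender_domain:
        findings.append(("reply_to_mismatch", reply_to))
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if is_ip_literal(host):
            findings.append(("ip_address_link", url))
        elif registrable_domain(host) != sender_domain:
            # Catches look-alike hosts such as example-bank.com.verify-now.example
            findings.append(("domain_mismatch", url))
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see all three indicators flagged; a message whose links stay on the sender's own domain returns an empty list.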
By putting this 12-step program into place, you'll be able to better protect your company from the increasing number of cyber threats that strike businesses daily.
Robert Siciliano is the author of four books, including The 99 Things You Wish You Knew Before Your Identity Was Stolen. He's also a corporate media consultant and speaker on personal security and identity theft. Find out more at www.RobertSiciliano.com.