Your employees may be your greatest information security risk, but security takes a whole company. Management, IT and regular employees all need to be fully trained and on board.
When it comes to cybersecurity, we hear a few common refrains. "Security is top-down." "Invest more in your IT." However, the current trend is to place the blame squarely on your employees. Rightfully so, it might appear. After all, cyberattackers rely on human error as the greatest security risk. The obvious reason is that, in most companies, the majority of staff are plain old employees. It follows that employees open more emails, click more links, have more devices and are more likely to use public Wi-Fi while traveling. Highlighting that human error is responsible for 90 percent of attacks makes sense. Singling out human error is appropriate, but only once the other prime areas of concern have been addressed.
Focusing on your employees as your greatest risk in cybersecurity is fair, but only if we combine it with two caveats:
1. IT departments have the resources to properly execute security.
2. Management supports, encourages and actually enforces IT policy.
If we think of cybersecurity holistically, three organizational pillars share responsibility: IT, management and employees.
IT department responsibilities
IT investment is the clear first line of defense. Cybersecurity technology is very efficient and effective. Despite the barrage of doomsday headlines we hear, a huge majority of threats are stopped before ever reaching your employees' inboxes. Over 90 percent of attacks start with an email, and providers like Gmail intercept more than 99.9 percent of unsolicited emails. URL defense solutions are stopping many click-to-phish attacks, and machine learning is increasingly integral to security software. Endpoint protection and antivirus software have made many cyberattack vectors less profitable for criminals, or obsolete altogether.
IT admins must be able to make the business case for tighter security. The average manager cannot be expected to stay on top of the latest security technology and appropriate expenditures. The solutions should be appropriate for the industry and its regulations, maximizing security while minimizing inconvenience.
Admins should also regularly test system integrity and resilience, and implement phishing tests to monitor employee awareness. On a more technical front, IT admins need to regularly update software and patches – integral factors in security – while ensuring backup integrity, an essential continuity element.
These tactics are all essential to the IT plan and shield your company against a huge majority of threats.
Cybersecurity investment is a key first step, and management buy-in can be a major obstacle. Without management support, programs cannot be properly implemented. Cybersecurity is constantly evolving, and the commitment to it must be constant. This is where the case that cybersecurity is a top-down effort holds water: While IT departments should be able to make the business case on cybersecurity investment, it is ultimately up to management to give budgetary approvals. Management needs to conduct a cost-benefit analysis on security technology, being aware of the costs of a breach and how much spam alone can cost the business.
Managers need to ensure that the awareness and training program is being adopted. Leading by example is a must, as is a zero-tolerance policy for putting your company at risk.
One threat is CEO fraud, or a business email compromise scam, which is phishing targeted at those in management who can release funds. C-level executives – and any other managers with permission to authorize financial transactions – must receive additional training and have multifactor authentication (MFA) for such transactions. (However, scammers are increasingly figuring out ways to bypass MFA, so it's not foolproof on its own.)
The employee program
With IT and management on board and technology in place, then yes, your employees are your greatest cybersecurity risk. Nearly all of the above falls outside the responsibilities of your non-IT employees. The common idea that human error is the greatest risk to cybersecurity is true – if we add "when they aren't following the IT plan."
Basic elements of that IT plan should include how to spot and identify a phishing or malicious email, how to protect personal data, password management, the risks of email attachments, and how to carry over best security practices to their personal devices (especially given the increase in BYOD).
When traveling, every employee needs to understand the risks of connecting to public Wi-Fi or plugging in USB devices, and to be mindful of their devices at all times.
Employees need to feel comfortable with IT teams and know that no question is too stupid. Yes, IT departments are overworked, but if employees build a habit of reaching out to IT about a suspicious email, it will save a lot of time, money and aggravation in the long run. It's important to create an environment that encourages employees to think twice before opening or clicking that suspicious email.
Whose responsibility is cybersecurity?
Targeted phishing is where employees really are the greatest risk. But if the proper steps are taken, responsibilities delineated and the importance of mitigating cyberthreats understood, the chances of a security breach are dramatically reduced. Though there are things employees need to be held accountable for, it should be evident that cybersecurity is an intra-organizational effort and requires cross-silo buy-in to be effective. Ultimately, your security is only as strong as your weakest link.