Week 2: Cybersecurity in the Workplace is Everyone’s Business



Creating a culture of cybersecurity is critical for all organizations ‒ large and small businesses, academic institutions, non-profits, and government agencies – and must be a shared responsibility among all employees. Data breaches continue to plague organizations across a wide variety of industry sectors, often exploiting well-known vulnerabilities. Many organizations are struggling to keep their technical security controls current. Increasingly, organizations must take active measures to prevent and respond to data breaches, and specifically address crucial organizational and network issues.


Understanding common pitfalls that lead to data breaches:


In today’s world, the fear of a data breach is at the forefront of every organization. Protecting your sensitive data is critical to the lifeline of your mission. Unmistakably, all qualified personnel is valuable assets to any organization’s resources. In contrast, the role that untrained personnel play in the vulnerability of an organization has massively grown. Human error is a major factor in breaches and trusted but unwitting insiders are to blame. From misaddressed emails to stolen devices to confidential data sent to insecure home systems, mistakes can be very costly. The riskiest of these are well-meaning IT admins, whose complete access to company infrastructure can turn a small mistake into a catastrophe. Simple tasks like having an organization security policy which is enforced from top to bottom allow personnel to “buy-in” and share the responsibility. Implementing role-based access controls that are created according to users’ need to know, enforcing account lockout policies, enforcing password policies, maintaining an incident response plan, and reporting suspicious activities will all help to keep your organization more secure.



Provide security awareness training for your organization:


Your employees are your greatest asset, but they may also pose the greatest data breach risk to your organization. Unfortunately, multiple studies and research point to employees as the leading cause of data breaches. Providing security training and awareness for your organization is critical. You wouldn’t want them or yourself to fall victim to social engineering or a phishing scam. In order for security awareness programs to succeed, it is not enough to merely provide employees with information; we have to change their learning environment to support the development of an improved instinctive reaction to security threats. Seek and implement ways to train your staff in everything from laptop protection to social engineering identification.



Train Everyone:


The use of computers in all fields has become ubiquitous. From mechanics to nurses to waiters and waitresses, computers and applications have been developed to make jobs easier and serve customers faster. With this rise in automation, users are required to learn new ways to do their jobs, often with insufficient training and little attention to security. The recent cases of cars being hacked, customer data being stolen from retail stores, and computers being held hostage with ransomware makes it critical that all users be trained to look for security and vulnerability indicators. Organizations need to focus on providing awareness training for ALL users including looking for vulnerabilities. Frequent, short messages may be a more effective method for providing users with updated information in addition to annual refresher training. All users should be reminded to be cautious about clicking on links or opening attachments in emails, even from people they know. They should also be trained to follow established security procedures for password protection. Users should also be made aware to look for suspicious devices in their areas from credit card skimmers to fake access points. They should be trained on the organization’s policies on access to restricted locations and ensure that all users know the process to confront a user and ask for identification. Users should also ensure that they update devices when notified by the manufacturers.


Provided by CSIAC