A cybersecurity expert lays out crucial HR practices to amplify attack readiness for modern businesses
The human element remains the weakest link in cybersecurity: an annual report reveals that 85% of all data breaches are in one way or another caused by an employee. As digital technologies become essential to modern organizations, no industry is safe from cybercriminals exploiting their weak spots.
“Identifying where the risks lie is a good start. But organizations also need to invest in cybersecurity awareness campaigns that address specific risks,” says Oliver Noble, an expert in cybersecurity risk management at NordLocker, an encrypted cloud service provider. Below, he lays out how security-oriented work culture is put into practice at NordLocker and encourages other companies to implement a similar approach.
Security training embedded into onboarding
First impressions matter, so emphasizing security from day one helps instill the company’s priorities. Enroll new hires in interactive courses that go over the company’s policies, explain why they are important, and quiz participants on real-world situations. This makes cybersecurity a learning experience rather than another form to sign and forget. If internal training is not an option, your organization might want to consider hiring a third party to do it for you.
Social engineering, the use of psychological manipulation to gain access to confidential information, is the most common type of cyber threat. That’s why courses on how to identify such attempts should fill a considerable portion of your cybersecurity training regime. “At NordLocker, we have had our share of such attempts. We’ve received ‘friendly’ LinkedIn messages asking for internal information. We’ve even seen hackers posing as the company’s senior executives and sending suspicious messages to employees,” reveals Oliver Noble.
To counter social engineering attacks, emphasize situational awareness and instruct employees to avoid clicking on links in emails or downloading file attachments unless they come from a verified source. Employ experience-based training. Consider deploying drills that imitate phishing attacks on the entire staff: this gives you an overview of the company’s security posture, and for employees the results of such a drill can be an eye-opening experience. Open source tools like GoPhish are well suited to such simulations.
The physical aspects of security are as important as their digital counterparts. They range from preventing unauthorized entry, such as piggybacking or tailgating, to locking the workstation when away from the desk. If applicable, establish clear work-from-home and work-from-anywhere (WFH/WFA) protocols, such as avoiding public Wi-Fi. Also, encourage employees to be aware of their surroundings when discussing work-related information. Physical threats to cybersecurity are genuine and should be considered in every course.
On the development front, consider embedding security into the DNA of your programming operation. Investing in secure development training and checking the integrity of your code with open source tools such as Web Security Dojo will go a long way. “At NordLocker, we have recently started deploying a security champion program. It makes sure that every team of developers has at least one person well versed in secure coding, who amplifies the security message for the entire team,” explains Oliver Noble.
Provide easy ways to reach learning resources and to report potential threats. Create dedicated channels for reporting suspicious activity, staffed by people trained in security risk management. Together with a healthy company culture that promotes openness rather than secrecy, these practices can reduce cyberattacks and mitigate the damage if one should happen.
Lastly, ensure that security training is a never-ending process. New threats emerge regularly, so it is vital to stay vigilant and keep your staff updated on any developments. Make it clear that every employee, from top to bottom, is relevant to the company’s cybersecurity. Regularly brief the board members on cybersecurity developments, and once in a while run company-wide cybersecurity knowledge tests.