- Enhance business cybersecurity against insider threats by keeping rules for employees simple and easy to understand.
- Customize effective security training and guidance for employees by following the same playbook that attackers use.
- Foster an open environment for information sharing among IT and security teams and employees to enhance security.
- Eliminate rules that complicate password practices for employees.
“One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose,” says Maarten Van Horenbeeck, VP of Security Engineering at Fastly, in the Harvard Business Review.
According to Horenbeeck, who served on Amazon’s Threat Intelligence Team and held security roles at Google and Microsoft, businesses can better equip employees against targeted attacks by taking the following steps:
Use attackers’ playbook: improve security training to focus on attackers’ tactics
IT personnel or those in charge of providing employee security training can customize sessions to teach employees what an attacker would actually do in a targeted campaign. Horenbeeck calls this method “teachable moments” because it delivers focused information to specific individuals in a way that is directly applicable to them.
He adds that current training techniques tend to overwhelm employees with general guidance and comprehensive information during mandatory half-day security training sessions. Long, mandatory training sessions are typically ineffective because many people tune out due to information overload.
“…The most dangerous phishing emails — spear phishing attacks that are targeted at high-value employees — work because they are customized to fool exactly the person they are sent to. Requests for tax information and fake wire transfer requests look like they are sent from the CEO or CFO to someone in the finance department using the appropriate language,” Horenbeeck explains.
Eliminate rules that complicate password practices for employees
New guidelines from the National Institute of Standards and Technology (NIST) advise businesses to allow the use of password managers, so that employees are able to paste passwords into login fields rather than having paste blocked.
The guidelines also recommend using multi-factor authentication and key fobs.
Foster open culture among employees, the IT department, and security team to enhance information sharing for improving cybersecurity
Horenbeeck explains, “The security and IT teams need to be seen as trusted and helpful advisors to employees, instead of as regulators.” To improve this dynamic, he recommends that businesses increase opportunities for interaction between employees and IT.
Cultivating this relationship, for example through regular office hours, reduces the negative cultural and security effects that can come from animosity between IT staff and other employees.
IT staff should not treat employee questions and help requests as “annoyances,” and employees should not treat IT and security staff as regulators.
The key takeaway is for all to work together to enhance cybersecurity as a unit
As the 2017 Verizon Data Breach Investigations Report reveals, employee alerts are one of the most common ways cyberattacks are discovered. Giving employees the information and tools they need to recognize attacks is therefore a major part of a business’s security program.