We have all heard the old adage “An Ounce of Prevention is worth a pound of cure”, and in many aspects of our lives, we adhere to the idea. We take a second to lock our cars before walking away. We make sure the lock icon is there before purchasing items online and we (hopefully) don’t write our passwords on sticky notes under our keyboards.
But when it comes to cybersecurity, even though preventing a breach is going to be worth far more than a pound, many companies operate by the cross-our-fingers-hope-it-doesn’t-happen-to-us method. They tell themselves they’re too small for hackers to care about, that their employees are smart and that they cannot afford to do more.
The truth is, though, you can’t afford to NOT do more. With 39 hacks every minute, odds are good your business is going to be hit. It is just a matter of how hard, and whether the hacker can get past your force fields.
The Time for Prevention is Now
Hopefully, at this point, you’ve completed a risk assessment for your business, and have an idea of your specific vulnerabilities. If not, we have some tips, but now it’s time to put together an action plan based on your findings.
Security Awareness Training
If you follow us, you know we are huge proponents of security awareness training (SAT) because your employees are generally your biggest vulnerability. The goal of SAT is simple: increase security awareness to decrease susceptibility to attacks. There are many approaches to SAT. We love our KnowBe4 program, which utilizes simulated phishing attacks and training on social engineering, but the basic key is getting your employees to recognize potential pitfalls so they can steer clear of them. Take some time and outline your SAT plan. The investment will be worth it.
Note: When planning, acknowledge differences. While we recommend SAT for all employees, keep in mind that your employees are not all on the same level when it comes to security awareness. Joe in IT might be pretty savvy, and Martha in shipping has made her kids watch so many videos on the topic she could teach the classes, but don’t forget about Sally in accounting, who likes to feel important by helping Arabian princes get through painful divorces, and Chuck down in the mailroom, who will be delighted to hear he’s unexpectedly won a new iPhone. They might not like it, but Sally and Chuck should be in for some extra training.
Physical and Technology-Based Protocols
During your risk assessment, you identified where and what security protocols you already have in place when it comes to your physical space. For instance, you may have key cards to get into certain areas of your office and MFA turned on for your key programs. Now it’s time to identify where there might still be vulnerabilities. Do guests have to sign in? Does the back door need to be locked (or at least have the alarm turned on to stop the smokers from propping it open)? Do remote workers have workspaces set up to protect confidential information?
The same goes for technology. Your risk assessment helped you identify who has access to what network areas, how you store and protect your data, and all other things technology. Now pull out the red pen and start adjusting. If HR Director Larry doesn’t need access to payroll information because your accountant handles that aspect, take away his rights. If Chuck doesn’t need a laptop, don’t give him one. If Sally doesn’t need to access the network room, program her key card accordingly.
As you make plans, keep asking questions. Should you be using encryption software? Do you need remote wipe capabilities on mobile devices? What’s the protocol for getting equipment back from employees when they are no longer using it?
Make some lists. And then make some more.
Since your people are your biggest vulnerability, HR will not only need to be involved in designing your cybersecurity preventative measures; it will also be affected by them. Larry will need to assist in writing policies that impact others (which he secretly likes anyway), but he also should be developing safe practices for himself and others involved with personnel. Consider your onboarding and termination policies, as well as training and continuing education requirements.
Terminations especially can put a company at risk. From a sanity lens, it was a relief when John walked out the front door for the last time, and the staff likely toasted his quitting with margaritas. But departed employees, especially disgruntled ones, can lead to breaches. Develop HR practices and checklists to ensure the smoothest transitions possible. You can’t stop John posing as that Arabian prince, but you can make sure he doesn’t leave with a box full of passwords or access to company data on his cell phone.
Use your risk assessment to put together general policies and procedures that help safeguard your business. Something as simple as doing away with printed employee directories could help. It might seem small, but a printed directory next to the receptionist’s monitor means that the UPS guy (who could be a bad actor who has donned brown for reconnaissance) can see the pecking order of your company and whose email address he should assume when sending out a phish. Review those general practices and tighten things up.
Write the Words, Train the Monkeys
This IS your circus, and these ARE your monkeys, so make sure they are trained monkeys.
Put it in Writing
First, take the time to put your newly revised policies, procedures, and checklists into writing. Then have your designated team walk through them as a practice. Make sure they are practical, applicable, and easy to follow. Having a policy for the sake of having a policy is insane, but don’t be afraid to formalize all things that matter. Have a policy for not allowing reception to hand out internal email addresses? Write it down. Have a protocol for how to handle a lost or damaged key card? Write it down. Bonus points if you have your lawyer sign off on them.
Train, Train, and Then Train Some More
Make employee training so repetitive that your team makes mocking memes out of the sessions. Yes, they might get sick of reviewing company policies, but if they hear Larry’s droning voice in their head enough times, they will hopefully remember what to do when they accidentally send their key card down the garbage disposal.
And remember, everyone needs training. We pick on the Sallys and Chucks and make them attend training and complete SAT modules, but frequently excuse the higher-ups. Sitting behind a brass nameplate, fancy law degree or stethoscope doesn’t make a person less susceptible to making an error that costs your company. In fact, while these people are less likely to be trained, they are more likely to be targeted.
Now Stick to Your Words
Once you have taken the time to develop, refine and publish those policies and procedures, you need to follow them. It sounds obvious, but it is shocking how many companies have policies that are not actually enforced, or that C-level folks assume they’re above. To protect against cybersecurity breaches, the rules of the road to prevention need to be followed, and followed by everyone.