The old saying goes that any system is only as strong as its weakest link. When it comes to cybersecurity and keeping your networks protected from data leaks, malware and hackers, this saying holds as well. How much of your network security is based on installing new software, isolating areas of the network, and trying to mitigate risks on a technological level? This is often where security starts; but how much of your network security policy addresses your network's users? This is often where the ball is dropped, which is dangerous because the users are often the weakest link in your network.
As a user-facing technology professional, I deal directly with users who are often afterthoughts in a cybersecurity plan. I've seen users do things that would make any cybersecurity professional's hair curl, everything from non-password passwords (think 12345 or letmein) to sharing sessions among multiple users to clicking on e-mailed links or downloading software without even stopping to think about whether the sender should be trusted. If you are looking for the weakest link in your cybersecurity chain, many times your users are it. But this is also an easy link to strengthen with a little education.
Part of the challenge in this situation is that any business is going to have users at varying levels of technological sophistication and proficiency. Some users know not to click on a link from a sender they don't recognize. Others simply click without thinking about it. A one-size-fits-all policy would be ineffective in this situation.
For a truly effective cybersecurity program, you must include your users and address these varying levels of cybersecurity awareness. To put it bluntly, you can't put technical safeguards in place against stupidity; to mitigate your risks you need to address this weak link in the chain. Some of the things you should address include:
- Crafting policies and procedures regarding data sharing: This should be done in conjunction with Human Resources and should include a social media component. You might not think you would have to tell users not to do things like share confidential data on Facebook, but it's better to be safe than sorry.
- Sharing the general technical capabilities of your cybersecurity system: You don't have to go into the details, but it is wise to inform users about the capabilities and limits of the programs you have put in place; don't let them assume that e-mail filters automatically scan e-mail links or downloads if they don't. Let them know what the filters can and can't do, and tell them how to proceed when these things arrive in their e-mail.
- Frequent reminders and teachable moments: It's always a good idea to require all system users to go through cybersecurity training when they are hired and formal re-training on a regular basis. But it never hurts to remind users periodically of what the policies are and what actions they should take. For example, if news breaks that an institution has been the victim of ransomware, take the opportunity to forward the news to all of your users. Include reminders of your policies, and tips for preventing something like that from happening at your workplace.
But it is also important not to let your users dominate your security policy. More on that in Friday’s post.