What your employees need to do to be cyber secure

Today’s cyber landscape comes with a variety of threats for organisations. The rapid rise in ransomware attacks in recent years, the growth of organised cybercrime groups, not to mention the significant challenges brought on by the advent of remote work on a large scale.

With workforces now dispersed geographically, the possible attack surface has grown significantly while also making it harder for IT and cyber security teams to monitor everything at once. The responsibility to protect organisations from cyber security threats can no longer fall solely on the IT and cyber security departments. Instead, it's up to everyone to take a more holistic approach to prevent attacks.

In fact, ISMS.online recently launched its inaugural State of Information Security report, which surveyed 500 C-suite information security professionals, revealing how over a third (35%) cite building an effective employee cyber security training programme as a significant challenge in their business.

So, what key strategies can leaders use to help train their non-technical employees and reduce the risk of malicious attacks?

Practice good digital hygiene

Having a high standard of digital hygiene is as necessary as having a high standard of personal care because when we don’t look after our devices properly, they slow down and become more vulnerable to viruses.

Encouraging employees to regularly cleanse their machine and check for the latest system updates will help to remove bugs and patch security threats that could put your organisation at risk. Allowing access to a VPN to stop connection through unsecured networks while remote working is also equally as important.

Another hygiene factor is to ensure your teams have strong, unique passwords that are at least 12 characters long. As computers starts to gain in speed and capability, it also becomes easier for hackers to unlock simple passwords. Making it equally as important to securely store – as well as create – strong passwords for each account employees have access to.

It's also considered best practice to educate all employees on the importance of being hyper-vigilant when answering emails and browsing online. For example, never clicking on a link or attachment from an email address they don’t recognise, checking addresses for spelling mistakes, and being cautious not to give away any sensitive information.

Finally, educate employees on how to identify secure websites – a standard website URL starts with either HTTP or HTTPS. The S indicates whether the website is secure and protected. Without this letter, the website may lack its own security measures, which could lead to a serious set of consequences for your business.‍

Integrate security by design‍

With the rise in permanent work-from-home setups, most businesses that relied on in-house (on-premise) servers are transitioning to the cloud, or a hybrid mix of both, to secure their data.

There are many benefits to adopting cloud, including the ability to scale solutions up or down on demand without heavy investments in time or money. But storing data across the cloud doesn't necessarily mean you are always protected from data theft and loss.

Most cloud security models operate via the shared responsibility model that will always put more actions on the user rather than the vendor. For example, Software as a Service (SaaS) places the total responsibility for endpoints, misconfigurations, networks, and user security on the customer – while the cloud service provider only manages general application security.

According to the Enterprise Strategy Group, 33% of IT leaders using SaaS lean heavily on vendors to protect their data in the event of a cyberattack, but most security solutions are split across more than one cloud provider, making it challenging to keep track of who is involved in a cyberattack let alone understand what they are meant to be fixing.

Not to mention the fact that our own BSS research into how CISOs can succeed in a challenging landscape revealed that cloud engineering is one of the hardest areas to hire qualified staff for, with a third of CISO’s agreeing (34%), that’s despite data security being one of the top priorities for a further third (32%) of those surveyed.

This emphasises the need to integrate security into every business process, making it a deliberate and thoughtful element of every strategy and product and service lifecycle, rather than an afterthought or something that it is assumed is handled by others.

‍Have zero-trust‍

At its core, zero trust challenges the traditional notion of trust within network architectures, advocating for a more robust and holistic approach to security by verifying and validating every user and device attempting to access a network or resource, regardless of their location or previous trust status.

This level of high security and verification would be incredibly useful across a multitude of sectors. For instance, financial institutions can significantly reduce the risk of data breaches and unauthorised access by implementing stringent access controls, continuous monitoring, and multifactor authentication.

Similarly, in healthcare – where patient privacy is of utmost importance – zero trust helps prevent unauthorised access to medical records and secure critical infrastructure by ensuring that only those who need to know can access certain patient data.

In an era marked by increasingly sophisticated cyber threats, no organisation can afford to assume trust blindly.‍

Collective responsibility‍

Ultimately, cyber security is complex and there are unique challenges for each organisation. And while IT and cyber security teams bear the majority of the weight of responsibility for maintaining a robust cyber security strategy, everyone has an important role to play in protecting companies from cyberattacks.

While it may seem daunting to navigate the complex world of security without technical expertise, the first places to start are education and authorisation. The above strategies will help to build an effective knowledge of cyber security strategy and help individuals understand the impact they can have.

But it is important to remember that cyber security isn't just a tick-box exercise – it’s a continuous cycle that relies on ongoing vigilance from all involved. And as ever, it is those organisations that go beyond the basics who will be best prepared for the inevitable because cyberattacks are never a case of ‘if’ you get attached, it’s a case of ‘when’.