Intelligent CIO North America Issue 03 | Page 84

FINAL WORD they are more encouraged to follow best practices and help chip away at the behaviors that cause accidental insider issues , such as forgetting to change default passwords or neglecting to use strong passwords . And as more employees follow suit , the human firewall acting as the first line of defense to the organization will only grow stronger .
3 . Establish straightforward best practices
While this is a step in the right direction , establishing a baseline for good cyberhygiene must begin with CISOs helping their employees take cybersecurity seriously . This can be achieved in the following ways :
1 . Prioritize cyber awareness training
Social engineering attacks are extremely prevalent across organizations simply because they work . In fact , Verizon ’ s 2019 Data Breach Investigations Report ( DBIR ) found that approximately one-third of all data breaches involved phishing in one way or another . To combat this risk , CISOs must educate their employees about common attacks that could appear in the form of phishing , spear phishing , smishing , or other tech support scams . Whether these lessons are provided through online meeting spaces , video chat or email , they should be prioritized . Understanding these threats and their associated red flags will be critical in helping employees avoid falling victim to fake emails or malicious websites .
In addition to teaching about common indicators of cyber-scams ( i . e ., the promotion of ‘ free ’ deals ), these training offerings should also feature simulated phishing exercises designed to test knowledge and determine which employees might need more assistance . Through tactics such as these , employees will be better equipped to know when they are the target of a social engineering attack and can , therefore , act accordingly . Fortinet ’ s NSE Training Institute offers a free Information Security Awareness training service to educate employees about the increasing risks of cyberattacks and how to identify threats .
2 . Create a partnership between the security team and other departments
Cybersecurity cannot fall on the shoulders of the security and IT teams alone ; especially as cyberthreats continue to grow more sophisticated and challenging to detect . In addition to ensuring that employees can identify phishing attacks , leaders should also encourage collaboration between the security team and other departments .
This means helping both sides understand expectations . While the security team will be the expert in terms of determining the risk and threats , other departments will be critical in helping to develop user-friendly policies that are easy to follow both in the office and in remote work environments , even for those who are not entirely cyber-aware .
Through collaborative efforts , CISOs can ensure that all individuals across the organization are not only aware of security policies , but also understand the impact their actions can have on the organization as a whole . Helping employees understand safe cybersecurity practices and the ramifications their actions can have should lead to improvements in how these individuals respond when confronted with a suspicious email or website , even while working from home .
When employees know what is expected and feel like they are a part of the team ,
Even once employees are made aware of what to look for in the case of a social engineering attack , they may still need some guidance when it comes to next steps . While it is easy to ignore or delete a suspicious-looking email , what about those that appear normal that the receiver is still unsure about ? In this scenario , CISOs should encourage employees to ask themselves certain questions to help make the right judgment call : Do I know the sender ? Was I expecting this email ? Is this email invoking a strong emotion like excitement or fear ? Am I being told to act with urgency ?
While these questions should help clear up any confusion in regards to whether the email is malicious , the receiver should still take extra steps to protect themselves and their organization . This includes hovering over links to see if they are legitimate before clicking , not opening unexpected attachments , calling the sender to verify they actually sent the email and reporting all suspicious emails to the IT or security team . By explaining these steps to their employees from the beginning , CISOs can avoid negative repercussions down the line .
The ability to be cyber-aware is a critical piece of the puzzle when it comes to keeping organizations secure . Whether employees realize it or not , their actions could open the door for cybercriminals to access sensitive information , meaning passivity towards security is no longer acceptable .
By prioritizing training and collaboration between departments and the security team , CISOs can lay the groundwork for a strong culture of security . Identifying suspicious behaviors , keeping devices up-to-date and practicing safe cyber behavior should be built into the fabric of all job roles to ensure that the human firewall continues to stand firm . •
84 INTELLIGENTCIO www . intelligentcio . com