The most sophisticated technology solutions will not prevent someone from clicking on the wrong link in an email or text message. This is a critical point of weaknesses that organisations must be vigilant about addressing. The good news is that it’s not rocket science.
“The basic things that people need to do are quite simple, including training and education around computer hygiene,” says David McNamara of Commsec, a provider of managed cybersecurity services.
It includes ensuring that software patches are kept up to date and the latest software updates installed across all devices. It’s also about ensuring your organisation opts for the best solutions available.
“There is an old saying that if you buy cheap, you pay twice. You have to take cyber security seriously,” says McNamara.
That means tooling up. “Providing employees with up-to-date tools and technology is a must to protect the company. A business must have visibility into all suspicious behaviour, report, then remediate at speed,” says Karl McDermott, head of connected solutions at Three Ireland.
“Being on the hunt for threats is essential and Three Ireland has services to help support this, such as 3MobileProtect which can help protect employee user credentials on mobile devices by stopping the latest SMS, social media and WhatsApp scams in their tracks.”
Smart monitoring also spots poorly secured devices. However, the most common weakness in the most secured network remains the end user, McDermott adds, “so training end users is vital”.
Start with a clearly defined, documented cybersecurity policy. “The policy needs to apply to all aspects of the IT work environment including mobile devices as well as laptops and physical security,” says McDermott.
It’s not enough to just have a policy – it needs to be promoted and understood, he adds: “Make sure the policy is free of technical jargon and is something that the employees can relate to through simple examples.”
Set aside budget for regular staff training. “The training material also has to be simple, with examples and quizzes. Training cannot be a once-off thing; it needs to evolve over time,” says McDermott.
Then test your staff against common attacks. “Send fake phishing to employees to see how they react. Do they click on the link or do they follow the cybersecurity process and report the email?”
Leave USB keys on desks. “If any employee inserts one of them into a laptop, the key should instigate an alarm back to the security team,” says McDermott. “And send a fake smishing SMS to employees’ phones and see whether they click on the link or report.”
It’s not about catching people out but supporting staff so that they better appreciate the importance of cybersecurity, says McDermott.
“Should they fail any of the tests, the remedial action can be to have them retake the training,” he adds. “Alternatively, the company can congratulate the employees who do report the attacks.”
