5. Train and Retrain All Employees on Best-Practice INFOSEC Policies
So, now you have a great ‘living’ corporate security policy. Do your fellow employees, from the
“C” level down to the receptionist, understand these policies? Are they helping you implement
them, or are they becoming a hindrance to your documented regulatory compliance and best
practices? Of all the policies you are implementing, which ones are most likely to lead to a
breach or data theft if an employee violates them? The most important is a Bring Your Own
Device (BYOD) policy, because a BYOD device is a network asset that you allow to leave the
protection of your firewall and come back, most likely in a different state: possibly infected,
possibly less securely configured than when it left. Other important policies require that devices
carry the latest operating-system patches and application updates, and that they are properly
configured and hardened, to shrink the window in which known vulnerabilities (the ones tracked
as Common Vulnerabilities and Exposures, or CVEs) can be exploited by hackers, cyber
criminals and malware. Antivirus software should be kept up to date, but signature-based
antivirus will not reliably stop the newest threats, especially spear phishing, Remote Access
Trojans (RATs) and ransomware. Stopping those requires a better-educated employee
population: people who understand that sending and receiving unencrypted email is a real risk,
that attachments are a common infection vector, and that clicking links or opening attachments
without verifying the sender’s true identity leaves them wide open to social engineering and
makes your organization the victim.
Steps involved:
1) Train employees about the risks of BYOD, of running systems without current updates, of
traveling with laptops that have weak passwords and no disk encryption, and, the biggest risk
of all, of being spear phished and then infected with nearly invisible malware.
2) Schedule these training sessions and use statistics, graphics, memes and other tools to
make them ‘pop’; the sessions should be fun and visual so employees enjoy the learning
experience. You could even make it a game. Whatever it takes, get the employees engaged
and help them understand the value of best practices: stronger passwords, strong encryption,
regular backups, safer BYOD, and so on.
3) Send out regular INFOSEC updates. Give out awards. Keep the employees engaged. The
more aware they become, the lower the risk of victimization.
41 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide