These days, many employees seem to think that cybersecurity is entirely the responsibility of the IT staff. Nothing could be more wrong, given the rising rate of insider threats. Such a position reveals a lack of adequate cybersecurity awareness training: workers must understand that every endpoint, and every account, is a potential entry point for an attack, and they must be trained to take preventive action.
This is especially important during the COVID-19 lockdowns, which have sent many workers home to do their jobs remotely. Without direct oversight from the IT staff, work-from-home employees (and office staff under BYOD policies) can inadvertently expose company data or give malware a path onto the corporate network. Now more than ever, cooperation matters for mitigating cybersecurity threats. Cybersecurity is a company-wide necessity, and it does not help if one employee undermines the security efforts of everyone else.
Develop an internal cybersecurity policy
The IT staff in most companies have protocols, based on different threat scenarios, that dictate the precise steps to take when a threat or a breach is noticed. I believe such protocols should extend across the entire workforce.
Getting employees to cooperate on threat mitigation begins with letting them know what their roles and limits are in handling data. Such a policy would govern internal security procedures such as authentication, data sharing, email, software installation and internet connectivity, among others. It must also define how security checks are carried out and what employees should do if part of the network has to be quarantined.
The value of this policy is that it tells employees precisely what to do when faced with a threat, and lets them take mitigating steps without bringing their own work to a halt. Hence, an IT security policy must be clear and detailed, and non-compliance should carry sanctions proportionate to the degree and risk of the violation.
Make your Employees into Stakeholders
You can conduct all the cybersecurity awareness training you want, but unless you address nonchalance, your organization will remain exposed to the same insider threat risks. You must make your employees understand the value of the data and information your organization handles.
This is easier in industries such as financial services and aviation, which have stringent, government-backed regulation. In many other sectors the law demands far less, and the importance of cybersecurity can easily be lost on your employees.
One way to get your employees to give cybersecurity their full attention is to create a cybersecurity stakeholder team made up of representatives from every department and headed by a senior IT executive. This differs from the regular IT department in that the stakeholder team performs only oversight functions.
The stakeholder team's main purpose is to ensure that compliance with the cybersecurity policy is upheld across the ranks of the organization. It also goes a long way toward creating a culture of inclusivity among employees.
In particular, such a team, working in tandem with the IT department, is well placed to address the risks arising from shadow IT, which remains a major cybersecurity threat: department representatives know which unsanctioned tools and cloud services their colleagues actually use, which the IT department often does not. Meetings to review the state of cybersecurity in the company may be held quarterly in order to examine patterns among, and the roles of, employees in a way that the IT department alone cannot.
The Role of the HR Department
As the department that interfaces between the management team and the rest of the workforce, HR plays a critical role in cybersecurity, particularly in shaping the culture of IT security in the workplace.
Creating a threat-resistant workforce begins at the recruitment stage. Cybersecurity awareness training must be integrated into onboarding so that new hires understand threat mitigation from the word go. HR should also be involved in setting authentication and privileged-access approval procedures, and it plays a significant role in regulating BYOD policies and remote working.
Former employees also carry risk, having had access to company data and sensitive information in the past. Promotions, demotions, exits and transfers all bring the potential for a security breach: a person who changes role tends to keep the access of the old role on top of the new one unless someone removes it. Before any employee leaves the company or a position, a detailed audit must be carried out to ensure that the person is not inadvertently or intentionally taking sensitive data with them or accessing information they should not. HR and IT must work together so that every access a departing employee holds is revoked on their last day, not discovered months later.
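The exit and role-change audit described above is something IT can run mechanically once HR shares its roster. As an added illustration, and not part of the original article or any particular product, the Python script below compares a constructed HR roster against a constructed export of group memberships and a role baseline: it flags leavers who still hold access, movers who kept entitlements from a previous role, and accounts that HR has no record of at all. The user names, group names, roles and function names are all assumptions made for the example.

```python
"""Joiner/mover/leaver access audit over an HR roster and a directory export.

Added example with constructed sample data; the roster, groups and role
baselines below do not describe any real organization.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    role: str                        # current role according to HR
    status: str                      # "active" or "terminated"
    last_day: Optional[date] = None  # set for leavers; None means "already gone"


# Constructed HR roster: one leaver (carol), one mover (bob: finance -> marketing).
ROSTER = [
    Person("alice", "finance-analyst", "active"),
    Person("bob", "marketing", "active"),
    Person("carol", "finance-analyst", "terminated", date(2021, 3, 31)),
    Person("dave", "it-admin", "active"),
]

# Constructed directory export: (user, group) memberships as found on the network.
ACCESS = [
    ("alice", "finance-ledger"),
    ("alice", "vpn"),
    ("bob", "finance-ledger"),    # left over from bob's previous role
    ("bob", "marketing-assets"),
    ("bob", "vpn"),
    ("carol", "finance-ledger"),  # leaver, access never revoked
    ("carol", "vpn"),
    ("dave", "domain-admins"),
    ("dave", "vpn"),
    ("eve", "vpn"),               # account with no HR record
]

# Assumed role baseline: the groups each role is entitled to under the policy.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"finance-ledger", "vpn"},
    "marketing": {"marketing-assets", "vpn"},
    "it-admin": {"domain-admins", "vpn"},
}


def audit_access(roster, access, entitlements, as_of):
    """Return sorted (finding, user, group) triples for the given audit date.

    revoke_all        -> user has left on or before as_of but still holds a group
    stale_entitlement -> current employee holds a group outside their role baseline
    orphan_account    -> group member that HR has no record of
    """
    people = {p.user: p for p in roster}
    findings = set()
    for user, group in access:
        person = people.get(user)
        if person is None:
            findings.add(("orphan_account", user, group))
            continue
        # A future-dated leaver is still employed today and is checked like anyone else.
        still_employed = person.status == "active" or (
            person.last_day is not None and person.last_day > as_of
        )
        if not still_employed:
            findings.add(("revoke_all", user, group))
        elif group not in entitlements.get(person.role, set()):
            findings.add(("stale_entitlement", user, group))
    return sorted(findings)


def users_to_disable(findings):
    """Accounts to disable outright: leavers and orphans (movers only lose groups)."""
    return sorted({u for kind, u, _ in findings if kind in ("revoke_all", "orphan_account")})


def run_audit(as_of_iso):
    """Convenience wrapper: audit the sample data as of an ISO date string."""
    return audit_access(ROSTER, ACCESS, ROLE_ENTITLEMENTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = run_audit("2021-04-01")
    for kind, user, group in results:
        print(f"{kind:18} {user:8} {group}")
    print("disable:", ", ".join(users_to_disable(results)))
```

Running the script the day after carol's last day reports her two remaining groups for revocation, bob's leftover finance-ledger membership as a stale entitlement, and eve's account as an orphan; running it two days earlier reports nothing for carol, because she is still employed on that date. The same structure applies to any HR-to-directory comparison: the role baseline is the part the policy has to define, and the audit is only as good as the roster HR hands over.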
Cybersecurity is more important than ever. Company heads need to step back and examine their security arrangements to determine whether they include the rest of the workforce. Without a shared commitment to cybersecurity and the ability to recognize threats across the workforce, your organization is exposed to more risk than you think.