Cyber attacks are a growing organizational threat – it seems that every week, we learn of a new data breach. While the tendency is to think of cyber threats as outside events and therefor the purview of the IT department, increasingly, the threat is coming from “inside the house.” In a recent study on the retail industry and cyber crime, Deloitte Insights reports that, “The many high-profile breaches in recent years have shown business leaders that efforts to prevent, detect, respond to and recover from cyber incidents require the collective wisdom and authority of executives across a range of functions.”
This is particularly true since many of the newer attacks specifically target individuals who hold privileged information in organizations – “such as chief financial officers, heads of HR and other senior leadership and boards of directors across enterprises.”
Organizations need to broaden the scope of cyber security prevention and risk management responsibilities to include HR and other disciplines. And security experts agree: training employees to mitigate risk is important.
In CIO magazine, Jennifer Lonoff Schiff discusses the 6 biggest security risks that companies face and suggests ways to address those risks. She queried dozens of security and IT experts to determine the six most likely sources, or causes, of security breaches. Here are the top causes – her article also addresses what businesses can, and should, do to protect against them.
1. Disgruntled Employees
2. Careless or Uninformed Employees
3. Mobile Devices (BYOD)
4. Cloud Applications
5. Unpatched or Unpatchable Devices
6. Third-party Service Providers
In Security Magazine, Steven Chabinsky suggests the need to apply risk-based approaches to reducing the insider cyber threat, and that a program must be multi-disciplinary in approach, including active participation from a company’s security and IT department, as well as human resources and other senior managers.
“Organizations should consider creating an insider cyber threat program, led by a senior manager. This program would ensure that policies, resources and oversight are in place to assess and implement company controls that specifically deter, detect and mitigate the risk from employees, contractors and business partners.”
He offers a range of suggestions, from pre-employment background checks to increased monitoring and audits.
Increasingly, risk management specialists suggest that savvy employers should provide cyber security training for employees. Travelers suggests that, “New hire training and regularly scheduled refresher training courses should be established in order to instill the data security culture of your organization.” They offer a list of topics that a curricula should address. See our prior post: Thwart cyber security threats through employee training.
Here are some other Business Cyber Security Tools
StaySafeOnline: Keep My Business Safe
OnGuardOnline: Small Business – This includes may resources to help train employees. Also see this excellent section on phishing scams