Yogi Schulz

When breaking through an organization’s security defences, employees who create vulnerabilities are a cybercriminal’s best friend.

While technical security safeguards are essential, employees continue to be the weakest link when it comes to protecting corporate information from cybercriminals of various shapes, sizes and motivations.

Cybercriminals regularly convince inattentive employees, through a phishing attack, to engage in one of the following security-compromising actions:

  • Disable or ignore company security measures such as anti-virus software and software firewalls.
  • Click on malicious links in phishing emails from obviously dangerous domains.
  • Open email attachments containing macros that launch malicious code.
  • Download files from dubious sources that install malware on laptops, tablets and smartphones.
  • Hand over valuable credentials, typically usernames and passwords, to crucial systems or valuable services in response to seemingly credible requests that are fakes.
  • Make wire transfers to fraudulent bank accounts in the mistaken belief they are following directions from their superiors.

Organizations need to wake up their employees to be more aware of the risks and vigilant in protecting data and the computing infrastructure. If you think I’m overstating the dangers of phishing, consider this Microsoft discovery.

Here’s an inexpensive security awareness program focused on employees:

Implement a computing use policy

Organizations should:

  • Develop an acceptable use policy for computers and the Internet.
  • Ensure the policy includes a prohibition on sharing credentials.
  • Have every employee and contractor review and sign the policy.
  • Communicate that violations of the policy will be noted in every employee’s personnel file, will be a factor in performance evaluations, bonus calculations and promotion decisions, and may be grounds for termination.

Hold security awareness briefings

Organizations should:

  • Develop a security awareness briefing.
  • Have every employee and contractor attend the briefing annually.
  • Illustrate what security risks actually look like on email and the web.
  • Include a discussion of the learnings from recent internal and industry security incidents.
  • Include a review of the acceptable use policy.

Minimize system access

Organizations should:

  • Create employee and contractor access profiles that restrict access to just the functions they need.
  • Minimize the number of full-access user IDs.
  • Monitor system access and usage.
  • Expire network and application passwords regularly; every six months or more frequently is best.
  • Create only strong passwords.
  • Implement three-factor authentication for sensitive systems and remote access.
  • Insist that all smartphones use the passcode feature.
  • Remove access of departing employees and contractors quickly.

Include the supply chain

Most organizations now allow suppliers, distributors and customers limited access to some systems. In some headline-generating security breaches, attackers gained access through suppliers with poor security management practices.

Organizations should encourage or insist that their suppliers and distributors operate a security risk reduction program like the one described in this article.

Investigate security incidents

Organizations should:

  • Investigate security incidents thoroughly.
  • Use the findings from investigations to strengthen security management practices.
  • Be restrained in assigning blame to avoid encouraging coverups of security incidents.

Conduct annual audits

Organizations should conduct annual audits to assure management about how well the security awareness program is working to minimize the risk of data breaches. The audit scope should include a review of:

  • Violations of the acceptable use policy.
  • Appropriateness of system accesses.
  • Frequency of entry of incorrect passwords.
  • The comprehensiveness of security incident reports.
  • Participation in security awareness briefings.
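Several of the items above under "Minimize system access" and in this audit scope (the number of full-access user IDs, password expiry, removal of departed users' access, and the frequency of incorrect password entries) can be checked mechanically rather than by reading reports. The script below is an added example, not part of the original column; it assumes an account export with `user`, `role`, `last_pw_change` and `status` fields and a syslog-like authentication log with "Failed password for" / "Accepted password for" lines, and all the sample accounts and log lines are constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
import re

# Constructed sample of an identity-system account export (assumed field names).
ACCOUNTS = [
    {"user": "alice",      "role": "admin", "last_pw_change": date(2023, 12, 1),  "status": "active"},
    {"user": "bob",        "role": "user",  "last_pw_change": date(2024, 5, 2),   "status": "active"},
    {"user": "carol",      "role": "user",  "last_pw_change": date(2023, 11, 1),  "status": "departed"},
    {"user": "dave",       "role": "admin", "last_pw_change": date(2024, 6, 15),  "status": "active"},
    {"user": "svc_backup", "role": "user",  "last_pw_change": date(2023, 9, 20),  "status": "active"},
]

# Constructed sample authentication log (assumed syslog-like format, not a real log).
AUTH_LOG = """\
Jun 30 08:01:12 vpn01 auth: Failed password for bob from 203.0.113.7
Jun 30 08:01:19 vpn01 auth: Failed password for bob from 203.0.113.7
Jun 30 08:01:25 vpn01 auth: Failed password for bob from 203.0.113.7
Jun 30 08:01:31 vpn01 auth: Failed password for bob from 203.0.113.7
Jun 30 08:01:38 vpn01 auth: Failed password for bob from 203.0.113.7
Jun 30 08:01:44 vpn01 auth: Failed password for bob from 203.0.113.7
Jun 30 08:02:03 vpn01 auth: Accepted password for alice from 198.51.100.4
Jun 30 08:05:17 vpn01 auth: Failed password for carol from 203.0.113.9
Jun 30 08:05:40 vpn01 auth: Accepted password for carol from 203.0.113.9
Jun 30 09:12:00 vpn01 auth: Failed password for dave from 198.51.100.8
"""

AUDIT_DATE = date(2024, 6, 30)   # date the audit is run (constructed)
PASSWORD_MAX_AGE_DAYS = 180      # "every six months or more frequently"
FAILED_LOGIN_THRESHOLD = 5       # assumed per-user review threshold

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from")


def full_access_accounts(accounts):
    """The full-access user IDs; the list the audit wants kept as short as possible."""
    return sorted(a["user"] for a in accounts if a["role"] == "admin")


def stale_password_accounts(accounts, today, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Active accounts whose password is older than the rotation period."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a["user"] for a in accounts
                  if a["status"] == "active" and a["last_pw_change"] < cutoff)


def departed_with_successful_login(accounts, log_text):
    """Departed people whose credentials still work: access was not removed."""
    departed = {a["user"] for a in accounts if a["status"] == "departed"}
    seen = set(ACCEPTED_RE.findall(log_text))
    return sorted(departed & seen)


def failed_logins_by_user(log_text):
    """Count failed password entries per user (the 'frequency of incorrect passwords' item)."""
    return Counter(user for user, _ip in FAILED_RE.findall(log_text))


def excessive_failures(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Users whose failed-login count reaches the review threshold."""
    return sorted(u for u, n in failed_logins_by_user(log_text).items() if n >= threshold)


def audit_report(accounts, log_text, today):
    """Collect every finding into one dictionary for the audit write-up."""
    return {
        "full_access": full_access_accounts(accounts),
        "stale_passwords": stale_password_accounts(accounts, today),
        "departed_still_logging_in": departed_with_successful_login(accounts, log_text),
        "excessive_failed_logins": excessive_failures(log_text),
    }


if __name__ == "__main__":
    for finding, users in audit_report(ACCOUNTS, AUTH_LOG, AUDIT_DATE).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

On the constructed data the report lists two full-access IDs, two accounts past the six-month password age, one departed user who still logged in successfully, and one user with repeated failed logins. In a real audit the account export and log would be pulled from the identity system and the authentication servers, and the departed-user finding is the one to act on first, since it is exactly the "remove access quickly" control failing.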

If you want to engage a vendor to help you improve security awareness, read the Gartner report titled: Security Awareness Computer-Based Training Reviews and Ratings.

Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.

Yogi is a Troy Media Thought Leader.

The opinions expressed by our columnists and contributors are theirs alone and do not inherently or expressly reflect the views of our publication.

© Troy Media
Troy Media is an editorial content provider to media outlets and its own hosted community news outlets across Canada.