Educate and test is good, but doesn’t work always. So how ?
Every person who is an employee of an organisation, is duty-bound to protect and maintain the security of their company’s internal systems as if those systems and their data were their own personal data.
Apart from the fact that an employee signs an agreement to do so, there is also an element of self-interest, in doing so.
If your company’s systems are compromised by hackers, it might lead to variety of adverse consequences for your company, including loss of reputation, loss of business and perhaps even bankruptcy.
Therefore, by protecting internal systems, in a way, collectively, employees are protecting and securing their employment.
What can be done by an organisation’s cyber-security professionals to make it as easy as possible for employees to fulfill this role.
Truth be told, most cyber-security professionals are going to have a level of competency, otherwise, they would not be employed in those roles. So, most of them will be doing their best to help the organisations and employees be as secure as possible.
Employees, on the other hand, have a range of motivations and behaviours. Some employees are zealous to a fault in reporting every suspicious email or contact they receive, while others couldn’t care less.
Perhaps employees and companies need additional motivation. For employees, the motivation could be in the form of positive and negative consequences. Positive motivation could be rewards, monetary or otherwise, for consistently reporting suspicious emails and behaviours. Negative consequences could revolve around policies, where an employee is granted some kind of amnesty for reporting an action that was done in error ( clicking on an attachment, link), as long as the action was in good faith and not intentional. The reasoning here is that it is better for a company to know that an employee has clicked on a malware laden attachment within minutes of that action happening, rather than finding out post facto, after the damage is done.
The terms of the amnesty will be specific to each organisation and the type of incident. However, the principle of the amnesty follows on from the principle that it is better for the company to know as soon as possible about a cyber breach and therefore protection of that employee is a smarter play, to guarantee that most employees will report all incidents, especially ones where they are involved.
On the other hand, those employees who couldn’t be bothered to report an incident where they themselves clicked on something they should not have, without verification or validation, should face consequences of their actions.
Similarly, even callous organisations, who couldn’t be bothered to protect their customers’ data, should also be punished severely.
Ultimately, the principle of trust, but verify needs to apply to organisations and their testing of their employees cyber-security responsible behaviour is concerned. Organisations should educate regularly, test frequently but also verify always, through some measure of data collection ( which most companies already do so).