By now, many companies are having their departments wade through a litany of strategy meetings to determine next year’s budget. CIOs and their directors will certainly be in the mix, particularly as it relates to cyber-security initiatives. While it’s important to look at what systems are in place and what state-of-the-art technology should be employed to mission-critical networks, one cost-effective element for thwarting the next threat is often overlooked: training.
Here’s the cold, hard reality. No new-fangled anti-virus, anti-spam or firewall system will prevent a sophisticated hacker from infiltrating a company’s database if employees aren’t practicing tried-and-true safe computer practices. Organizations are usually hacked from the inadvertent, nonmalicious but nonetheless unsafe activities of its employees. Here are just a few:
1. Employees with a public Facebook account that discloses their complete name and date of birth could provide a cyber predator the tools to potentially obtain a Social Security number among other essential information to successfully infiltrate your business and personal accounts.
2. Shadow Wi-Fi accounts that show up in public places, such as a conference hall or hotel, can prey on mobile devices that are set to connect to the nearest open network. They resemble a reputable access point but instead target business travelers so they will unintentionally expose all the company information on their iPhone, iPad or laptop.
3. Passwords to multiple accounts are often tough to remember so many individuals write them down on a notebook or unencrypted file on their computer or phone. While this is understandable, the result essentially provides an open invitation to cyber thieves.
4. An employee receives an email from someone he or she doesn’t know, clicks on the link as directed and instantly malware permeates the company’s network. It wasn’t a malicious act by the teammate.
This last point brings up an important element that should be part of any corporate cyber-security training program: Every organization is vulnerable to an attack. Some managers will think their firm is too small for a virtual thief to consider attacking. The opposite is quite true. Smaller companies are often easier targets. An organized criminal group based overseas can go after millions of small businesses at the click of a mouse and rack up huge payoffs with scarcely batting an eye.
Companies need to emphasize to members of their team the importance of safe computer practices that go well beyond appropriate websites to surf during office hours. Cyber-security activities of employees should be given the same care and concern as showing them how to safely leave the office building after hours.
Now all this doesn’t mean that organizations should ignore their network architecture, security patches, disaster-recovery policies and a threat-management system. All these elements remain crucial to an effective information assurance strategy. But failure to adopt training programs that effectively remind and reward employees for prudent computer practices will leave a gaping hole in a company's ability to thwart the next threat.