Start with the basic best practices, and then focus on the tricky task of motivating employees to comply with cyber measures
When an organization suffers a cyberattack that is publicized in the mass media, reputational damage has to be factored in on top of the direct financial costs: regulatory fines and the expenses of containment, disaster recovery and forensic investigation.
Further losses depend on how long the downtime lasted, the opportunity cost of disrupted operations, whether corporate secrets were exfiltrated and, in the worst case, any ransom paid in a failed attempt to recover data the attackers encrypted.
According to Oleg Gorobets, Security Evangelist at Kaspersky, “attackers are never idle: they are like wolves that must be constantly active to catch their prey off-guard. So, companies need to be ever more alert and agile. They must be sure they have the right solutions and processes to allow for effective threat discovery and containment, as well as swift recovery.”
Tips for strengthening cyber resilience
The firm’s experts offer the following advice to remind organizations of the best practices for staying secure.
- EDR and XDR software: Use endpoint detection and response (EDR) and extended detection and response (XDR) solutions that provide real-time protection, threat visibility, and investigation and response capabilities. They are relevant to organizations of any size and industry, not only large enterprises.
- External expertise: If your organization does not have a dedicated IT security function, consider subscribing to a managed cybersecurity service.
- Keep operating systems, software and firmware updated: Protecting endpoints also means keeping device software and firmware current, so that attackers cannot gain a foothold on the network by exploiting newly disclosed vulnerabilities. Install patches as soon as possible after release, giving priority to vulnerabilities that are known to be exploited in the wild.
- Use immutable backups: Keep offline or otherwise immutable backups that an intruder who has compromised the network cannot alter or delete. Make sure they can be accessed quickly in an emergency, and test restoring from them regularly so the recovery actually works when it is needed.
- Use managed cybersecurity services: Very small or cost-conscious businesses with no staff dedicated to cybersecurity should engage certified external cybersecurity professionals on a retainer basis. Firms that do have a dedicated IT team, but one overloaded with routine non-security work, may still benefit from supplementing their vigilance with third-party consultants.
- Train employees for cyber awareness: Turn the workforce into an extra layer of protection against human-targeted attacks through regular, ongoing training on cyber awareness, safe internet behavior and phishing, covering activity both inside and outside the corporate network.
- Toughen IT policies: Implement strict IT and cyber-safety policies and ensure they are enforced automatically by the systems themselves rather than left to individual discretion. Use software with application, web and device controls that restrict unapproved apps, websites and peripherals. This significantly reduces the risk of infection even when employees turn to shadow IT or make mistakes through a lack of cyber-safe habits.
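Immutability (write-once media, object lock, an offline copy) stops an intruder from altering a backup, but it should be paired with a check that proves the set is still intact before anyone restores from it. The following is an added example, not code from the article or from Kaspersky: it records a SHA-256 manifest when the backup is taken and later compares the live backup set against that manifest, reporting modified, missing and added files. It assumes the manifest copy is itself stored out of band (on the offline or immutable side), which is what makes the comparison trustworthy; the sample files and the simulated tampering are constructed inline so it runs offline.

```python
"""Tamper-evident backup verification (added example, not from the article).

Assumption: the JSON manifest produced at backup time is stored separately
from the backup set, on the offline/immutable copy, so an intruder who can
rewrite the backup cannot also rewrite the manifest.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every regular file (relative POSIX path) under backup_root to its digest."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def serialize_manifest(manifest: dict) -> str:
    """Canonical JSON text, the form that would be written to the out-of-band copy."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_backup(backup_root: Path, manifest_json: str) -> dict:
    """Compare the live backup set with the trusted manifest.

    Returns sorted lists of files that were modified, missing or added since
    the manifest was written. All three lists empty means the set is intact.
    """
    trusted = json.loads(manifest_json)
    current = build_manifest(backup_root)
    return {
        "modified": sorted(f for f in trusted if f in current and current[f] != trusted[f]),
        "missing": sorted(f for f in trusted if f not in current),
        "added": sorted(f for f in current if f not in trusted),
    }


def is_intact(report: dict) -> bool:
    """True only when nothing changed, vanished or appeared."""
    return not any(report.values())


def demo() -> tuple:
    """Constructed scenario: a clean backup, then an intruder overwrites one file.

    Returns (clean_backup_was_intact, report_after_tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        # Constructed sample backup contents
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")

        manifest_json = serialize_manifest(build_manifest(root))  # kept out of band
        clean_report = verify_backup(root, manifest_json)

        # Simulated ransomware: encrypt (here, garble) a file and drop a note
        (root / "db" / "customers.sql").write_bytes(b"\x00\xff garbage")
        (root / "README_DECRYPT.txt").write_bytes(b"pay us")
        tampered_report = verify_backup(root, manifest_json)

        return is_intact(clean_report), tampered_report


if __name__ == "__main__":
    intact, report = demo()
    print("clean backup intact:", intact)
    print("after tampering:", report)
```

Run the verification as the first step of any restore and refuse to proceed when the report is non-empty; a "missing" entry is as serious as a "modified" one, since attackers who cannot encrypt a backup often simply delete it.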
Also, when it comes to employee cyber training, it is common to find staff taking shortcuts or even turning to shadow IT to make work life more convenient. That is why Tenable analysts offer six tips to help organizations address this ever-present risk:
- Be employee-centric: Spend time with each department and learn how they work. Identify their pain points and their attitudes toward any security practices and policies they find cumbersome, address their real work needs, and send them to the cybersecurity courses and workshops that suit them best.
- Make it seamless: Cybersecurity tools and processes need to be engaging and easy to use: otherwise, employees will avoid them or find ways around the rules that may even invite more risk.
- Make it a communal effort, not just an IT task: Ask the human resources, internal communications or marketing teams for help finding new ways to engage employees. Security experts are not always experts in organizing training or motivating staff. Joining forces internally (or with external experts) can produce fresh ideas for educating employees and building a cyber-smart culture.
- Explain all cybersecurity rules: Explain the “why” behind major measures instead of just telling employees what they need to do. Help them understand why it matters not just to them, but to the entire organization. Show them how they can be part of the solution, not part of the problem.
- Be available: Avoid the ivory tower: make sure the IT team is approachable and proactively engages staff in cybersecurity discussions whenever appropriate. Keep teams up to date on new cybersecurity efforts and their outcomes. Schedule regular “ask us anything” sessions so teams can clear up misconceptions and keep learning about the cybersecurity issues that get in their way.
- Make it worth their while: Understand what motivates employees and build programs around that. Do employees respond primarily to financial incentives, or do they prefer public recognition for their efforts? Does motivation vary by team or department? Find out what works and what does not, and get everyone on the same page using a mix of intangible rewards and recognition, corporate goodwill, supplementary incentives and other mechanisms that lead staff to cooperate willingly and share knowledge about staying cyber safe.