Earlier this month we held our quarterly Cybercrime Tactics and Techniques Q2 2017 webinar. This event gave thousands of security practitioners and leaders a chance to learn about the latest analysis of threats Malwarebytes Labs has seen around the globe. In case you missed it, you can watch an on-demand replay of that event here.
There’s one thing I’ve noted with all of these events we host—our security community is highly engaged and asks the best questions! This is great because it allows us to drill down even deeper on different topics. Following this recent Cybercrime webinar, one of the attendees brought up a topic that we often hear is a pain point for many businesses.
“What corporate culture practices can companies use to get improved resilience out of employee behavior?”
With so many evolving threats from cybercriminals who employ a variety of tactics and techniques, there’s one element that many security pros consider to be the weak link in any security practice: humans. The challenge is to minimize the impact your users have on your well-laid plans to secure them. To help answer this question and inspire anyone else who is facing this same concern, I thought I’d share four key steps you can take within your business to help gain trust with your employees while accomplishing your mission.
1. Company expectations
Your business needs to ensure it has spelled out (clearly) what is expected from your employees. Not just for lunch breaks and travel expenses, but for the proper and safe use of company-provided laptops and desktops and for connecting personally-owned devices to your company network. That also includes best practices to follow for home use and while traveling. Having an IT security policy created and communicated to employees is a critical first step. This way nobody can claim "they didn't know". This is also a great place to introduce or reinforce your user security awareness training.
2. Get the right technology
Speaking of awareness training, simply saying "don't click on stuff" as a message to employees isn't enough. Back them up with technologies that can prevent phishing attempts, block spam email, and block connections or redirection to known malicious websites, IP addresses, and servers. That way, however many links get clicked and attachments get opened, this common threat vector can be proactively blocked.
3. Build trust with employees
In order to build trust and teamwork with your company's staff, you need to be fair and up front with them. Don't try to trick your employees with unannounced security tests (e.g., phishing emails). Instead, let them know ahead of time that you'll be testing them to measure their diligence. Don't tell them when, but give them fair warning. This is when you can also take the opportunity to promote your published security training and best practices documentation. (See #1)