Cybersecurity continues to be a growing concern for all types of organizations. From healthcare to IT and manufacturing, the negative impact of a data security breach can be extensive. To mitigate this risk, many organizations are implementing a security-first approach to their cybersecurity framework. This involves creating controls, monitoring external threats, and aligning to established frameworks.
As useful as these steps can be, there is one point of weakness that many security experts overlook: employees. Company employees are a frequent target of phishing attacks, where clicking on the wrong link can end up compromising company credentials and data. You can reduce this risk by monitoring compliance continuously, and that monitoring should extend to employees' day-to-day behavior, not just to systems.
Employees can be a vulnerable point for cybersecurity
Phishing attacks target your organization through your employees. They aim to solicit information (or an action, such as opening an attachment) from your workers through digital channels, most commonly links embedded in emails. If an employee clicks on the wrong link, they may be redirected to a look-alike site and enter their login credentials or other sensitive company information there without realizing it.
Phishing is a real risk that many different companies face. For example, the healthcare industry has suffered some of the biggest phishing attacks in recent years. UnityPoint Health had 1.4 million of its records compromised during a phishing attack, while Legacy Health and the Minnesota Dept. of Human Services had 30,000 and 21,000 records exposed (respectively).
In addition, the 2018 Verizon Data Breach Investigations Report (DBIR) found that about 4% of recipients will click on any given phishing campaign. The same report attributed 17% of breaches to errors by employees.
The key takeaway is that employees can mistakenly (or sometimes intentionally) cause data breaches in your organization. Without a plan for monitoring compliance continuously, your data may be exposed at the times you least expect.
The cost of noncompliance to your organization
Without a solid plan for monitoring compliance, your employees can unknowingly cost you a lot of money. You may also receive hefty fines from regulators (in addition to the company data that stands to be compromised). For example, violations of the Health Insurance Portability and Accountability Act (HIPAA), including unauthorized employee access to protected health information, carry civil and, in some cases, criminal penalties. Similarly, the Sarbanes-Oxley Act of 2002 (SOX) provides for both fines and prison time for non-compliance.
In light of these penalties, it is important for your company to instill a culture of compliance among employees. If workers are not part of the day-to-day effort to ensure cybersecurity, even the strongest perimeter controls will only yield limited results. Your security-first approach should always be centered on working together with employees in order to control the data environment and ensure compliance.
How to monitor cybersecurity compliance with your employees
The biggest challenge that companies face when ensuring employee compliance is spreading awareness. Indeed, mandatory training exercises are often boring and minimally productive for employees. You need a more creative and practical approach that will resonate with your workers and spark them into action.
Here are several steps you can take to increase cybersecurity awareness and compliance among your employees.
- Establish a personal connection between employees and cybersecurity
The first step is to make sure your workers see how data security can apply to their personal lives. Use examples of how they would struggle if their personal credit cards or social media profiles were hacked.
In addition, provide them with tips on how to prevent such occurrences from happening. This will enable your workers to relate the importance of cybersecurity to both their personal and company information.
- Require your employees to use strong passwords
Many people use the same password across multiple sites. If an outside website is breached, attackers will try the leaked email-and-password pairs against your company logins (a technique known as credential stuffing), so a single reused password can expose company data.
Make it mandatory for all workers to use a strong, unique password for company systems. Current guidance (NIST SP 800-63B) puts more weight on length and on rejecting passwords that appear in known breach lists than on forced character mixing, so pair any complexity rule (mixed case, digits, special characters) with a minimum length of at least 12 characters and a check against breached-password lists, and tell employees never to reuse their work password elsewhere.
- Focus on multifactor authentication
Multifactor authentication requires more than one kind of evidence before granting access to your systems. In addition to a password or passphrase, your employees should also complete a second step, such as entering a code from an authenticator app, tapping a hardware security key, or presenting a biometric. This second factor stops an attacker who has only guessed, cracked, or reused a password. Note that codes sent by SMS or typed into a web form can still be captured by a phishing page, so for the highest-risk accounts prefer phishing-resistant methods such as FIDO2 security keys.
- Have reporting procedures in place
If your employees come across any suspicious activity, they should be able to report it to your IT or security team as soon as possible. Establish a clear reporting path so that phishing attempts are spotted and contained quickly. For example, tell all employees which mailbox to forward suspected phishing emails to and where to report suspicious pop-ups or login prompts.
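To make the password and multifactor steps above concrete, here is an added example (not code from the article or from Reciprocity) that screens a new password at enrollment and then verifies a time-based one-time code (TOTP, RFC 6238) as the second factor at login. The breached-password list is a small constructed stand-in for a real corpus, and the policy thresholds (12 characters minimum, passphrases of 16 or more exempt from the character-class rule) are assumed for illustration.

```python
"""Password screening at enrollment plus a TOTP second factor at login.

Added example for this article; not the article's or Reciprocity's code.
"""
import hashlib
import hmac
import struct
import time
from typing import List, Optional

# Constructed sample of a breached-password list. A real deployment would
# check against a large corpus such as the Have I Been Pwned "Pwned Passwords" set.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1!", "summer2023!",
}

MIN_LENGTH = 12          # assumed minimum length for any password
PASSPHRASE_LENGTH = 16   # assumed: at this length the character-class rule is waived


def check_password(candidate: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted.

    Combines the article's mixed-character rule with the NIST SP 800-63B
    practice of screening against known-breached passwords. Length counts
    for more than character mixing, so long passphrases skip the class rule.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED_PASSWORDS:
        problems.append("appears in a breached-password list")
    if len(candidate) < PASSPHRASE_LENGTH:
        classes = (
            any(c.islower() for c in candidate),
            any(c.isupper() for c in candidate),
            any(c.isdigit() for c in candidate),
            any(not c.isalnum() for c in candidate),
        )
        if sum(classes) < 3:
            problems.append("uses fewer than three character classes")
    return problems


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1, as most authenticator apps use).

    The code depends only on the shared secret and the current time window,
    so an attacker who knows the password but not the secret cannot produce it.
    """
    counter = for_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code if it matches the current window or an adjacent one.

    The +/- one-step window tolerates small clock drift between the server
    and the employee's phone; the comparison is constant-time.
    """
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        t = now + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step=step), submitted):
            return True
    return False


def login(stored_secret: bytes, password_ok: bool, submitted_code: str,
          now: Optional[int] = None) -> bool:
    """Both factors must pass; a correct password alone is never enough."""
    return password_ok and verify_totp(stored_secret, submitted_code, now=now)


if __name__ == "__main__":
    print(check_password("Summer2023!"))                   # too short and breached
    print(check_password("correct horse battery staple"))  # long passphrase, accepted
    secret = b"12345678901234567890"                        # RFC 6238 test-vector secret
    print(totp(secret, 59))                                 # 287082
    print(login(secret, True, totp(secret, int(time.time()))))
```

The TOTP values can be checked against the test vectors in RFC 6238 (the 20-byte ASCII secret `12345678901234567890` at time 59 yields 94287082 for eight digits). In production the secret would be generated per employee, stored encrypted, and provisioned to the authenticator app via a QR code; the password check would run against a full breached-password corpus rather than the constructed list here.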
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. You can learn more at ReciprocityLabs.com.