Every Employee Is a Cybersecurity Employee
Once, during new hire training, part of the program had a representative from each department introduce that department, explain its function and answer any questions from the new employees.
In one of these sessions, a salesman talked about his team and then asked the new employees, “What department do you work in?” Hands went up with answers of “finance,” “human resources,” “customer support,” “engineering” and others. Once everyone was done, he took a dramatic pause and loudly stated, “No! You all work in sales!” His logic was that every employee of the company worked for sales, because each of them helped to represent and “sell” the company to others.
Today, while that still rings true, there is an additional job that everyone in the organization has: being part of the cyber defense for the organization. That shared responsibility is key to making sure that an organization, of any size, is protected against threats.
In 2004, to help promote awareness of the threats, the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance launched National Cyber Security Awareness Month (NCSAM).
October is NCSAM, and the theme for 2019 is “Own IT. Secure IT. Protect IT.”, which puts the focus of the shared responsibility on the individual. “Own IT” focuses on end users owning their own presence online, making them responsible for their privacy and application usage. “Secure IT” is about reminding end users to ensure that all transactions are secure and that they are aware of their surroundings online. Finally, “Protect IT” reminds users and enterprises to keep up with the latest security software and patches for browsers, devices and operating systems, as well as to make sure that the data they collect (data at rest) is protected.
Security and IT organizations should focus their efforts on setting up awareness and education programs for their end users as well as for their system administrators and security teams. End users should be educated on how to spot, avoid and report phishing emails, so that the organization is not exposed to malware. System administrators should be reminded to keep their applications and servers up to date with patches and to stay abreast of the latest Common Vulnerabilities and Exposures (CVE) entries relevant to their systems. Users with remote access permissions or using their own devices (BYOT) need to be reminded how to access organization resources safely. Finally, all employees need to understand the exposure created by the use of social media, especially the risk posed by spearphishing.
Cybersecurity awareness activities and programs should not be limited to the month of October. Organizations are under constant threat from every angle. Keeping an organization secure is a full-time job, and just like the salesman who stated that everyone is in sales, every employee is part of the cyber defense for an organization.