Earlier this month we held our quarterly Cybercrime Tactics and Techniques Q2 2017 webinar. This event gave thousands of security practitioners and leaders a chance to learn about the latest analysis of threats Malwarebytes Labs has seen around the globe. In case you missed it, you can watch an on-demand replay of that event here.
There’s one thing I’ve noted with all of these events we host—our security community is highly engaged and asks the best questions! This is great because it allows us to drill down even deeper on different topics. Following this recent Cybercrime webinar, one of the attendees brought up a topic that we often hear is a pain point for many businesses.
“What corporate culture practices can companies use to get improved resilience out of employee behavior?”
With so many evolving threats from cybercriminals who employ a variety of tactics and techniques, there’s one element that many security pros consider to be the weak link in any security practice: humans. The challenge is to minimize the impact your users have on your well-laid plans to secure them. To help answer this question and inspire anyone else who is facing this same concern, I thought I’d share four key steps you can take within your business to help gain trust with your employees while accomplishing your mission.
1. Company expectations
Your business needs to ensure it has clearly spelled out what is expected from your employees. Not just for lunch breaks and travel expenses, but for the proper and safe use of company-provided laptops and desktops and for connecting personally owned devices to your company network. That also includes best practices to follow for home use and while traveling. Having an IT security policy created and communicated to employees is a critical first step. This way nobody can claim “they didn’t know”. This is also a great place to introduce or reinforce your user security awareness training.
2. Get the right technology
Speaking of awareness training, simply telling employees “don’t click on stuff” isn’t enough. Back them up with technologies that can prevent phishing attempts, block spam email, and block connections or redirection to known malicious websites, IP addresses, and servers. That way, when links do get clicked and attachments do get opened, this common threat vector can still be proactively blocked.
3. Build trust with employees
In order to build trust and teamwork with your company’s staff, you need to be fair and up front with them. Don’t try to trick your employees with unannounced security tests (e.g., phishing emails). Instead, let them know ahead of time that you’ll be testing them to measure their diligence. Don’t tell them when, but give them fair warning. This is also an opportunity to promote your published security training and best practices documentation. (See #1)
4. Report suspicious behavior
Another key element in fostering trust and open communication with your employees is enabling them to easily report suspicious behavior. Publish and socialize an email address to which employees can forward any suspicious emails or phishing attempts, along with URLs for sites they’re concerned about. Not only will they feel trusted and empowered to help protect your company (read: employee loyalty), but your security team gains an army of additional eyes and ears to stop potential attacks sooner. If you have a dedicated SOC, consider publishing an employee telephone hotline number that they can call if they suspect a security threat to your business, regardless of whether it’s physical or digital.
In keeping your business secure, it is critical that you educate your employees. Luckily, this doesn’t have to be a tedious process. Hopefully, the four steps above have simplified that for you. Following that, make sure you have the right security products in place, with multiple layers of technologies that provide multi-vector protection, like Malwarebytes Endpoint Protection. Also, I encourage you to join your peers and check out our next Cybercrime Tactics and Techniques webinar near the end of October. Just remember to bring your questions.