As the CIO of a mid-market manufacturing company, I have many opportunities to evaluate cybersecurity solutions. Much attention focuses on which technologies are essential to protecting our companies and data from cyber-attacks. There is no question that security technologies and services are needed. But it’s also important to take into account the vital role that people—employees, contractors, even visitors—play in preventing cyber threats.
Here’s an analogy: You could buy the most sophisticated home alarm system. But if someone opens the front door and lets a robber in — either because they know the person or it doesn’t occur to them that this individual might have bad intentions — then the result is you get robbed. And that expensive alarm system didn’t help at all.
In the case of a business, the equivalent could be an employee holding the door open after they’ve used their entry card and allowing a stranger to follow them into the building. The physical security technology was designed to prevent someone from just walking in, but the human element enabled them to gain entry. With a little research, attackers can target specific individuals in the company and gain access by bypassing the technology altogether.
Learn How Hackers Operate
What can we do to mitigate such cyber threats? It starts with education and training. When I took on the task of implementing a cybersecurity program for my company, I realized I did not know enough about how the bad guys operate to fully understand the risks, or how to mitigate them. I knew about anti-virus and anti-malware software, and firewalls. But that was about the extent of my knowledge. It would be easy for me to assume that if I had those technologies in place, I was doing all that could be expected of me.
On the other extreme, I have also heard about companies that were so afraid of being compromised that they locked down every system—from email to internet access to personal devices—to such an extent that it was nearly impossible for anyone to get work done or collaborate outside the company. That didn’t seem like a workable solution.
I knew I needed training to understand how cyber criminals think, what tools and techniques they use to compromise our systems, and what strategies are available to counter their attacks. I did some research and discovered a certification called Certified Ethical Hacker (CEH) offered by EC-Council. The course teaches “the latest commercial-grade hacking tools, techniques, and methodologies” used by both hackers and information security professionals.
The idea was that if I could learn how the hackers operate, then I would better understand how our systems and data might be at risk—and what to do about it. I enrolled in the course, studied extensively, and passed the test. It was very technical and also very challenging. I highly recommend it for anyone whose primary job is cybersecurity, though it probably is not necessary for management-level employees to delve into that level of detail.
Beware Social Engineering
Education about cyber threats shouldn’t stop at the IT department or company leaders. It is important for every person in the company to have training that prepares them to be the first line of defense.
Businesses can even tailor the type and level of training to different roles and departments. For instance, it’s critical that employees with access to accounting, payroll, and HR data have a strong understanding of the ways that criminals might try to trick them into granting access to that data. It’s not uncommon for social engineers (hackers who are adept at manipulating people to get inside) to peruse LinkedIn profiles, looking for job titles that might indicate an employee’s access to valuable data. They then devise strategies for emailing, calling, or even personally “running into” those employees to gain their trust. Another technique is to send phishing emails, designed to get employees to click on a link that takes them to a site where they enter their credentials or other personal information.
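The phishing pattern described above relies on the link an employee sees not matching where the link actually goes. The following is an added example (not code from the original post or its author) that performs the same inspection a trained employee does by hand: it pulls every link out of an HTML email body, compares the visible text against the real destination, and flags destinations that borrow a trusted brand name on an unfamiliar domain. The trusted domain list and the sample email are constructed for the example; the domain-matching heuristic is deliberately simple and is an assumption, not a production-grade check.

```python
"""Flag phishing-style links in an HTML email body (added example).

Checks performed per <a> tag:
  1. visible text looks like a URL/domain but the href points elsewhere
  2. destination host borrows a trusted brand token on an untrusted domain
  3. destination is plain http or a raw IP address
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: domains this company legitimately uses.
TRUSTED_DOMAINS = {"example-payroll.com", "example.com"}

# Constructed sample: a payroll-themed phishing body. Not a real message.
SAMPLE_EMAIL = """
<p>Your direct deposit details need verification.</p>
<p><a href="http://example-payroll-login.com/verify">https://example-payroll.com/login</a></p>
<p>Questions? See <a href="https://example.com/hr">our HR page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname from a URL, or from bare text such as 'www.bank.com/login'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host. A crude approximation (assumption), fine for a demo."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike(host, trusted):
    """True if host is not trusted but embeds a trusted brand's first label."""
    reg = registrable_domain(host)
    if reg in trusted:
        return False
    brand_tokens = {t.split(".")[0] for t in trusted}
    return any(tok in reg for tok in brand_tokens)


def analyze_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return one finding per anchor: href, visible text, and reasons it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual_host = host_of(href)
        reasons = []
        # 1. Visible text that reads like a URL but points somewhere else.
        if "." in text and " " not in text:
            shown_host = host_of(text)
            if shown_host and registrable_domain(shown_host) != registrable_domain(actual_host):
                reasons.append(f"display text says {shown_host}, link goes to {actual_host}")
        # 2. Brand name reused on an untrusted domain.
        if lookalike(actual_host, trusted):
            reasons.append(f"lookalike domain {actual_host}")
        # 3. Credential-harvest pages are often plain http or served from a raw IP.
        if urlparse(href).scheme == "http":
            reasons.append("plain http link")
        if actual_host.replace(".", "").isdigit():
            reasons.append("raw IP address")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html_body=SAMPLE_EMAIL, trusted=TRUSTED_DOMAINS):
    """Only the anchors that triggered at least one reason."""
    return [f for f in analyze_links(html_body, trusted) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_links():
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the payroll "verify" link is flagged on all three counts while the genuine HR link passes, which is exactly the distinction a trained employee is asked to make before clicking.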
Preparedness is the Best Defense
The best way to combat these tactics is to be aware that they will happen, to know how to watch for them, and to know what to do when they occur. Most employees who represent that front-line defense don’t need the level of technical detail offered by the CEH course. But they do need regular, effective training.
In the next post, I will talk about some of the different training methods and systems that are available, especially those which provide great value for small and mid-sized companies.