Hiring – IT is the most obvious department that benefits from looking for cybersecurity skills when hiring, but IT teams are usually bound by decisions made by senior management. Leaders in any department or function should therefore be hired only after examining their cybersecurity track record; specifically, look for candidates who have implemented or improved cybersecurity measures in their previous roles. They need not be experts, but they should be known for seeking out and listening to cybersecurity experts. This is the most important step in creating a cybersecurity culture, because leaders set the tone for all their subordinates, and it should apply to both internal and external recruitment. Emphasising cybersecurity when hiring also sends a clear signal throughout the organisation that combating cyberthreats is a priority.
Training – A cybersecurity training programme should be formulated to ensure that all employees, irrespective of their position in the hierarchy, are made aware of how cyberthreats work, how threat actors may target them, the organisation's defences against cyberthreats, the cybersecurity best practices that should always be followed, the individual's responsibilities with regard to cybersecurity, and the escalation matrix to use if they notice a cyberthreat or vulnerability.
Training should cover relevant laws, such as data privacy regulations, and the consequences of violating them; organisations with international operations should include the legislation of their overseas markets in the training.
Responsible use of social media is another area that training should emphasise, as employees are often unaware that what they share on social sites and apps can put both their personal safety and their employer's cybersecurity at risk (for instance, by handing an attacker the details needed for a convincing spear-phishing message).
Training should be customised to suit the responsibilities and access privileges of employees at different hierarchy levels; e.g., leaders should be made aware of cyberthreats that specifically target the C-suite, such as executive impersonation and whaling attacks.
Training should not be a one-time event. Refresher courses should be provided at periodic intervals, and updated as new threats emerge.
Procurement – Cybersecurity should be part of the selection criteria when issuing RFPs/tenders for hardware and software. The vendor's track record in providing timely security patches should be ascertained, and the duration of support for the product should be verified before a purchase order is issued: the published end-of-support date should extend well beyond the planned service life of the asset (lifetime support is preferred).
Scrappage – Hardware and software that have reached end-of-support should not be used, since they no longer receive security patches. The support status of all IT assets should be tracked in the asset inventory and obsolete products should be retired before their support expires. Hardware that is sold to scrap merchants should be thoroughly sanitised before it leaves the organisation: storage media should be securely erased or physically destroyed, because simply deleting files or formatting a drive does not remove the confidential information stored on it.
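Tracking support status is easier to enforce when it is a scheduled check rather than a manual review. The script below is an added example, not part of the original article or a K7 Security tool: it reads an asset inventory, classifies each asset as unsupported, expiring within a warning window, supported, or of unknown support status, so that retirement can be scheduled before patches stop. The inventory, asset names, product names and dates are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory; asset names, products and dates are hypothetical.
# In practice this would be read from the CMDB or asset register.
INVENTORY = [
    {"asset": "fw-edge-01", "product": "ExampleFW 4.x", "end_of_support": "2023-06-30"},
    {"asset": "db-core-02", "product": "ExampleDB 12", "end_of_support": "2024-03-31"},
    {"asset": "hr-laptop-17", "product": "ExampleOS 11", "end_of_support": "2027-10-14"},
    # No recorded end-of-support date: must be investigated, not assumed safe.
    {"asset": "legacy-scada-gw", "product": "VendorGateway 2", "end_of_support": None},
]

STATUSES = ("unsupported", "expiring", "unknown", "supported")


def classify_asset(asset, today, warn_days=180):
    """Return the support status of one asset relative to `today`.

    'unsupported': end-of-support date has already passed (no more patches).
    'expiring':    end-of-support falls within `warn_days` (plan retirement).
    'unknown':     no end-of-support date recorded (treat as a gap to close).
    'supported':   end-of-support lies beyond the warning window.
    """
    eos = asset.get("end_of_support")
    if not eos:
        return "unknown"
    eos_date = date.fromisoformat(eos)
    if eos_date < today:
        return "unsupported"
    if eos_date - today <= timedelta(days=warn_days):
        return "expiring"
    return "supported"


def review_inventory(inventory, today=None, warn_days=180):
    """Group asset names by support status; unknown dates are never silently skipped."""
    today = today or date.today()
    report = {status: [] for status in STATUSES}
    for asset in inventory:
        report[classify_asset(asset, today, warn_days)].append(asset["asset"])
    return report


def days_until_end_of_support(asset, today):
    """Days left before an asset loses support; negative if already unsupported, None if unknown."""
    eos = asset.get("end_of_support")
    if not eos:
        return None
    return (date.fromisoformat(eos) - today).days


if __name__ == "__main__":
    run_date = date(2024, 1, 15)  # fixed date so the demo output is reproducible
    for status, names in review_inventory(INVENTORY, run_date).items():
        print(f"{status:12s}: {', '.join(names) or '-'}")
```

The warning window (180 days by default) should match how long your procurement cycle actually takes to replace a product; an asset in the "expiring" bucket is the trigger for raising an RFP, and anything in "unknown" is a data-quality finding against the asset register itself.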
Design – Cybersecurity by design should be a guiding principle when designing administrative and operational processes. Processes should be designed to
Reduce the attack surface
Avoid identified risks
Have cybersecurity as the default rather than an additional layer bolted on afterwards
Give priority to cybersecurity issues when they conflict with convenience or speed
Partnerships – All organisations partner with other organisations for the provision of various services, and a cyberattack may originate in a partner organisation that has access to your systems or data. Securing the supply chain is therefore an essential part of organisational cybersecurity; choose to partner with vendors who prioritise cybersecurity as much as you do, and verify that they do.
Businesses often create a cybersecurity policy and include many of these measures in it. While having a cybersecurity policy is important, it does not by itself produce a culture of cybersecurity, as the policy may exist only on paper. Culture is what is practised, not what is preached, so judge your organisation's cybersecurity culture by the extent to which employees follow the above measures automatically.
We have discussed cyberattacks, such as phishing, that can be launched without a malware component, but they often deliver malware as a payload at later stages of the attack, when the attacker tries to establish a foothold inside your organisation. K7 Security's enterprise endpoint and network security solutions provide comprehensive defences against the latest malware and malicious websites. Contact us for more information on how we can help you secure your operations.