Cyber security falls under the responsibility of everyone, not just information technology professionals. As with personal security, individuals must pay attention to their surroundings and their actions.
There are a number of areas that businesses and employees fail to pay attention to regarding cyber security. These are in no order of importance as all are critical.
Lack of training for staff
When we raise our children we make sure they know to look both ways before crossing the street, not to take candy from strangers, and never to get in a car with someone they don't know. To all of us, this is common sense as we received this same education ourselves.
With cyber security, the same principles apply. Don't open attachments from unknown sources. Don't go to websites that appear suspicious. Don't tell anyone your password (s).
Businesses must make sure they have education for all employees regarding these, and other, basic cyber security concepts. The training should occur at new hire orientation and it makes sense to have annual or semi-annual reviews.
Failure to limit / log access
Who has access to what data? What IT Administrator modified the directory structure? Who changed permissions? Do all employees have access to HR files? Does any unnecessary person have access to financial records? Are there logs showing who accessed what data?
Most of the answers to these questions will be "we don't know" and that's a problem to acknowledge and address. Companies need to utilize built in tools to log access, and, when necessary, purchase third party software for greater control and granularity. Not only can tracking access prevent a data breach, it enables organizations to find out what happened when data loss does occur.
Caring about corporate data
Most employees simply focus on their day to day job, they are not necessarily concerned with intellectual property at their company. Vast numbers of employees don't even know what data is critical to the success of their business.
With a myopic focus on what's in front of us, it's extremely difficult to protect that which truly matters to an organization. Employees understand financial and human resource records deserve protection, that's not enough.
Staff must also know about core data critical to the company so they can make sure and take proper action when dealing with that information and when dealing with others who have responsibility for protecting that data.
Understanding cyber threats
Phishing. Spoof. Worm. Trojan horse. Pharming. Hijack attack. All key terms in the cyber security world and, with few exceptions, most people do not know what these expressions mean.
Along with basic education, it makes sense for organizations to make sure staff knows what these attacks are and how to protect against them. There are a number of terms and threats that individuals are familiar with, it's the responsibility of businesses to help employees understand additional dangers. Common sense goes a long way, and with adding simple communication, businesses can ensure employees know what to look for and how to act when issues arise.
Spending money in the wrong areas, or not at all
Too often businesses focus on revenue generation opportunities and ROI when spending money. Companies must take a defensive posture as well. This doesn't mean only spending money on networking equipment and edge devices to protect their information assets, they must understand the extent of the threats and spend in numerous areas.
Firewalls, extranets, and intrusion detection systems are all well and good; however, they only protect companies from specific types of attacks . Businesses must take a holistic view of cyber security and invest as necessary. Cyber security is an investment and should be viewed as such through the budgeting process.
Everyone must take ownership for cyber security. In today's world with major data breaches occurring seemingly weekly, impacting millions of people, it's imperative to pay attention and share in the responsibility for data protection.
Through education, logging, understanding corporate data, knowledge of threats, and proper cyber security investments, companies will find greater security. When companies have data protection, investors, employees, and consumers receive peace of mind and clarity that they are as secure as possible.