With the dematerialisation of processes, the adoption of good cyber security practices is essential.
According to the 2021 Fraud and Cybercrime Barometer, 2 out of 3 companies have suffered at least one fraud attempt in the last year, and 1 out of 5 companies has suffered more than 5 attacks. Moreover, one out of two companies has noticed an increase in these attacks following the generalization of teleworking. In a context of dematerialization of processes and documents, growth in the volume of data and upheaval in work organization, the adoption of good cybersecurity practices is essential.
It is not only company management that can take action: employees also have a role to play in preventing security risks. So what are the best practices to put in place? This is what we will be looking at in this article.
Cybersecurity: why is it important to involve employees?
Anticipating risks and putting the right tools in place is the first line of defence in cybersecurity. However, we tend to forget the essential role that each employee plays in protecting the company from the risk of cyberattack. It is true that 90% of successful cyber attacks involve human error and that workstations are the primary source of security breaches. A cybersecurity policy that involves employees addresses precisely these weaknesses: it prevents risks and strengthens the company's protection against attackers. Employees who are sufficiently aware of and informed about IT security risks therefore become the main bulwark against cyberattacks. To ensure that employees understand the importance of cybersecurity, particularly in view of the risks that an attack would pose to the company (financial, reputational, material, etc.), it is essential to integrate security and data protection into the company's culture. Cyber risk must be an integral part of the company's risk culture, and all employees must understand what is at stake. The full involvement of employees is indeed an effective way to raise awareness.
But there is no question of relying solely on theory, for example by introducing a non-binding IT charter. The cybersecurity policy supported by the employees must be anchored in reality and based on concrete examples, so that the dangers to which the company is exposed are better understood. To achieve this, a whole range of good practices can be put in place.
Good practice 1: Secure the working environment
Data security must be at the heart of the company's cybersecurity policy. To this end, the Information Systems Security Department (ISSD) must give priority to the use of tools and equipment originating from within the company and secured beforehand. In this respect, it is important to remind employees that tools, software or solutions external to the company (or not validated by it) are to be avoided, because of the risks they entail.
A VPN (Virtual Private Network) can be set up to secure the company's data in transit, including when employees are working remotely. To adapt to the new uses of hybrid work, the centralization of data on a private cloud could be envisaged. This allows all employees to access their data and documents at any time, regardless of where they are.
Finally, the ISSD may also set up a risk management process through which employees report the security problems they encounter. This can be done by means of a dedicated email address, made known to all employees, or an internal chat group.
Good practice 2: Raise awareness and train employees
As employees are generally the first to be targeted by cyber attacks, it is important to make them aware of the risks and challenges of IT security. To do this, you can start by explaining to them the multiple consequences of a cyber attack: business interruption, damage to reputation, loss of customer confidence, financial losses, etc. All of these consequences would have a direct impact on the employees' own work!
Several avenues can be followed to raise awareness. In addition to drafting an IT charter, which should serve as a reference and be brought to the attention of all employees (including the most senior ones), mandatory training courses can be an effective way of raising awareness among employees.
👉 The objective: to raise awareness of the risks that the company runs in terms of IT security and to highlight the good reflexes to adopt on a daily basis.
Finally, practical exercises can be set up to make cybersecurity a subject rooted in reality. For example, the ISSD can organise a simulated phishing campaign to show employees how to identify spoofed sender addresses and how to protect themselves from the risks that phishing poses to the company: data loss or leakage, identity theft, financial losses, etc.
Good practice 3: Organize cyber attack simulations
Theoretical training in cybersecurity provides a solid basis, but it is not enough. To fully involve employees and make them aware of IT risks, it can be worthwhile to organize cyber attack simulations (or penetration tests), during which the company has to deal with the consequences of a simulated attack. This type of immersion not only allows employees to understand, from a practical point of view, the importance of protecting themselves against cyber risks, but also teaches them how to react when a real attack occurs.
Good practice 4: Implement a policy to combat shadow IT
Did you know that 68% of malware comes from the Cloud and Shadow IT?
Shadow IT is a large-scale phenomenon that refers to IT uses that are neither regulated nor controlled by the company. For example, an employee may use software on his or her workstation that has not been approved by the ISSD. Multiplied across all the company's employees, this practice can quickly prove dangerous.
Hence the importance of taking measures against Shadow IT, in particular by reinforcing employee training and awareness of IT usage, but also by establishing governance rules and regularly reminding employees of the importance of using only solutions validated by the ISSD. The main thing is not to ignore the problem, but to take it into account in the policy to combat IT risks.
Things to remember
📌 There are several ways to fight a cyber attack.
📌 Employee training is one of the ways to combat a potential cyber attack.
📌 By implementing good practices, it is possible to reduce the risk of becoming a victim of a computer attack.