From ERP software platforms to Facebook mobile applications, corporate data is being stored and shared across a greater volume and wider variety of touchpoints than ever before. The free flow of digital information is helping companies streamline collaboration and generate novel insights, but it carries considerable risks. As a result, IT departments are incorporating all kinds of cutting-edge tools into layered security frameworks. Yet amid this process, a number of managers have failed to cover perhaps the most important endpoint of all: the employee.
Today’s companies spend a great deal of time and money building a fortress around their network environments. Before corporate laptops log on for the first time, they are loaded up with antivirus and patch management tools before being greeted with additional authentication and application control mechanisms. But as CITEworld contributor and SANS Institute training director Lance Spitzner recently noted, these technical investments significantly outweigh the resources allocated toward employee education and governance.
“Technology is important, and we must continue to invest in and protect it,” Spitzner wrote. “However, eventually you hit a point of diminishing returns. We have to invest in securing the [human operating system] as well, or bad guys will continue to bypass all of our controls by simply compromising the human endpoint.”
As Spitzner suggested, employee security awareness has remained relatively stagnant over the past few decades, even as software engineers and network administrators have propelled cybersecurity innovations forward. As a result, some companies could be working with a “Human OS” comparable to Windows 95. To bring end users up to date, policies will take the place of patches.
One of the most intuitive and effective places to pilot this new process could be in the arena of social media. While Facebook and Twitter were once regarded as consumer diversions, these sites have now become increasingly popular channels for legitimate business communication. Unfortunately, risk management best practices often lag behind usage rates.
To remedy this situation, BusinessNewsDaily advised companies to begin by defining what exactly constitutes appropriate use. Just as clicking one bad link could ensnare a company computer in a global botnet, one ill-advised post can launch a firm into a public relations scandal. In either case, it falls to management to set the bar and hold employees accountable for their actions.
Finally, IT teams must also reserve the right to track comprehension and progress with appropriate monitoring tools. With the information provided, they will be better positioned to iron out any inconsistencies and update policies as business dictates.
How does your company set the tone for cybersecurity? How frequently are employee training protocols refreshed? Let us know in the comments section below!