People play the most important role in security, there is no doubt, but here are some ways to keep people informed and be a strong part of a company’s security plan.
There is one day every parent keeps an eye on and that is the day their son or daughter gets behind the wheel for the first time. He or she has the idea of once I get on the street, “I am going to be the only one there and everything is going to be fine.” What they don’t realize, however, is there are drivers out there that unintentionally make mistakes or others speeding and operating with reckless behavior showing malicious intent.
Along those lines, for a safe driving environment — and to step up the metaphor – or for a secure manufacturing automation environment, it becomes vital to educate people so they understand where the threats come from.
The most important element is awareness and education and ensuring that education is recurring and constant. It must come down from the absolute top levels of management and filter down through operations leadership into human resources and eventually down to the workers themselves.
That only makes sense because an EY (formerly Ernst & Young) report that came out in November found attacks carried out by unsophisticated, individual attackers successfully exploited vulnerabilities organizations were aware of, but did not ward off. The report also showed careless or unaware employees are seen as the most significant increasing vulnerability to organizations’ security, with 60 percent of respondents saying it was a problem, compared to 55 percent the previous year.
Having that recurrent, consistent reminder of general awareness, understanding what password polices mean, understanding what BYOD (bring your own device) policies mean, understanding how appropriate use methodology works and why it is there, what is the difference between a phishing attack and a standard email attack. We want to make sure they have the education, the awareness, the wherewithal to understand and detect when, where and what they should be looking for in these types of situations and how they can remain protected along with the company.
Industrial cybersecurity awareness is increasing and the connection that needs to be made where an operator may have in the past focused on physical equipment failure now needs to be aware a cyber incident could cause the same problem.
“Getting people to realize the world is a different place and you do play a role; that is why we have policies and procedures,” said Joshua Carlson, Subject Matter Expert and Technical Sales Leader for Cybersecurity at Schneider Electric. “It is all about driving the idea of a cybersecurity culture and getting everyone on the same page to realize what is my role and my part of the big scheme in helping the company be successful. You don’t want to be responsible for the exposure or the increase in risk or the delivery of malicious software or the inadvertent exposure of customer data.”
Even to this day, users think of security purely as a technology issue. “Let’s just buy this device and our worries are gone,” they will say. That is where the idea of people, process and technology truly comes into play. That is also where fixing the weakest link in that chain, people, is imperative. With the proper education and training, people can become the strongest asset.
The following are tips and best practices to help workers become more aware of the importance of security and how they need to participate:
- Executive sponsorship leading the charge
- Create a cybersecurity culture
- Understand baseline measurement of good security practices
- Understand policies and procedures
- Continuous amount of situational awareness
- Understand how to measure success
- Training, training and more training
- Making everyone accountable
- Be aware of social engineering
- Don’t open emails asking you to enter a website and enter your password
- Only use your password where there is a direct link
- Don’t open files from people you don’t know
- Don’t give your password out to anyone
- Use common sense
Let’s make cybersecurity awareness part of everyone’s job and company culture. Watch out for more blogs in the near future about this evolving and ever critical subject.