Cybersecurity: Why a culture of silence and driving mistakes underground is bad for everyone
Cybersecurity works best when people know that their corporate information security team will be sympathetic to mistakes. That’s because, if someone suspects they may have clicked a phishing link or fallen victim to a cyber attack, they’re much more likely to be open about it – and that helps the whole organisation stay secure against malicious hackers.
Organisations face potential cyber threats on a daily basis as criminals attempt to breach networks using various methods including phishing in an effort to gain usernames and passwords, or even to lay the foundations for a malware or ransomware attack.
The nature of cyber defence means that an attacker only needs to be successful once in order to find an opening. Often, that opening can come in the form of an employee unintentionally falling victim to a phishing email, an incident which if left undetected and unchecked, could have significant consequences for the organisation as a whole.
Organisations should therefore be understanding with employees and encourage them to contact their information security team if they suspect they may have fallen victim to a phishing attack or any other potentially malicious activity.
“The last thing I think we want to do is – whether people are at home or in the office – is is to create a sort of culture where you drive incidents or mistakes underground,” David Emm, principal security researcher at Kaspersky told ZDNet Security Update.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
“Because actually as an IT department, you want to know if somebody clicked a link and they shouldn’t, you want them to ring you up and say ‘I think I’ve done something silly, I didn’t realize I clicked on a link’ – great okay, we can manage that now we know about it”.
There’s a risk that if people are worried they’ll be punished for making a cybersecurity mistake, they won’t come forward to talk about it in the first place – and that’s only going to cause more serious issues, especially if cyber criminals have managed to infiltrate the network.
“If people don’t want to tell you, because they think they’re going to get into serious trouble, it just goes underground and you have no visibility of that,” said Emm.
And if organisations don’t have any indication that there could be malicious activity within their network, they can’t look for it, meaning a malicious hacker could be inside the network for a long time, laying the groundwork for a significant cyber attack.
So making sure employees feel comfortable coming forward about potential incidents, and that the information security team is going to be sympathetic – rather than punishing them – is key to helping the whole organisation stay safe from cyber attacks.
“Trying to encourage a feeling whereby people feel enabled or empowered to say things is really important, because that way, if you have visibility into it, you can manage it,” said Emm.
MORE ON CYBERSECURITY
