The world of cyber security is changing rapidly, with new threats and remedies emerging every day. Employees are not able to keep up with these technological advancements, especially those without a technology background who do not work within the information technology (IT) departments of their organizations. It is therefore paramount for organizations to focus their cyber security prevention strategies on awareness creation and employee education.
According to the 2020 Global Cyber Security Index, cybercrime losses were predicted to jump to USD 6 trillion in 2021 from USD 1 trillion in 2020. This was attributed to society's transition to doing business online due to restrictions on movement as a result of the Covid-19 pandemic. In Kenya, more than 150 million cyber threats were detected by the National Kenya Computer Incidence Response Team for the period July to September 2021.
Despite the escalating risk from cyber security threats, most organizations lack detailed and intentional awareness creation initiatives for their employees on this subject matter. This creates room for undetected attacks on organizations through minor employee mistakes that often result in huge losses of data, as well as time wastage and financial loss while pursuing data recovery. To avert these eventualities, organizations should build the capacity of their employees to be aware of how they can be exposed to cyber security attacks and of the specific measures they can take to prevent them.
As more organizations move online and adopt digital operations after the 2020 Covid-19 pandemic, cyber security prevention measures are now being implemented more proactively, such as employing the services of IT consultants to secure organizational network infrastructure. However, not much is done at the employee level, for example educating employees on how to install a firewall on their personal computers to monitor network traffic and why this is important.
According to Kaspersky, in a study of over 5,000 organizations, 52% of the organizations believed that their exposure to cyber security threats came from a lack of awareness or ignorance among their employees about the prevention of cyber threats. Smaller organizations of fewer than 1,000 employees were more likely to agree that their employees exposed them to cyber threats, hence the need for employee education regardless of business size.
A clear example of a threat that could have been prevented if employees had been more aware is the WannaCry ransomware attack of 2017. It attacked computers that were running the Windows operating system and had not been updated with a security patch released by Microsoft two months before the actual attack. This affected roughly 200,000 organizations.
Mitigating Cyber Attacks At the Organizational Level
- As with all other risks, top management in organizations should take the lead in mitigating cyber security risks by training their employees on how to handle and operate both company and personal IT hardware and software to prevent attacks. Management should make it a priority and a requirement for their IT department or consultant to train employees on how attacks can happen. For example, educating employees on what a password spraying attack is makes clear why it is important for them to avoid using one password for everything.
- This training and testing should be made frequent to keep up with the ever-evolving cyber security threats and prevention measures. Employees, especially those not in the IT field, are not able to keep up with the rapidly changing developments in the cyber world on their own.
- Capacity building for employees should not only focus on prevention but also on the remedies to be taken when an attack has happened. For example, employees should be taught what actions to take when a Remote Code Execution (RCE) attack has occurred.
- Organizational structure should be clear enough in terms of reporting lines when cyber attacks occur. Employees should know whom to report to when an attack has occurred.
- The IT policies set by the organization should encourage employees to report when cyber attacks occur. When organizations set policies that punish people for cyber security attacks, employees are discouraged from reporting such cases, and this can lead to more attacks with more severe damage. This is even more important in this era where employees are working from home, away from the direct supervision and support of the IT department. The quicker an attack is reported, the faster its damage can be reduced.
- Lastly, corporate culture should treat employees with fairness and equality. Employees should feel valued and wanted within the organization regardless of their level. Disgruntled employees are one of the leading causes of cyber threats. In 2012, an employee of an oil and gas company in North America reset the company's network servers to factory settings, essentially eliminating all company data, after finding out that he was going to be fired. Management should ensure that employees are treated with fairness and equality even during termination, so that they do not harbor feelings that might result in the employee acting in a negative manner.
Author: David Kageenu