Despite the technologically advanced society we live in, most of what is commonly referred to as “cybercrime” is carried out by digital con men and is successful largely because their victims simply don’t know any better. Phishing is a perfect example. More and more, we see headlines every year about huge companies losing millions of dollars all because an employee handed over their password to someone they thought was an authority figure.
Although it’s not fun to think about, your staff – who are probably your company’s greatest asset – are also its greatest liability. This is why you must have security personnel who can keep your organization safe, especially Certified Information Systems Security Professionals (CISSP).
How Does Personnel Security Relate to Risk Management?
As mentioned, security personnel are an essential investment to ensure that your company isn’t exposed to unnecessary vulnerabilities. There are still other areas of your organization that you need to put resources into protecting. For example, your servers need to be secured. You should be using appropriate antivirus software. The list goes on and on.
None of that will matter, though, if your security personnel aren’t focusing on how your staff could be the biggest threat you face (whether intentionally or not).
The actual tasks your security personnel will need to be responsible for carrying out will depend on a lot of variables unique to your company. That being said, most organizations should have a team of security personnel who do some combination of the following:
Identify the company’s vulnerabilities;
Evaluate the level of risk that is “acceptable”;
Carry out regular assessments and provide results to designated personnel;
Improve company safeguards;
Train other staff members to ensure they’re not contributing to risk factors;
Leverage technology to improve defenses; and
Continuously monitor the efficacy of mitigation controls.
In the next section, we’re going to discuss candidate screening. While it’s definitely important to take this process seriously, we also want to point out that security personnel need to do more than just make sure you’re hiring sound candidates.
Just because an employee has been with your company for some length of time, that doesn’t guarantee they will make smart decisions where security is concerned. In fact, when you consider that the length of time someone has been with a company often correlates with their level of access, it’s even more important that your security personnel are making every effort to mitigate the potential risks posed by those employees.
What Do I Need to Know About Candidate Screening?
If you can hire the right people, your security personnel will have a much easier time keeping your company safe. This is much easier said than done, though, so in this section, we’re going to explain what you need to know about screening candidates in terms of your company’s security.
The most obvious piece of advice we can give is that your security personnel must conduct background checks on any person you’re considering for a role. Even if they’re just temps or otherwise won’t have any significant forms of access, you can’t risk hiring someone who may have a checkered past. It’s become all too common that companies incur attacks that come from the inside.
Still, with the help of your security personnel, you could create a questionnaire that addresses things like strong passwords, avoiding phishing scams, securing hardware, etc. Again, your security personnel can always teach your new people about a lot of this, but you’ll be saving yourself a lot of work by making sure you hire people who at least understand the basics.
The Importance of Hiring CISSPs
Most importantly, though, opt for personnel who are Certified Information Systems Security Professionals. Developed by the International Information Systems Security Certification Consortium, or (ISC)², this globally recognized designation is awarded only to those professionals whose technical skills and experience prove a proficiency in implementing and managing IT security programs.
Put another way, CISSPs not only understand how to design a capable security network; they can manage the people you need to run it, too.
Since the designation’s inception in 1989, CISSPs have only grown in popularity. This isn’t just because of the growth of information technology, either. It has far more to do with the evolution and sophistication of the cyber threats every company must now worry about. If you want the best possible defense, you need a CISSP on your team.
Everything we’ve covered so far can be optimized by a CISSP, but let’s continue and cover other important elements you must grasp.
Proper Training Is Essential
We just touched on this, but it’s important enough that we wanted to dedicate a section to it. One thing we’ve definitely tried to stress in this piece is that your staff is a potential entry point for cyber crimes, whether they mean to be or not.
That being the case, you absolutely must dedicate resources to training them so that they understand the nature of the threats and how they can prevent successful attacks. While you’ll need to consider the many challenges unique to your business and industry, the following will most likely be useful:
Training must be ongoing. If just one of your employees opens the wrong link from a malicious email sender, it could cost your company millions of dollars. We’ll talk about this more at the end, but it could also completely destroy your organization’s reputation and thus, future business. Don’t get lazy and fall into the trap of holding annual reviews that end with your employees signing a form with some version of: “I have read and understand the IT policies provided by my company’s security personnel.” You need your employees cognizant of the potential threats that exist every single day. Regular training will help with this.
Again, a CISSP will make a huge difference here. Their experience will ensure they can offer effective training, while their understanding of the industry means they’ll be able to stay on top of important trends.
Training also needs to involve testing of some sort. Again, signing a form isn’t good enough; it doesn’t actually mean anyone learned a thing. Having employees take tests after training can be very effective. Some companies take it a step further and send their own staff simulated phishing emails at random to see whether they’ll fall for the trick. Other versions of this sort of testing are possible too, and there are even third parties that will handle this kind of ongoing testing for you.
Everyone needs to go through ongoing training as well. For one thing, it’s always wise to lead by example. However, there’s also no reason to think that just because you’re higher up, you’ll somehow be exempt from being targeted for a cyber crime. In fact, if your position has boosted your public profile, it will be that much easier to launch a spear phishing attack at you.
Not everyone in your company needs to go through CISSP training. That’s unrealistic. However, CISSPs understand what ongoing training looks like because, as we already touched on, they’re constantly learning themselves.
Along the same lines, this training must stress how important each employee is in keeping the entire company safe. We’ve already talked about this, so we won’t elaborate here, but suffice it to say that everyone has a job to do in terms of security. Empower your staff so they can provide a solid defense. Also, make sure that no employee is ever derided for raising a red flag regarding cyber security. There may or may not be such a thing as a stupid question, but there is definitely no such thing as being too vigilant where the security of your company is concerned.
Cybercriminals are constantly evolving. Therefore, your training has to do the same. Your security personnel must stay abreast of what’s going on in this malicious world so they can transmit that information to the staff and adjust training in a timely fashion.
We’ve already covered this, but one more time: a CISSP is going to be your best consultant for effective training.
Statistics can be a powerful tool. Similar to the last point, security personnel should become accustomed to looking these up on a regular basis with the goal being to show employees just how common these attacks are. Your staff shouldn’t wonder whether or not your security will be threatened; rather, they should expect that it’s going to happen.
Make sure your employees understand that cybercrime doesn’t just happen through their computers. Plenty of scammers begin their plots by making a phone call first.
Invite feedback. While testing your employees will also make for a very valid critique, you may find all kinds of ways to improve your security policy and practices if you actively welcome the opinions of your employees.
To reiterate, how you apply this to training your staff will be different from how other companies decide to do it. Even the format your training takes will depend on the type of organization you run.
Employment Agreements and Policies
If you haven’t already, you need your employees to sign an agreement that attests to their understanding of your cyber security policies and willingness to follow them. For some of you, you’ll need to consider what regulations apply to your business.
For example, you may have to reference OSHA when putting together this form. Amongst other things, that’s because OSHA actually has its own definition of what constitutes an employee. This may seem like a no-brainer, but considering its significance, you don’t want to ignore what OSHA says on the matter.
As with the actual training your security personnel conducts with employees, your policy will be unique, but we can still recommend some basics that every one of these agreements should feature:
Internet Use – Just because your staff has access to the World Wide Web, that doesn’t mean they should be browsing aimlessly or visiting inappropriate sites. This must be pointed out in the agreement they sign.
Passwords – Training will need to emphasize the importance of using good, strong passwords. Fortunately, you can use software to make sure that these are the types of passwords your people are choosing. Unfortunately, they can still write that password down on a piece of paper they keep in an insecure location, or simply tell someone. This type of behavior must be prohibited.
Unauthorized Software – Using unauthorized software is just as bad as visiting unauthorized sites while on company computers. It’s an unnecessary risk that could have huge ramifications. Be sure to make clear in your policy that this will not be tolerated.
Email – While you may wish to be a little less restrictive with your email policy, be clear about the rules and put them in writing. Email is another really obvious entry point where criminals can find a vulnerability to attack.
Mobile Devices – If you’re going to issue mobile devices to your staff, then this will also need to be something that gets described in detail in your policy. Everything from what will be considered appropriate use to the steps they must take to secure their mobile devices will have to be spelled out.
This policy should be revisited regularly, just like your training. If your security personnel continue to monitor the world of cybercrime, they will most likely have suggestions for revisions throughout the year as well. Have those revisions made and then have your staff review and sign the new agreement immediately. This simple practice is yet another way you can reemphasize to your people that cyber security is something your company is going to take very seriously.
Security Personnel: It’s Not Just About Your Company
It’s important to understand that security personnel don’t matter just to your company; they also matter to any company that does business with you and/or your customers. There have been countless incidents where one organization was negatively affected because a supplier or business partner was victimized by a cyber criminal. There have been numerous stories this year alone about people getting their credit card information stolen because they entrusted it to a company that was attacked by a malicious party.
Furthermore, if someone is able to gain unauthorized access to your digital landscape, you’ll be impacted twice. First, there will be the actual attack and all the damage that comes with it. Second, you’re most likely going to lose business in the future too.
Decision makers across every industry are starting to think about this more. That’s why you’ll probably face questions about your security personnel before many decide whether or not they want to do business with you.
This should be one more reason to hire a CISSP. Aside from the very real advantages that their title represents, there’s also the simple fact that it carries global recognition. It’s not country- or industry-specific. Any company concerned about your IT security will only have to do a simple Google search to be reassured you can be trusted.
Security personnel are some of the most important people you’ll ever employ. They also have a very difficult job. Set your company up for success by following the above advice and creating a truly effective security policy. To make things easier on yourself, retain the services of a CISSP who will be a permanent asset in your quest to maintain a strong digital defense.