Top 3 Cybersecurity Measures: Skepticism, Awareness and Training
What comes to mind when you hear the phrase “information leak due to unauthorized access“? Why do data breach incidents not decrease? One of the reasons is the sophistication of attacks. As a means of unauthorized access, an attacker tries to send malware by email to a targeted party, and that email is often very convincing, indistinguishable from the real thing. Because of this, the targeted person opens the mail without any doubt, infects the device with malware and causes an information leak.
In this The Threat Report article, we will try to clear up people’s confusion about why data breaches happen, written in the plain English of a common Joe and Jill.
With regard to physical safety, as internationalization progresses, crime also becomes international and diversified. Crisis awareness has risen not only in companies but also in homes, and it is now accepted that safety comes at a reasonable cost, for example the installation of home security systems.
On the other hand, how about cyber security? Internet access has penetrated deeper, from the enterprise to the home and to mobile use; information equipment such as smartphones and tablets keeps evolving; means of communication have diversified into email, SMS, MMS and instant messaging apps; and the number of users relying on ICT tools is rapidly increasing. However, the sense of crisis regarding information theft remains more of a subconscious one.
There are two major reasons why this risk is not consciously recognized. First of all, there is a lack of awareness of cyber risk. While users enjoy convenience, they do not have the opportunity to learn the actual state of the risks, so the status quo of not understanding the risk remains. The second point is about beliefs. Feelings such as “nobody would care about me“ and “I’m using antivirus software, so I am OK“ lower security awareness.
Both “lack of recognition of cyber risk“ and “wrong beliefs“ are problems of literacy about cybersecurity. In other words, it is important to understand the risks correctly, to spread that understanding correctly, and so to avoid harm altogether.
Increase cyber security literacy
Due to the “sophistication and diversification of attack methods“, it is currently impossible to perfectly prevent cyber attacks. In order to limit the damage caused by a cyber attack, it is necessary both to take security measures in the system and to raise cybersecurity literacy and the crisis awareness of users.
In order to raise literacy, a user of a computing device needs to master correct knowledge of cyber risk and learn how to respond. Training is also important for consolidating that knowledge and those countermeasures. The methods are described below:
Creation and strong enforcement of Cybersecurity Policy
Before improving the literacy of employees, it is important to formulate information security policies in the organization. The security policy describes the enterprise’s information security policy and action guidelines, and basic ideas such as what kinds of threats to protect against and what kinds of information assets to protect. Clarifying the purpose and contents of cybersecurity is important as the motivation and goal for improving literacy among employees.
Implementation of Cyber Security Education
Although the introduction of antivirus software, the most commonly listed security measure, handles known attacks, it cannot cover unknown attacks and human errors. Companies are encouraged to conduct training such as “basics of cyber risk“ and “cyber attack cases“ for all employees. Employees are the front line of IT security, and some organizations forget to instill this principle in their teams.
Training, and more importantly retraining, programs need to exist
Currently, training conducted without employees being aware of it is carried out in many companies. In this training, pseudo-suspicious emails are used as a method to confirm how far employees’ security awareness has penetrated; one example is checking whether an employee will open a dummy ‘phishing’ email. This training, which simulates actual situations, is effective in building experience, but it only serves as a reminder of the risks. It is also important to learn a lesson from the simulation and to know how to respond, by building cross-sectional training out of past post-incident responses. A simulated cyber attack is also known as penetration testing.
There is a possibility that everyone will experience a cyber attack of some scale; it is “the new normal” in today’s world. In order to minimize the damage caused by cyber attacks as a company, it is ultimately necessary to raise the cybersecurity literacy and awareness of each and every employee. From the everyday point of view, the way for a company to protect itself from cyber risk is to empower all employees to maintain calmness, awareness and, most importantly, critical thinking: “Did the boss really send this email containing attachment.x?” Asking a question is safer than clicking or opening a questionable attachment or link. Skepticism helps strengthen cybersecurity.
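As an added example (not part of the original article), the sceptical questions behind “did the boss really send this?” are written below as a few mail-header and attachment checks in Python, the kind of rules a mail gateway or awareness tool can apply before a user ever sees the message. The organization domain, the internal sender directory and the sample messages are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                   # assumed organization domain
KNOWN_SENDERS = {"Alice Boss": "alice.boss@example.com"}     # assumed internal directory
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}


def check_message(raw: str) -> list[str]:
    """Return a list of reasons to be sceptical of the message (empty = nothing found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # A familiar display name on an unfamiliar address is the classic "boss" lure.
    if display in KNOWN_SENDERS and KNOWN_SENDERS[display].lower() != addr.lower():
        findings.append(f"display name '{display}' is a known colleague but address is {addr}")
    if domain and domain != ORG_DOMAIN:
        findings.append(f"sender domain {domain} is outside {ORG_DOMAIN}")
    # Replies silently redirected elsewhere are another sign the sender is not who they claim.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    # Flag executable or macro-enabled attachments, including double extensions (report.pdf.exe).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = name.lower().split(".")[1:]
        if any("." + s in RISKY_EXTENSIONS for s in suffixes):
            findings.append(f"attachment '{name}' has a risky extension")
    return findings


def build_sample(from_header: str, reply_to: str, filename: str) -> str:
    """Construct a sample message (constructed test data, not a real email)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "bob@example.com"
    m["Subject"] = "Please review attachment"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please open the attached file.")
    m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    legit = build_sample("Alice Boss <alice.boss@example.com>", "", "report.pdf")
    lure = build_sample("Alice Boss <a.boss@mail-example.net>", "alice.boss@freemail.example", "report.pdf.exe")
    print("legit:", check_message(legit))   # []
    print("lure:", check_message(lure))     # four findings
```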