Dealing With Careless Users as a CIO

February 9, 2016

Most Chief Information Officers (CIOs) are well versed in the various facets of securing organization networks, encrypting sensitive data and protecting private customer information. Yet even if, as a CIO, you are on top of your game, there may be a glaring security flaw that you have overlooked or ignored: your organization’s end users.

Helping Your End-Users to Think Securely

You may have invested heavily in the latest cutting-edge security software and hired the best-trained IT talent, but you also have end users. Among them are professionals in sales, marketing and administrative roles.

These are the people who are generally least prepared to deal with social engineering and phishing, and a single careless click by one of them can lead to a breach. Security professionals consistently identify this as a major component of company security problems. Your end users must therefore be part of the whole security process.

Dealing with Potential Risk Areas

Your end users are your greatest company asset and, in terms of security, can also be your weakest link. Users typically know what actually takes place day to day: which organizational policies and processes are followed and which get ignored. For this reason, they make an excellent barometer that you, as a CIO, can use to gauge how effective your security measures really are. This is particularly true of processes that are not as secure as you would like them to be.

Your end users must also be educated. For instance, they need to understand that many types of malware only get onto a machine because something was installed or run, and that this usually involves a request for some additional interaction from the user.

A typical example: the user clicks on a link and is then asked to install some additional software, such as a plug-in, a “viewer” or an update. That prompt may well be malware, and when users encounter it they should decline and report the incident to the IT department, or follow the company’s well-defined process for such events.

The Role of Education

Educating your end users and empowering them to take responsibility for upholding security best practices is probably one of the most effective ways of strengthening your overall security strategy.

Your focus should be teaching end users about the threats they encounter every day and how to deal with them, using a hands-on learning approach. The objective is for end users to learn what phishing emails look like and how to check the legitimacy of a message or request, since the social engineering tactics in use today come in many forms. Concrete checks they can apply include: does the sender’s address belong to the organization the display name claims, does a link’s visible text match where it actually goes, does the Reply-To address match the sender, and is the message pressuring them to act immediately?
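As an added illustration (not part of the original article), the following Python script applies those same checks mechanically to a raw email: a brand in the display name that the sender’s domain does not belong to, a Reply-To pointing somewhere other than the sender, link text that differs from the real link target, a link to a bare IP address, and pressure language in the subject. The trusted-domain list and both sample messages are constructed for the demo and do not describe any real organization or campaign.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the demo: domains the organization treats as legitimate senders.
TRUSTED_DOMAINS = {"example-bank.com"}

URGENCY = re.compile(r"\b(urgent|suspended|locked|verify now|immediately)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample messages (not real mail). The first imitates a lure: a
# bank-like display name, a look-alike sender domain, a free-mail Reply-To and
# a link whose visible text does not match its real target.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: collect@mailbox-free.example
To: user@corp.example
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Your account is locked. Verify now:
<a href="http://198.51.100.7/verify">https://www.example-bank.com/login</a></p>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <noreply@example-bank.com>
To: user@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a></p>
"""


def registrable(host):
    """Crude 'last two labels' domain reduction; enough for the demo."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _squash(text):
    """Lowercase and drop punctuation so 'Example Bank' matches 'example-bank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def analyze(raw_message):
    """Return a list of (indicator, detail) tuples for a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.rpartition("@")[2])

    # Brand in the display name, but the sender domain is not one we trust.
    brands = {_squash(d.split(".")[0]) for d in TRUSTED_DOMAINS}
    if from_dom not in TRUSTED_DOMAINS and any(b in _squash(name) for b in brands):
        findings.append(("brand-impersonation", f"'{name}' sent from {from_dom}"))

    # Replies go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rpartition("@")[2]) != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply} vs From {addr}"))

    # Pressure language in the subject.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append(("urgency", msg.get("Subject", "")))

    # Visible link text vs. the real href target.
    body = msg.get_payload(decode=True) or b""
    body = body.decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in ANCHOR.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(("link-target-mismatch", f"shows {text_host}, goes to {href_host}"))
        if IPV4.fullmatch(href_host):
            findings.append(("ip-address-link", href))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

None of these indicators is proof on its own; the point of the exercise is that each one is something a non-technical user can be taught to look for, and that the same checks can be automated at the mail gateway to back the training up.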

As part of your strategy, make sure you actively involve your end users in the security strategy of the organization. They should not simply follow commands and directives from leadership without understanding the rationale behind those best practices.

Make Security Communication Two Way

Experts suggest that for security education to be effective, it has to be a two-way street. Regular, clear communication is a must, and information needs to be shared, particularly about the targeted attacks that are common at the moment. Such security communications need not be a big production. Making these conversations a daily element of your business helps end users appreciate that organizational security needs the concern and input of everyone.

Solid Strategy Must Back up Education

A solid strategy must be put in place to back the training and education. It must also include a process for dealing with threats as soon as they are identified and with attacks whenever they take place: whom to call, what to preserve and what to disconnect.

Possible approaches include newsletters or regular email bulletins, instructor-led training and formal computer-based training. Security experts recommend making the advice personal and extending it so that it applies at home as well. That way, security consciousness becomes part of daily life.

Examples can be drawn from published media reports of successful phishing attacks, including samples of the malicious documents used. These will help end users recognize potential attacks when they see them.

Systems and Server Monitoring

All the education you impart to your end users is not a foolproof solution. There will be times when employees click on something they should not have, install malware, or inadvertently open a malicious attachment. Some of those incidents will go unreported, posing a continuing threat to your security.

This is why it is important to monitor your systems continuously. There are good tools for monitoring the organization’s endpoints and servers. Such a tool will raise a red flag any time it detects a new installation by an end user, for example by comparing each machine’s installed-software inventory against a baseline or by watching for installer events. Alternatively, some can be configured for application allowlisting, so that any installation must first be approved by the IT department. Monitoring only helps if someone actually reviews the alerts, so assign that responsibility explicitly.
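As an added example (not from the original article or any particular product), here is the inventory-diff approach in Python: compare the software installed on each host against a baseline snapshot and flag anything new that is not in an IT-approved catalog. The host names, package names, versions and the approved list are all constructed for the demo; in practice the snapshots would come from an agent or a scheduled script.

```python
"""Detect new software installations by diffing inventory snapshots."""

# Assumption for the demo: the catalog IT has approved for self-service install.
APPROVED = {"firefox", "7zip", "libreoffice", "vpn-client"}

# Constructed snapshots (not real telemetry), host -> {package: version}.
# In practice each snapshot would be collected on a schedule by an agent or
# a script (for example from `dpkg -l` or `Get-Package` output).
BASELINE = {
    "ws-sales-07": {"firefox": "44.0", "7zip": "15.14"},
    "ws-mkt-02": {"firefox": "44.0", "libreoffice": "5.0.5"},
}
CURRENT = {
    "ws-sales-07": {"firefox": "44.0.2", "7zip": "15.14", "pdf-toolbar-bundle": "1.0"},
    "ws-mkt-02": {"firefox": "44.0", "libreoffice": "5.0.5", "vpn-client": "3.2"},
    "ws-admin-01": {"firefox": "44.0", "remote-helper": "0.9"},  # host missing from baseline
}


def diff_inventory(baseline, current, approved):
    """Return (host, package, version, event) tuples for every change.

    A host absent from the baseline is treated as all-new, so every package on
    it is reported rather than silently accepted.
    """
    events = []
    for host in sorted(set(baseline) | set(current)):
        before = baseline.get(host, {})
        after = current.get(host, {})
        for pkg in sorted(set(before) | set(after)):
            old, new = before.get(pkg), after.get(pkg)
            if old is None:
                kind = "approved-install" if pkg in approved else "unapproved-install"
                events.append((host, pkg, new, kind))
            elif new is None:
                events.append((host, pkg, old, "removed"))
            elif old != new:
                events.append((host, pkg, new, "version-change"))
    return events


def needs_review(events):
    """The subset IT should act on: installs not in the approved catalog."""
    return [e for e in events if e[3] == "unapproved-install"]


if __name__ == "__main__":
    for event in diff_inventory(BASELINE, CURRENT, APPROVED):
        print("%-12s %-20s %-8s %s" % event)
```

Approved installs and version changes are still recorded so that the baseline can be rolled forward; only the unapproved ones need a human decision, which keeps the review queue short enough that someone will actually work it.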

Finally, as a CIO, always remember that even the best processes and education need the backing of sound technology. Your end users may be the first line of defense, but technology is the last line. Anti-spam, antivirus and adaptive data loss prevention solutions must be employed across all company communication channels.