Posted 4 January 2019
Viruses, ransomware, mobile malware, phishing… Cyber-attacks are permanent, and organizations are under constant threat from attackers. To face them, IT departments need appropriate resources, expertise and tools, but that alone is not enough. Employees are the weak link in every organization, since the vast majority of cyber threats target them. Whether CEO, sales executive, receptionist or legal assistant, and with few exceptions, none of them has any desire to cause harm. Rather, employees lack knowledge about the stakes and consequences of IT security for business assets.
To mitigate this, there is only one solution: raising employee awareness. Examples, guidance and best practices will help turn your employees into a line of defense against digital risks.
Digital threats are many and take different forms. There is little in common between the interception of telephone communications, viruses embedded in Excel spreadsheet macros, and application threats linked to a security breach. To face them, organizations should first assess the situation.
A Ponemon Institute study funded by IBM looked at cyber threats on a country-by-country basis. In France, digital risks are distributed as follows:
Clicking on inappropriate links, failing to update software, scribbling passwords on a post-it note, shadow IT… The causes that can endanger an organization’s information systems are numerous, and users are always involved in the chain of actions preceding an attack. Be it negligence, lack of interest or lack of time, failing to involve users can have significant consequences, especially since threats are not slowing down.
For an IT department, all threats need to be monitored. But to raise employee awareness, it is useless to be exhaustive. Brevity, clarity and demonstration by example will always have more impact.
Understanding threats is essential, but conveying the right message to a non-technical audience, people who use computer tools without knowing what happens behind the scenes, is an equally important challenge. This role is more educational and involves the organization’s management and other departments, such as IT, internal communications and HR.
The first thing to do is to create a clear set of rules. Searching for a balance between comprehensiveness and efficiency is essential because the more dense and complex the information, the greater the chance these rules will be misunderstood or misapplied. Your internal policy should clarify your position on various topics: social media, use of personal devices, Wi-Fi network, mobile applications, GDPR, etc.
A digital security policy must be able to evolve. Threats change regularly and require constant updates. Furthermore, this policy should be part of the employee onboarding process and of the integration of new tools.
Finally, depending on your organization’s culture, it may be helpful to clarify the legal part. This involves securing liability and confidentiality clauses in employment contracts, as well as confidentiality commitments from suppliers, customers, third-party partners, etc.
Training is essential to raise employee awareness. This mission may require the involvement of an instructional designer to create custom learning experiences tailored to your employees’ roles and business areas. Training should be regular, non-technical in most cases, and illustrated with a variety of real-life examples.
At the organizational level, blended learning, mixing online and in-person courses, is an option that works well. A learning platform may integrate quizzes and assessments of prior knowledge, as well as on-demand video sessions that each team can view at the times best suited to its constraints.
Good practice guides and MOOCs published by ANSSI (National Cybersecurity Agency of France) are useful resources in this context.
The IT department cannot do everything alone. The organization’s management should be associated with employee awareness initiatives: this means not only releasing appropriate budgets, but also getting personally involved. Both the message and the strategy should come from top management, which should then join operational management and all teams to host, present and take part in training courses (online or in person).
You run regular fire drills. Why not do the same for your digital security? These exercises assess the real-life behavior of your employees and are part of a continuous improvement process.
For example, the Ministry of Economy and Finance in France sent a phishing email to each of its 145,000 agents to measure the impact of protection and awareness measures. The result: 20% of agents were fooled.
Another exercise is the “President’s scam” (CEO fraud), in which you try to trick employees into making an online purchase or a bank transfer. This scam affects all organizations, including SMBs.
Finally, a last example, which also requires the participation of your IT department: deliberately leave a USB key on your premises (car park, corridors, meeting rooms, etc.) containing a file named “pay scale.xls”. With a tracking system, you will know who opened the file and can redirect them to an internal security warning.
The more familiar your employees are with secure devices and tools, the more aware they will be of the risks. This is particularly true for smartphones, which are by definition permanently mobile. Securing professional smartphones should therefore rely on security and encryption solutions that encrypt incoming and outgoing communications (voice, email, SMS and web traffic), protect local data (contacts, files, photos) in case of device loss or theft, and make strong authentication the standard way to unlock the device.
Digital risks now add to all the other risks companies already manage. Even if your organization is not 100% dependent on an online business, a cyber-attack can have serious consequences for payroll, procurement, supply chain, logistics, purchasing, etc. Today’s threats are different from those of yesterday, and those to come will be different as well. We must therefore face these challenges with prudence and professionalism. To achieve this, employee awareness is an absolute requirement.