Employees may be the main focus of the HR department, but when it comes to cyber security, they appear to be the key liability, as 80 to 90 percent of all IT security issues of any company are generated by people. Not because they mean it, but because they do not master the basic notions of cyber security, says Bogdan Pismicenco, Territory Sales Manager Romania, Bulgaria and Moldova at Kaspersky Lab, at the fourth edition of Working Romania, organized by Business Review.
“There is a difference between ensuring cyber security when all employees are in the same office, in an easy to control environment, and when they are working from their own homes, where they are more relaxed and start using personal devices for business communication and vice versa. This only adds an element of risk. Incidents may vary, some may directly affect production or the IT system, but there is also a reputational risk, which affects customers’ trust in the company, and this goes for banks in particular”, says Pismicenco.
An attack made through a remote device can cause many problems for a bank, and such incidents are quickly picked up by the press. There might be an attack against the card-payment system or individual customer accounts can be defrauded.
“We recommend that all cyber security programs and solutions that are implemented should be supported by security awareness training programs. To make sure that all colleagues are using the company’s programs, devices and resources correctly, including the email or any other communication tools or platforms. For example, it is not a good idea to send company documents using non-standard corporate communication channels, such as social media messengers”, says Pismicenco.
The question is how do we make security awareness trainings attractive to employees who are not part of the IT department? How can we explain to them the importance of a secure password or the GDPR concepts? “Lessons should be short, 5-10 minutes, they need to be as visually powerful as possible, and they should be followed by tests. Finally, the students should be rewarded with some small prizes. Programs must be mandatory, but not imposed on the employees, so that everyone should want to follow them. Including those in management, who are usually the most likely targets”, explains Bogdan Pismicenco.
In the past, many companies have started such programs, but not many of them were successful. For many, the programs meant that employees would receive a 30-page PDF or PowerPoint presentation and the topic would thus be ticked off from the list of training sessions. “Moreover, most of the programs were in English, whereas Romanian was and still is the preferred language for such complex topics. Romanian is needed because such classes need to be taken by all employees in a company, no matter what level they are at in the company, if they have access to the IT infrastructure”, says Pismicenco.
“I had a very good interaction with Continental last year. They organize an Open Day for each department so that the others understand what that department is doing. We organized, together with their IT department, a course developed as a board game, and those who brought the highest profit to the company received a prize.”
Large corporate organizations have such education programs in place, especially multinationals that usually bring this type of learning culture from their headquarters. “The question is what can we do with the hundreds of thousands of SMEs that do not even have an HR department or have a single person who takes care of everything in the company. Those people need to go through an awareness program too. My recommendation would be to look for turnkey solutions that can automatically run security and education programs.
“Last but not least, security campaigns should not be conducted only once a year. There is a learning curve and it takes about four rounds of training for 50% of what we have learned to stay with us”, says Pismicenco.
As he concluded his talk at Working Romania, Bogdan Pismicenco said that the number of incidents or problems will decrease if such education programs take place.