While the global pandemic caused much IT industry talk of the need for digital transformation – with 80% of organisations accelerating their digital transformation strategies – it also brought with it an increase in the level of IT security threats. Not only was there significant growth in the volume of cybersecurity attacks, but homeworkers were also more vulnerable – lacking the protection of corporate security measures and more reliant on the security capabilities of technology/service providers (such as for video-conferencing services).
There’s no doubt that IT security should be a top-three priority for all CIOs (and CEOs) but, while much is invested in technology to protect the corporate infrastructure and to identify and respond to security incidents, the weakest link is often an organisation’s employees in terms of both exposing the organisation and contributing to remediation delays (and the associated business costs).
To help, this blog explains some of the common IT security management issues and how better employee communications will help your organisation to both better protect against and remediate IT security risks and issues.
Employees are commonly cited as the weakest link in an organisation’s cybersecurity defences
“Social engineering” has long been the number one way for “bad actors” to gain unauthorised access to companies and their resources, despite all the technology-based precautions they might have in place.
Employee security awareness training is key to minimising the risks of staff falling prey to social-engineering-based attacks, and so is effective education-based communication. This matters in three ways: first, in providing timely reminders of the potential threats and the need for vigilance; second, in alerting employees to the specific attack “fashions” they need to watch for; and third, in reminding people of when and how to inform security personnel of failed attempts or known security breaches.
But how are employees best communicated with such that they’re adequately aware of the security threats they and the organisation face? For most organisations, the communication channel is still email. But how effective are important security emails when they swim inside a sea of other emails that are all vying for an employee’s attention? After all, a message isn’t truly communicated until it has been received, understood, and ideally acted upon where necessary.
Effective communication is also key to security-incident response – think of this as the “cure” versus the above’s “prevention”.
Responding effectively to security incidents
Security breaches have never been easy to handle and now, in Europe, the speed of response is even more important thanks to the 2018 introduction of the General Data Protection Regulation (GDPR) and its 99 Articles. In particular, the two articles related to personal-data breach management and reporting:
- Notification of a personal data breach to the supervisory authority (Article 33)
- Communication of a personal data breach to the data subject (Article 34)
The first of these articles is subject to a strict deadline – whereby internal analysis and notification must be completed within 72 hours of breach identification, with significant penalties arising with non-compliance.
However, whether affected by GDPR or not, all security incident resolution efforts need effective communication to minimise both the business and third-party impact and to remediate the breach and regain secure status as quickly as possible. Remediation can be complicated though because, as with IT major incident management best practices, there’s a need for different people, in different teams, and in different locations to work together to restore business-as-usual operations as quickly as possible (plus, to ensure that lessons are learned to prevent a repeat situation).
As with employee security education, there are again issues related to email being used as the primary method of communication – with the potential for communications and action requests to go unaddressed when such important emails are hidden amongst the recipient’s sea of unread emails. Plus, there might be other systems and communication channels used to share information and to elicit actions as part of the security breach response. Formal processes will help here, but they still leave the organisation open to the people involved missing important communications, or making decisions and taking actions based on out-of-date information or requests.
Joining the dots – your IT security management needs actionable messaging capabilities
While the above two security management issues might seem quite separate at first – with one being about education (“prevention”) and the other about response (“the cure”) – they are linked by the importance of effective communications to success. For most organisations, these important communications are still entrusted to email and can thus be adversely impacted by the issues described above.
In both scenarios, improving IT security requires more effective communication. Importantly, through removing the issues related to email and other communication channels by leveraging an actionable messaging system that consolidates the security communications (plus other business communications) from across an employee’s digital landscape into a single place.
Here, the various communications sent to an employee are both prioritised (in terms of importance) and shown as actionable alerts that can be pushed to the employee as notifications across a variety of channels, with the necessary responses easy to undertake and automatically fed back into the source applications. The result is more efficient employees who can respond to incoming communications more quickly and in a more informed way, which, in infosec terms, means better security management operations and outcomes.