I had the opportunity today to sit on a cybersecurity panel discussion at the 2015 Great Plains Contingency Planners Seminar and Vendor Expo. Lots of great questions from the audience, especially related to social engineering threats. I would recommend everyone take a look at their cyber awareness program. A few key thoughts:
- Has your organization determined what it considers critical information that must not be shared with non-employees? This could be intellectual property, the vendors you use, the days you apply patches to your IT systems, or the web address of your remote VPN access. Once this information is identified, your workforce needs to be told not to share it directly with outsiders or post it on social media.
- Do you conduct training to teach employees how to recognize and respond to phishing emails? This could be conducted by your internal IT team or by vendors specializing in providing this service. A variety of tactics, frequency of events (monthly or quarterly), and feedback are crucial to success.
- Establish a process for employees to report questionable activities. Such reports may alert your security staff to the initial attempts to break into your network.