I have been spending a lot of time lately with Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) at speaking engagements and conferences, as October, National Cybersecurity Month, is always busy. The topic that keeps coming up in these conversations is phishing and how most ransomware attacks begin with an employee clicking a malicious link or opening a malicious attachment. Although we continue to discuss how important employee engagement and education are in avoiding these campaigns, another cyber-hygiene tool for your company is a robust spam filter.
A spam filter is crucial for blocking malicious emails before they ever reach your users. Although not perfect, it reduces the number of malicious emails that find their way into your users' inboxes, and with it the chance that one is clicked by an employee who cannot recognize it as malicious, or who is simply working a bit too fast.
There is a constant tension between putting strong data security measures in place and letting your users get their jobs done quickly and efficiently. I have heard from many CISOs that their company will not turn the spam filter up to its strongest level, which would keep out as many malicious emails as possible, because users then have to go into their spam filter to release some of the messages, and users get up in arms about having to take that extra step.
We have to get to the point where users are as invested in cybersecurity hygiene as we are. We have to change the discussion so that users feel engaged in helping to secure the company’s data and WANT to take the extra step to protect the data and the company as vigilant data stewards and militia.
Employees really don't want to be the one who clicks on the link that sends the company into a devastating tailspin. We just haven't done enough to explain the risks and consequences of their digital actions, and why they are one of the most important pieces of the data protection program. Once we adequately explain their role in data protection, as data stewards and the data militia for the company, they will complain less about the extra steps that have been put in place to protect it. They will want to help. They will want to do the right thing. It is really no different from requiring employees to swipe a badge to get onto the elevator or into the office every day. We all know why it is important, and we are willing to do it to protect ourselves and our company. It becomes a natural thing. The same should be true for protecting data.
Change the conversation with your employees and users so that they are engaged in data protection, and it becomes a natural and easy thing to do.