
It’s Everyone’s Job to Ensure Online Safety at Work – National Cyber Security Awareness Month – Week 3: October 15-19

When you are on the job – whether it’s at a corporate office, local restaurant, healthcare provider, academic institution or government agency – your organization’s online safety and security are a responsibility we all share. And, as the lines between our work and daily lives become increasingly blurred, it is more important than ever to be certain that smart cybersecurity carries over between the two. Week 3 will focus on cybersecurity workforce education, training and awareness while emphasizing risk management, resistance and resilience.

Introduction

Effective security begins with awareness by each and every person inside an organization regarding what they can do to ensure online safety at work. From the newest hire or intern to the chief executive, every employee has the ability to harm or weaken the security posture of the organization. Software and hardware solutions are a great start but can only go so far. Common threats including social engineering, phishing attacks, and abuse of privileges circumvent traditional methods of detection and prevention provided by these solutions.

It’s everyone’s job to ensure online safety at work, accomplished by building a corporate culture that emphasizes cybersecurity, strengthening behavior toward a better security posture. Components of a cybersecurity culture involve the right mindset, leadership actions, training and awareness, and policy reinforcement. This week CSIAC will dig into these common threats to learn how to prevent attacks from occurring and teach organizations how to build a security-focused corporate culture in which everyone is responsible for their actions.

Your Role in Ensuring Online Safety

Bring Your Own Device (BYOD)

The lines between our work and daily lives are becoming increasingly blurred. An example of these blurred lines is the use of personal mobile phones in corporate environments. Most employees will read work emails, write and share important documents and have their corporate office network settings saved on their devices. All of this can be very convenient to the employee, but with convenience comes more possibilities of vulnerabilities and threats.

General users should understand why organizations may put controls in place to better secure their personal devices. It is common for organizations to create policies of what is and is not allowed on devices. Lists of allowed applications, websites, and social media usage are given to users to sign off on, agreeing that they will follow company policy. Furthermore, IT departments frequently limit the use of devices by requiring approval, installation of remote-wiping software and antivirus, or both before they can connect to the internal network. Controls such as allowed-application lists and device approval are not put in place to inconvenience users or spy on devices, but rather to prevent unauthorized devices from connecting to the office network. Having the ability to remotely wipe all data on a device if it is lost or stolen can prevent important documents or information from being placed in the wrong hands.

In addition to reading through, understanding, and agreeing to policy, users can take additional steps to ensure safety. As a user you can help ensure the safety of your organization by keeping your device up to date and running some form of antivirus on it. Yet the most important thing you can do as a user is this: if you have any question about whether or not to connect a device to the corporate network, ask a member of the security/IT team at your organization. IT staff will let you know whether you can connect the device to the corporate network and whether any other steps must be taken once the device has been connected.


Cyber Hygiene

Social Media

Corporations have multiple reasons to be wary of employees’ personal use of social media at work. Not only is it a time waster, but it is also a security risk. Employees must consider what they post, especially if it contains sensitive data. Attackers may use the data posted online against individuals and the organization they work for. For example, they may use social media to learn where an employee works and who they work with in order to map out an organizational hierarchy. In addition to learning about the corporate structure of organizations, attackers will use what individuals post on social media to guess employees’ passwords. Details such as employees’ interests, family, birthdates, and pet names can all be gathered from posts and used to break into accounts. To limit the ability of malicious outsiders to gain information about the company and the employee, users should review their social network connections and consider who is being added to their social circle.

Passwords

Perhaps the area that general users have the most control over is the passwords they use to log into their accounts. Users are responsible for choosing adequate passwords and keeping them safe. Most organizations will have policies in place that require a certain number of characters, numbers, and special characters during password creation. These attributes can help guide users into making more secure passwords. Additional actions such as enforcing password history, setting expiration dates, and enabling two-factor authentication (2FA) can add to the security posture of an organization. Lastly, as obvious as it may seem, DON’T SHARE PASSWORDS.


Email

With how common phishing attacks have become, it is important that users fully understand the security risks associated with email. A basic security precaution users should always take is to check who the sender of the email is. A common tactic used by attackers is to send the email as if it came from a member of the IT department or management. Attackers rely on users trusting individuals who are hierarchically above them, or who have more IT knowledge than them, and following any instructions provided without question. In smaller organizations, users should talk to the IT staff or management in person, while those in larger corporations can send a new email directly to the staff member (do not click reply on the message in question) to verify the authenticity of such requests. Common malicious emails usually ask that changes be made to computers or that external links be followed.
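The sender check described above can be partly automated on the mail gateway or in a mailbox rule. The following is an added example, not code from the CSIAC article: it parses a From: header and flags the impersonation patterns the article warns about (a colleague’s or the helpdesk’s name on an outside address, an internal address shown only in the display name, and a look-alike domain). The internal domain, staff names and sample headers are constructed assumptions.

```python
"""Flag display-name impersonation in email From: headers (constructed sample data)."""
from email.utils import parseaddr

# Constructed organisation data (assumption; a real deployment would read
# these from the directory service rather than hard-coding them).
INTERNAL_DOMAINS = {"example.com"}
STAFF_NAMES = {"alice morgan", "bob chen", "it helpdesk"}


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(from_header: str) -> list[str]:
    """Return warnings for a From: header; an empty list means nothing looked off."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return ["sender address could not be parsed"]
    display = " ".join(name.split()).lower()
    warnings: list[str] = []
    if domain in INTERNAL_DOMAINS:
        return warnings  # genuinely internal address: nothing to flag here
    # 1. A colleague's or team's name shown on an external address.
    if display in STAFF_NAMES:
        warnings.append(
            f"display name '{name}' is a staff name but address is external ({domain})"
        )
    # 2. Display name carries an internal address while the real address differs,
    #    e.g. "alice.morgan@example.com" <x@attacker.invalid>.
    if sender_domain(display) in INTERNAL_DOMAINS:
        warnings.append(f"display name shows an internal address but real address is {addr}")
    # 3. External domain that merely contains the organisation's name (look-alike).
    for internal in INTERNAL_DOMAINS:
        label = internal.split(".")[0]
        if label in domain:
            warnings.append(f"look-alike domain {domain} resembles {internal}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, two impersonation attempts.
    samples = [
        '"Alice Morgan" <alice.morgan@example.com>',
        '"IT Helpdesk" <support@mail-example.net>',
        '"alice.morgan@example.com" <ceo.office@attacker.invalid>',
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

Such a check only supports the human verification step; a flagged message is a reason to contact the apparent sender through a separate channel, never a substitute for doing so.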


Workers commonly do not understand that the messages they send through email are in cleartext. This means that if an attacker is monitoring the network, they can easily read the content of emails. Sending a message through email is like speaking to someone at the office water cooler: if someone is listening, they may hear you. In addition to coworkers, there may also be malicious outsiders hiding in the rafters or around the corner that you cannot see. The danger of malicious individuals listening for unencrypted network traffic is heightened if employees are connecting to public Wi-Fi, either knowingly or unknowingly. However, users can take steps to help keep messages “secret”. Popular email clients allow users to encrypt messages, ensuring that the sender’s and receiver’s conversation is better protected against eavesdropping. As a rule of thumb, users should never send sensitive data in an email, but if they have to, they should ensure that the message is encrypted.

Increasing Employees’ Training and Awareness

Training and awareness is key to improving the cybersecurity posture of an organization. Effective cybersecurity training and awareness revolves around clearly communicating to users what they need to look out for. Employees need to know the appropriate responses to questionable activity when it is spotted.

However, just as important is not losing the interest of those being trained. When providing training to employees, organizations should first assess employees’ current level of cybersecurity knowledge. It is essential to train users at their level. If training is too basic and already understood, employees may become bored, not take it seriously, and feel it is not worth their time. If the material is above the employee’s skill level, they will become frustrated and not comprehend the training resources. By tailoring training to employees’ current level of knowledge and ability, users will stay engaged with the material presented to them.

Cybersecurity training for users must not be a one-time thing in an organization. Training must be frequent so that the material and ideas presented to users are reinforced and tested on a consistent basis. As mentioned earlier, it is essential that users know what to do when they are placed in situations in which their data and company data are at risk. To train users, they can be placed in situations that mirror real life (in which role-playing is required) or situations in which the outcome is controlled. However, it is important that employees do not know about the training sessions in advance. For example, trainers can hold phishing tests in which users are sent phishing emails to see if they open risky links, or conduct USB drops to determine whether (and which) users will plug those drives into their computers. Individuals who take the wrong actions during these tests can go through additional training focusing on what they did wrong (without singling out employees). Conducting continual training will keep the lessons learned fresh in employees’ minds.

Lastly, when trying to improve security awareness and training, organizations should realize that there is a variety of different forms of training, each of which has its own strengths and weaknesses. For example, training can come in the form of emails, memos, posters, presentations, CBT (computer-based training), and reading. Emails and memos can be digested quickly, and posters can be seen on a continuous basis; computer-based training may be more in depth, but it may also take the longest to complete. To be effective, training should be presented to employees in multiple forms, both to reinforce the lessons and to give users options for how they would like to receive their training.

Unfortunately, training is also usually the first to go in times of financial trouble or time crunches. If there is one takeaway organizations should learn from this article, it is that training and awareness must be stressed regardless of time or budget constraints, as the results of having untrained users can be disastrous. It will cost an organization much more to respond to and recover from a cyber incident than it costs to train employees and stay on top of the latest cybersecurity trends.

Promoting a Culture of Cybersecurity

An organization must build a culture centered on cybersecurity in order to emphasize, reinforce, and drive secure user behavior. Components of a cybersecurity culture involve the right mindset, leadership actions, training and awareness, and technical and policy reinforcement. Having the right mindset will increase readiness to quickly and accurately respond to cyber risks. During the process of creating and embracing this culture, leadership must set the example for others to follow.

Often overlooked is management’s role in the security posture of an organization. Management’s primary responsibility is to emphasize the importance and value of cybersecurity to the organization. They are the individuals in a position to convey why cybersecurity (in addition to other corporate goals) needs attention. One successful attack could damage a company’s reputation and potentially put it out of business. Employees are used to hearing about cyber policy and procedure from IT staff and cybersecurity professionals; however, when a manager discusses it, employees are more likely to take cybersecurity seriously. Management should discuss cybersecurity with employees so that they know what management’s intentions are and what is expected of them. If users sense that management has not embraced cybersecurity education, awareness, and best practices, it is very likely that training and awareness programs will fail.

In addition to emphasizing value, managers can provide insight to IT staff that might otherwise be overlooked. Their position and experience in the company put them in an ideal position to know what is most valuable to it. In promoting a culture of cybersecurity, managers should ask members of the tech team why decisions have been made and how and why the security controls have been put in place. By identifying what is in place, managers can help security staff understand where controls fall short. Continued input gets everyone involved in discussing cybersecurity, ensures its importance is not forgotten, and makes cybersecurity a team effort.

And as always, IF YOU SEE SOMETHING, SAY SOMETHING!

Related Content:

    • National Cyber Security Awareness Month Overview Page
    • Week 1 – Make Your Home a Haven for Online Safety
    • Week 2 – Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
    • Week 3 – It’s Everyone’s Job to Ensure Online Safety at Work
    • Week 4 – Safeguarding the Nation’s Critical Infrastructure
