supplied
It’s not surprising that cybersecurity is top of mind in C-suites nationwide. In 2017—the most recent year for which data is available—more than one-fifth of Canadian businesses were hit with a cyber-attack, according to a survey by Statistics Canada. Most resulted in lost productivity, and some hit companies’ revenue, too.
What’s more, a 2018 survey by Ernst & Young found that “careless or unaware employees” were by far the greatest cybersecurity vulnerability Canadian employers face. Clearly, unless employees understand and care about threats—and know how to respond—companies will remain vulnerable.
“Security and privacy are among the most important issues that organizations have to grapple with,” says John Hewie, National Security Officer for Microsoft Canada. “It is a regular conversation employers should be having with employees.”
In other words, cybersecurity should be more than a single page in the new-employee handbook, or the subject of a once-a-year company meeting. Employers need to make cybersecurity responsibilities an everyday part of employees’ jobs, and continually engage their workforce through regular training and certification.
This doesn’t mean that every employee needs to become a cybersecurity expert, of course.
“It can even be as simple as making it a personal challenge, or incenting employees in creative ways to follow organizational security recommendations,” Hewie says. “Internal training and awareness programs are good but these need to be an always-on activity with reinforcement from leadership to build up a culture of security across the organization.”
This kind of continuous training is vital, since cyber-threats don’t stand still. Most employees have long been familiar with phishing emails, for example, but this cyber-crime standby has become more sophisticated than ever. Last year, Microsoft observed a 250 per cent increase in inbound phishing messages internally. That’s because even as technology gets better at detecting and blocking those messages, phishing attacks are being automated and using subtler techniques to get past email filters and wary employees. Those include domain-name spoofing and “spear-phishing,” which make emails look as if they’re coming directly from trusted colleagues or acquaintances.
And as mobile and personal devices become more common in offices, it’s just as important for organizations to ensure employees are taking care with them. According to Statistics Canada, two-thirds of businesses in 2018 allowed employees to use personal devices for business activities. While most larger businesses (more than 250 employees) had some sort of security measure in place to manage and protect those devices, most small businesses (fewer than 50 employees) didn’t. That creates a doorway straight from personal devices into the business network for cybercriminals.
“It’s crucial for organizations to have solutions that manage and protect company data on mobile devices, especially if they allow employees to use their own personal device for work purposes,” Hewie says.
He recommends Microsoft Training Days for companies looking to help IT staff brush up on cyber-threats. These free training events are held nationwide on a regular basis for technical professionals. They focus on a variety of topics, including fundamentals around security and compliance.
And for most other employees, it comes down to continuous improvement. Ensure simple security measures, like password managers and two-factor authentification, are mandatory. Provide regular training, from lunch-and-learns to webinars. And incentivize employees to fully embrace cybersecurity with rewards, certifications and recognition for a job well done.
“An important strategy is to educate your employees,” Hewie says. “Arming them with knowledge and empowering them to live a secure digital lifestyle, both at work and home.”
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.