Employees: The Weakest Link - What's a Company to Do? (Page 2 of 2)
So what is a company—especially one with limited resources and time—supposed
to do about these internally driven threats?
Of course, technology is always part of the mix, and every company should
have the basics: firewalls, a VPN (virtual private network), anti-virus,
anti-spam, intrusion detection and prevention, and a thorough knowledge of
which devices are attached to your network at all times.
But here’s the rub: “You can have the best security technology securing your
network, but if someone gives up the keys to the castle, someone can bypass
that security technology,” Teixeira said.
For many companies, then, it comes down to employee education and
awareness—basically creating a “culture of security” within the business.
“Make it informal. Invite them to a company breakfast and talk about stupid
things people don’t think about, like why an application might seem innocuous
but isn’t. In many cases, it really does change behavior,” Lambert said.
In fact, this technique is particularly useful in smaller organizations
where there is more personal contact and where employees are likely to know
others attending or those speaking, she said.
You can also get more formal about your information sessions, holding
regular awareness forums to help employees understand the latest threats.
“If your company has a phishing attack or someone in the IT department sees
an uptick in a certain type of attack, let your employees know what it looks
like and what to do about it,” Teixeira said. “Don’t take for granted that most
employees have basic cyber-security knowledge. Assume they know very little.”
On-the-spot education also can be helpful. For example, a warning pop-up
window, usually part of a client-side information leak prevention package,
lets employees make a better decision at the moment they are about to act.
“If an employee is doing something they shouldn't in terms of data, a pop-up
will show up saying, ‘This information has been tagged as company confidential.
Do you really mean to be sending it out?’” Lambert said. “In most cases, that
will change their behavior immediately.”
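The warning described above rests on a simple rule: content carrying a confidentiality tag that is addressed outside the organisation triggers a prompt, while ordinary internal mail passes silently. The following is an added example of that decision logic, not code from the article or from any vendor product; the internal domain, the tag strings and the sample messages are all constructed for illustration.

```python
"""Added example: minimal client-side confidential-data warning check.
Not from the article or any product. Domain, tags and messages are assumed."""

from dataclasses import dataclass, field

# Assumed: the organisation's own mail domain(s). In a real deployment
# this would come from the leak-prevention package's policy configuration.
INTERNAL_DOMAINS = {"example.com"}

# Assumed: classification markers that document and e-mail templates carry.
CONFIDENTIAL_TAGS = ("company confidential", "internal only")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachment_names: list[str] = field(default_factory=list)


def external_recipients(msg: OutboundMessage) -> list[str]:
    """Recipients whose mail domain is not one of ours."""
    ext = []
    for addr in msg.recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            ext.append(addr)
    return ext


def tagged_content(msg: OutboundMessage) -> list[str]:
    """Classification tags found in subject, body or attachment names."""
    text = " ".join([msg.subject, msg.body, *msg.attachment_names]).lower()
    return [tag for tag in CONFIDENTIAL_TAGS if tag in text]


def evaluate(msg: OutboundMessage) -> tuple[bool, str]:
    """Return (should_warn, prompt_text).

    The prompt is shown only when tagged content is addressed outside the
    organisation; internal mail with the same tag is not interrupted."""
    ext = external_recipients(msg)
    tags = tagged_content(msg)
    if ext and tags:
        prompt = (f"This information has been tagged as {tags[0]}. "
                  f"Do you really mean to be sending it to {', '.join(ext)}?")
        return True, prompt
    return False, ""


# Constructed sample messages.
SAMPLES = {
    "external_tagged": OutboundMessage(
        sender="alice@example.com",
        recipients=["partner@outside.test"],
        subject="Q3 roadmap",
        body="Attached draft. COMPANY CONFIDENTIAL - do not forward.",
        attachment_names=["roadmap.pdf"],
    ),
    "internal_tagged": OutboundMessage(
        sender="alice@example.com",
        recipients=["bob@example.com"],
        subject="Q3 roadmap",
        body="Company Confidential draft for review.",
    ),
    "external_untagged": OutboundMessage(
        sender="alice@example.com",
        recipients=["partner@outside.test"],
        subject="Lunch",
        body="Still on for Thursday?",
    ),
}


def run_samples() -> dict[str, bool]:
    """Evaluate each constructed message; returns name -> should_warn."""
    return {name: evaluate(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        warn, prompt = evaluate(msg)
        print(f"{name}: {'WARN' if warn else 'ok'} {prompt}")
```

The check is deliberately narrow: it matches only explicit classification markers and only interrupts mail leaving the organisation, which is what keeps the prompt rare enough that employees still read it.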
Other tips specifically for small and midsize companies, explained in more
detail on the NCSA Web site (www.staysafeonline.org), include putting up
workplace posters; conducting security training for all employees; detailing
what employees should do in specific situations, such as receiving an e-mail
from someone they don’t know or safeguarding a password on a desktop
computer; conducting background checks on potential employees; and, when an
employee departs, quickly changing passwords, deactivating accounts, changing
key codes, and repossessing keys and access cards.