In an age of sophisticated and unprecedented hacking by cyber criminals, protecting your company’s IT system is becoming increasingly more challenging and difficult. While employers bear the primary responsibility for protecting against cyber-attacks, their employees also play a significant role in helping to keep their company’s system safe.
In a recent interview, Robert Cioffi, CEO of Yonkers-based Progressive Computing, addressed the issue of cybersecurity and offered some practical suggestions and solutions that companies can implement to make their IT systems less vulnerable to a cyber-attack.
Why is it important to educate your staff and not just your IT people on cybersecurity?
Cioffi: Employees are on the front line and cyber-criminals are relentlessly targeting the end-user or non-tech savvy person, not the IT experts at companies. Therefore, the end users (employees) are under constant attack and must be ever vigilant against potential cyber threats, which are constantly evolving. As with personal, physical, or home security, companies must take prudent steps to educate and protect themselves against potential threats.
How does a small company educate their staff and make sure they follow those guidelines?
Cioffi: A major failure among companies is that they believe education about cyber threats is a one-time event instead of an ongoing conversation. The education process doesn’t have to be overly complex, and could include such things as having a subject matter expert come in once a year, subscribing to newsletters, reading your IT provider newsletter, and attending local seminars. Employers can also provide periodic updates to employees using simple means such as emails or break-room flyers that inform on new threats and remind them to remain vigilant.
Robert Cioffi, CEO, Progressive Computing
How do you protect your company from a disgruntled employee who might commit cybersecurity?
Cioffi: An insider is far more dangerous than nearly any external hacker because an insider has access and typically much greater intent or purpose. You need to have solid security practices and protocols in place. Access to systems should be limited on a need to know basis. Smaller organizations tend to not have the know-how or resources to set security up properly in the first place. This makes them more vulnerable to attack.
Someone should also be monitoring employee activity and have a system of checks and balances in place. For example, the person who prints checks should not be the person who signs them. Also, companies must have proper off-boarding/termination procedures in place. For all these reasons, it’s important to engage with a reputable IT service provider who can put certain monitoring, controls, and best practices in place.
How can an IT services provider help educate a company’s staff on cybersecurity?
Cioffi: Not only is it the job of the IT service provider to install and maintain proper security systems, but it is also paramount that they help to continuously educate the staff on new and emerging security threats. As stated before, messaging about cyber threats needs to be digestible and continuous for the non-tech savvy and should be broadcast periodically. The danger is in over-communicating or making the messages too complex. Most people tend to ignore monotonous messages and techno-babble.
In a small to medium sized company, where does the buck stop? Is it ultimately the owner of that business that needs to make sure his company is protected or has procedures to reduce the threat?
Cioffi: The short answer is that the buck stops with the owner on everything. However, by having employees sign off on things like an acceptable computer usage policy and providing consistent educational messaging on security, the owner is protecting their assets and staff. This is no different than purchasing an insurance policy—no one likes to pay the premiums, but certainly comes to appreciate the protection when it is needed.
No company is 100 percent safe. What level of staff knowledge about cybersecurity can minimize any potential breach?
Cioffi: The misnomer here is that end-users need to be security experts. This unfortunately leaves people thinking they can’t protect themselves, or they shy away from the technical jargon. So they bury their heads in the sand. Most effective and prudent security measures include simple and obvious things like: don’t open emails that look strange, don’t answer security related questions via email, when in doubt ask questions, etc. Basic common sense will go a very long way.
The bottom line is education, education, education. Keeping employees apprised of new and existing cyber threats is not a static process, but rather an on-going, constantly evolving one. Only by insuring that their front line employees are informed can a company hope to reduce the odds of becoming a victim of a cyber-attack. Simply being aware and using common sense can go a long way in helping protect your company’s cyber security.
Robert Cioffi is CEO of Yonkers-based IT provider Progressive Computing.