IMPORTANCE OF SECURITY TRAINING
Training is the best defence
CYBERSECURITY 2022
While technology is critical in the fight against cybercrime, and processes are vital to maintaining the rules of engagement, it is your people that matter most – they require regular, ongoing training in security matters.
Avoiding security challenges within an organisation obviously requires utilising strong defensive technologies, but it equally requires employees to undergo training, training and more training, suggests Gabriel Le Roux, specialist account manager at ESET Southern Africa, an anti-malware and security solutions company.
“Online security is similar in principle to driving a car. When seatbelts were first made law, people had to adjust their behaviours to suit this new safety mechanism. In much the same way, people need to be convinced to change their behaviours to suit the demands of a digital world – despite this, however, many people in a business environment are given PCs to enable their work, but are not given any training around how to deal with security in an IT environment,” he explains.
“There are three angles to an effective security posture: first, there is physical security, such as gates and cameras, then there is the software level, which is where the heavy lifting happens, as companies seek to keep up with evolving security challenges. The final leg is the ‘people factor’, which may be the most crucial, as they are the easiest attack vector.”
Remember, he continues, that one well-thought-out email that dupes one individual in a business into clicking on a malicious link could provide access to your corporate data. A well-done email to a network administrator could conceivably lead to millions of rand in losses. With this in mind, it is imperative that all employees are able to recognise potentially malicious communications.
“Personally, I think such education should begin at school level – this is the digital era, after all – as this will not only protect children from a personal safety perspective, but will also inculcate a kind of security approach that will serve them well from a future business point of view,” states Le Roux. “If you think about it, we teach life orientation, and since IT is a key part of life today, so IT security should be taught. Similar to how we teach youngsters to look both ways before crossing the street, so they need to practise the same caution when it comes to this new ‘e-street’ we are all travelling on.”
While this is not yet a part of school curricula, it is clear that business owners should understand the importance of having employees with a clear understanding of security, and should make basic security training a part of the culture from the moment they are initiated into the organisation, he suggests.
Everybody must train
“You should be implementing programmes designed to ingrain security in your corporate culture, as it is ultimately something everybody needs to learn – from the lowliest employee to the most senior member of the board.”
There are a number of areas that should form part of the training, notes Le Roux, including the types of hacking (some 43% of attacks still come via phishing attacks), as well as the dangers of removable media, which may be infected with malware. Another key focus should be on passwords and authentication, which includes driving an understanding of why it is critical to regularly change your passwords, as well as instilling simple caution, such as not typing in passwords or viewing sensitive information if someone is standing behind you.
“If you are working remotely, then you need an understanding of mobile device security and cloud security, so you can understand how it affects a network. It is vital to have knowledge of what social engineering is and how it occurs and, of course, if you are working from home, you need to ensure your security there is adequate to protect your office network from intrusion.
“An organisation that covers all of the above will find itself in a good space, and achieving this doesn’t necessarily require the most expensive courses. No one needs a security degree to be good at this – it really is mostly simple and basic day-to-day logic.”