Business Reporter

Employees: the first line of cyber-security defence


Robert Grazioli at Ivanti explains how to empower your employees to become the first line of defence against hackers and information security threats

 

Happy Cyber-security Awareness Month to all those who celebrate this October. In our hyper-connected digital world, the line between personal and professional cyber-security has blurred. CISOs and security professionals face the monumental task of not only safeguarding organisational assets, but also empowering employees to become the first line of defence in securing the digital world.

 

The evolving threat landscape

The cyber-security landscape is evolving at a dizzying pace, with artificial intelligence (AI) emerging as both a powerful tool and a significant threat. Malicious actors can exploit the power of AI to advance their harmful objectives, including:

  • Deploying automation to rapidly identify vulnerabilities, scan networks and execute attacks
  • Employing AI-powered social engineering techniques to craft convincing and personalised phishing emails
  • Developing malware that evades detection by imitating typical network behaviour
  • Democratising hacking through AI-driven learning, making potent algorithms accessible even to relatively inexperienced and unskilled hackers
  • Compromising AI systems through hostile takeovers, effectively turning the AI against the organisation it was designed to serve

Further, Ivanti’s recent research paints a stark picture of the challenges organisations face:

  • 54% of office workers were unaware that advanced AI could impersonate anyone’s voice
  • 95% of IT and security professionals believe that security threats will be more dangerous due to AI
  • Alarmingly, nearly one in three security and IT professionals have no documented strategy to address generative AI risks 

Clearly, there’s an urgent need for comprehensive employee education and engagement in cyber-security efforts. The human factor remains a critical component in our defence against cyber-threats, and we must address this knowledge gap head-on.

 

Beyond traditional awareness training

While security awareness training has long been a cornerstone of cyber-security programmes, its effectiveness in combating AI-powered social engineering attacks is limited. Only 32% of professionals believe training is "very effective" against these advanced threats.

 

To truly empower employees, we must move beyond traditional approaches and adopt a multi-faceted strategy:

 

1. Implement robust technological defences

Deploy advanced threat detection systems capable of identifying AI-generated attacks. Utilise AI-powered security tools to augment human capabilities and provide real-time threat intelligence. However, technology alone is not enough – it must be coupled with human insight and action.

 

2. Foster a security-conscious culture

Encourage open communication about security concerns. Recognise and reward employees who report suspicious activities or potential vulnerabilities. Create an environment where cyber-security is seen as everyone’s responsibility, not just the IT department’s.

 

3. Provide hands-on, scenario-based training

Move beyond theoretical knowledge to practical skills. Conduct regular simulations of AI-powered attacks to help employees recognise and respond to sophisticated threats. Make training engaging, relevant and tailored to different roles within the organisation.

 

4. Leverage AI for employee education

AI is not the inherent enemy here. Use AI-powered platforms to deliver personalised, adaptive security training that evolves with the threat landscape. This approach ensures that employees receive up-to-date, relevant information that addresses the specific risks they face in their roles.

 

It’s not all down to your employees

Leaders, you’re part of this effort, too. CISOs and security leaders are crucial in driving this cultural shift towards a more secure digital world. Leaders must: 

  • Align security initiatives with business objectives to gain executive buy-in
  • Quantify the impact of security events on various business functions
  • Collaborate across departments to ensure a holistic approach to security
  • Lead by example, demonstrating strong cyber-security practices in their own work 

Regarding the last point, it’s worth noting that executives are often part of the problem. According to 2023 research, 96% of leaders say they support their organisation’s cyber-security mandates, yet 77% use overly simple (and, thus, vulnerable) passwords like birthdays and pet names. 

 

Leading by example goes a long way. So does demonstrating the business value of cyber-security and its impact on overall organisational resilience. The result: leaders can secure the engagement, resources and support needed to implement comprehensive security programmes.

 

Cyber-security at home matters, too

As the boundaries between work and personal life continue to blur, especially with the rise of remote and hybrid work models, it’s crucial to help employees understand how their personal cyber-security practices impact organisational security and vice versa. In fact, 81% of office workers admit they are using some type of personal device for work.

 

Encourage employees to apply the same level of cyber-security diligence in their personal lives as they do at work. This not only protects them individually but also reduces the risk of personal compromises affecting the organisation.

 

That extends to Bring-Your-Own-Device (BYOD) policies as well as tools and policies to prevent compromising company-owned devices.

 

Companies should empower employees with simple, actionable strategies to enhance their cyber-security posture at work and home. These include:

 

1. Recognise and report phishing

Teach employees to be cautious of unsolicited messages asking for personal information. Encourage them to avoid sharing sensitive information or credentials with unknown sources and promptly report phishing attempts.

 

2. Use strong passwords

This may seem obvious, but password hygiene is a systemic problem. Promote using long, random, unique passwords that include all four character types (uppercase, lowercase, numbers and symbols). Encourage the adoption of password managers to help create and store strong passwords for each account.

 

3. Turn on multi-factor authentication (MFA)

Stress the importance of enabling MFA on all online accounts, especially email, social media and financial accounts. Explain how MFA significantly reduces the risk of account compromise.

 

4. Keep software updated

Emphasise the importance of regular software updates to ensure the latest security patches are installed. Encourage employees to enable automatic updates where possible and regularly check for updates on all devices.

 

By incorporating these strategies into daily routines, employees can significantly enhance their cyber-security posture both at work and in their personal lives, contributing to our collective goal of securing our world.

 

Technology and training need an upgrade

As we navigate an increasingly complex threat landscape, the traditional approach of relying solely on technology or basic training is no longer sufficient. Leaders must foster a culture where every employee feels responsible for and capable of contributing to the overall security posture.

 

By blending advanced technological solutions with comprehensive employee educational initiatives, businesses can build a resilient defence against evolving cyber-threats. This Cyber-security Awareness Month, let’s commit to turning our workforce into our strongest security asset and take meaningful steps towards securing our world.

 

Remember, cyber-security is not just an IT issue – it’s a shared responsibility that impacts every aspect of our digital lives. Let’s secure our future, together.

 


 

Robert Grazioli is CIO at Ivanti

 

Main image courtesy of iStockPhoto.com and Jacob Wackerhausen


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543
