How internal PR is your best defence against cyber crime
The recent WannaCry ransomware attack has prompted a tidal wave of media coverage and controversy. Most experts seem to focus on the vulnerabilities caused by running old XP systems and not applying Windows security patches. These are important messages that everyone running Windows should take on board. But the hackers are not finished yet, and while there are some strong technology measures you can take, ultimately the most likely way malware gets in is a colleague opening a link or downloading an infected email attachment. Internal communications play an important role both in educating staff and in minimising deliberate sabotage by disaffected employees.
Beware the busy C-suite execs
One of the most likely risk factors is the busy executive who sees an email from what looks like a genuine sender, clicks on the link without checking and enables macros, letting the bad guys in. So when planning your internal cyber security communications, make sure you include the C-suite as well as all your other employees.
Senior people tend to have been around longer, and so their email address will have been shared with more people over time. They will be on multiple commercial databases and hence will get more emails from unknown contacts. I know of one CEO who requested a file and had just chased it up on the phone. An email from an address very similar to that of the contact he’d been chasing replied with an email with the subject line “the information you requested” and an attachment. In his haste to put the issue to bed he clicked on the link, and triggered a ransomware attack.
Get the malware message right from day one
Make cyber education part of the induction process. This is the sort of thing that gets covered in a footnote deep in the bowels of the staff manual that nobody ever reads. So spend some time highlighting the risks and make sure people understand their role in protecting the company’s digital assets. Extend this level of education to freelancers and contractors, who may be a special risk: they are the classic BYOD unwitting smugglers of malware, whether on memory sticks or on notebook PCs with out-of-date, unpatched operating systems and software. Regular reminders are key. We issue a weekly “wrap” email of success and updates for the business and within this we have now introduced a regular cyber security reminder, highlighting the latest threats and reminding people about common measures they can take to minimise risk.
Engagement is your best cyber defence
If ever there was a rationale for keeping staff on board and motivated, cyber security is a clear and present justification. Think about how you communicate with people, especially when it comes to delivering bad news. People will accept that they may not have performed so long as the information is delivered in a positive, supportive and respectful way. Once people start feeling disgruntled they are, at best, likely to be less careful in their online behaviour and, in extreme circumstances, could be tempted to throw a malware spanner in the works just to balance the respect books. Again, this applies to partners and contractors. If you have to disengage from a partner, keep it professional and sensitive.