Building a cybersecure workforce should be a top priority for HR. Watch Part 2 of our Cybersecurity 101 series to find out more:
Marcy Klipfel: Hello from Businessolver, and welcome to our second installment of our series on Cybersecurity Tips for HR professionals. I'm Marcy Klipfel and I lead the engagement team here at Businessolver. I have my friend Tom with me.
Tom Pohl: Hi. My name is Tom Pohl, and I'm the Vice President of IT Systems here at Businessolver.
Marcy: Alright, so today what are we talking about?
Tom: We're talking about building a cybersecure workforce.
Marcy: Oh yes. So what does that mean?
Tom: Well, a lot of times when people think of security, they think of things like firewalls and anti-virus software and DLP (data loss prevention) solutions and all sorts of technical things. But, really one of the biggest assets that we have here at Businessolver is our workforce. It's the people, and I can't stress this enough. It's training and testing our employees to make sure they recognize things like phishing attacks and social engineering attacks that come at them, so they’re prepared to do the right thing when an attacker might try to gain access to our system.
Marcy: So, from a systems standpoint, how do you ensure we have a cybersecure workforce?
Tom: From the time you become a Businessolver employee, you go through a rigorous amount of training. Also, we phish our own people. That is, we actually send out phishing emails to our entire workforce and see how many people we can catch. And every month we get more devious to try to trick our people into clicking on stuff so they can learn from those experiences. Then, if they ever get a real phishing email, they're already a little skeptical. They know to ask, is it an authentic message coming from the right people?
Also, we train them not to use passwords twice. If you have a password to a system over here, your password to this system over here can't be anything like it. Just good practices; making sure that people understand where the weaknesses are in the world.
Marcy: Right, but humans are humans. People make mistakes. So, how have you fool-proofed, or “future proofed,” our system so that if someone clicks on the wrong thing we’d still be able to protect our clients and our data?
Tom: This is actually a larger question. Things like the “insider threat” are important to consider. Besides the fact that we hire really well at Businessolver — I mean, getting hired here is harder than getting into Harvard — we trust, but verify. We put systems in place on every endpoint that monitor the activities of all our users and compare those activities to what their job and role should be. So, if you've got a service center person doing something outside the norm, we’ll get an alert saying, “Hey, somebody's doing something that isn't normal for them. Let's go check it out.” So, trust but then also verify, and ensure that people are doing the things that they need to be doing and not the things that they shouldn't.
Marcy: I know! I didn't have a deep appreciation for this until joining Businessolver. And now I know there are things called “smart stops.” We always try to assume positive intent, but if someone were to accidentally send a file that looks like it could contain a social security number, the system just stops it, right?
Tom: Exactly. That's called a DLP, or a data loss prevention tool, and we've got all sorts of different tools in place. Yeah, it launders everything. It says, "Hey, this looks suspicious. Stop! We're not going to allow that activity to occur." Then, another intervention happens immediately, such as our teams responding to take a look and ensure that nothing untoward is going on.
Marcy: Tom, if you were advising me as an HR professional — which you often do — what are the three most important things I should ask my technology colleagues about in order to build a cybersecure workforce?
Tom: First, I’d find out what they are doing from a training perspective. Then, I’d ask if they were not only training, but also testing. And then the most important thing is to ensure passwords are not being reused across systems. So, training, testing, and passwords.
Marcy: Regarding the passwords, I remember you shared with me that this is something the bad guys do. They go after passwords and then back their way into other systems.
Tom: Absolutely. There's so many organizations that have gotten popped. LinkedIn is a great example. There are a lot of people out there who reuse passwords. If you used a password on LinkedIn that you used somewhere else, that attacker that has access to that data can access every other site on which you used that same password.
Marcy: Perfect. Well, I think that's all the time we have today. So stay tuned for our next installment. I think we're talking about technical considerations.
Marcy: We’ll address software and other things to keep organizations safe. Thanks for your time and thank you for joining us. Make sure you share this with your colleagues and see you next time.
Tom: Thank you. Have fun!