Points de vue

FIC 2019: We Can’t Overcome Cybercriminals Without Employees

février 3, 2019

On 22-23 January, the French annual cybersecurity event took place in Lille, France. The two-day International Cybersecurity Forum, or Forum International de la Cybersécurité (FIC), showcased many keynotes, workshops, conferences and product demonstrations in order to highlight the various tools currently at our disposal to handle (and hopefully, tackle) cyber-criminality.

A few key terms were put forward throughout the event: IoT, GDPR, digital identities, and the human factor. For years, if not ever since the digital transformation, we have heard that humans are the weakest links in cybersecurity. While companies must protect themselves with technologies designed to deal with increasingly sophisticated cyber-threats, they must also recognise that they still face a problem if users, for example, persist in clicking on phishing links in malicious emails.

Consequently, the security strategy must include raising – and maintaining – awareness among employees, to rid them of bad online habits and to get them to embrace security.

Establishing good habits

A solid approach to educating employees on this is very important. Not least because some may consider so-called ‘good habits’ a burden when completing tasks, while others may simply be unaware that tricks and techniques used by cybercriminals evolve over time.

Some companies have, for many years, provided guidelines for good online habits in an effort to avert cyberattacks. Yet, it’s a mixed approach. Indeed, organisations sometimes only offer training to newcomers or training is a ‘one-off’. Cyberthreats keep evolving and employees are likely to keep good practices in mind for only a limited time, therefore users must be kept on the right page through regular refresher training.

On the occasion of the FIC, some companies shared successful testimonials about methods they have put in place to increase awareness among their teams. What I found interesting were the approaches that take a personal approach: instead of relating the issue to the workplace, they relate it to employees’ internet use at home.

Making it personal

For example, they point out the potential risks of publishing some pictures online, go through how to protect personal documents in the cloud, and even outline how to connect safely to the internet while travelling abroad. As these examples concern employees in their personal lives, they are more likely to be receptive and behave online accordingly. Afterwards, these employees will adopt the same practices at work with the companies’ data, becoming a security tool and no longer a vulnerability.

As cybersecurity concerns us all, and as today’s children use connected devices more and more at a very young age, it becomes ever more important to instill safe online practice at an early age. Children have always been taught not to talk to strangers and to report inappropriate behaviour. Now, children must also be schooled on staying safe online so that they understand that cyber-criminality exists, the kind of threats they could face, and ways they can protect themselves. In Luxembourg, youngsters between nine and 12 years of age benefit from cybersecurity awareness lessons at school for a couple of hours a year. It is not much, but it is a great opportunity to start embedding good practice.

While companies deploy cybersecurity solutions to outsmart the criminals with innovative technologies such as machine learning, they should not forget the human factor. With the right approach, this can become the strongest, not weakest, link.