How to identify high security risks in your organisation

Posted by Brett Lodge on 01 June 2021 10:52:08 ACST

With the recent news that JBS Foods, the world's largest meat processing company, fell victim to a cyber-attack [1] that shut down its production facilities worldwide, the conversation about cyber-security, and the steps businesses must take to keep the lights on, needs to be at the top of the stack. At Subnet, our focus continues to be on educating businesses and implementing proactive solutions that protect their IT operations from external threats and internal incidents. In this blog, the fourth in the series (links to the previous posts are at the end), we touch on the measures businesses can use to identify their highest security risks, including among employees working from home.


The emergence of the work from home culture during 2020 significantly improved employee engagement while sustaining, and in some cases improving, productivity. However, the cost of doing business from home is heightened cybersecurity risk: employees are no longer working behind the protection of the corporate firewall. They are often connecting through unsecured Wi-Fi networks and using unsecured or unmanaged endpoint devices that may directly or inadvertently interact with corporate systems.


A large portion of security breaches within organisations is the result of human error; however, not all employees are equally high risk. Most people will try to do the right thing when it comes to organisational security, but they may be caught out by increasingly sophisticated and highly targeted phishing or ransomware attacks. This includes a rising number of state-based attacks that are routed through unsuspecting employees. There is also a small percentage of individuals who will intentionally and maliciously target the organisation from the inside.


Identifying and containing risky users and devices is crucial to building a strong security posture. There are three ways to identify high security risks in your organisation:


  1. Use cyber awareness training to determine which employees are high risk

Cyber awareness training plays a crucial role in an organisation’s security posture. Employees will always be the organisation’s greatest strength and greatest weakness when it comes to protecting intellectual property. However, cyber awareness training has a much broader role than employee education alone: it can be used to help the organisation prioritise cybersecurity threats based on how employees respond to the training. For example, if all employees complete cyber awareness training and are assessed at the end of the program, yet only 50 per cent pass the assessment, the organisation can provide focused support for the individuals and topics that need more attention. If employees choose not to engage, or underperform, in cyber awareness assessments, this also signals to the organisation that these individuals are a higher security risk and should receive targeted support first. More regular, short and engaging cyber awareness training also keeps employees up to date with current cybersecurity policies and gives the organisation a basis for proactively assessing employee readiness ahead of any potential cyberattack.


  2. Conduct a security audit

A comprehensive audit of programs, applications and devices lets the organisation effectively consolidate IT infrastructure, while also identifying software and applications that have the potential to compromise the organisation’s security posture. The audit must consider applications and programs in isolation as well as how they interact with other applications and end users. For example, an anti-virus solution that isn’t compatible with legacy software may malfunction and result in a significant security vulnerability for the organisation. Engaging a trusted, independent third party to conduct an IT security audit benefits the organisation by identifying gaps or non-compliance in current IT systems and practices that could be missed by in-house teams. The audit can provide guidance on IT tools and employee training that is needed to close gaps, as well as identify programs that may no longer be relevant to the organisation yet still generate direct or indirect costs for the business.


  3. Conduct regular de-weaponised phishing simulations

Gamified phishing simulations are a reliable way to determine organisational risk because they show exactly how employees respond during a potential cyberattack. A de-weaponised simulation uses lures that look like a real phishing or ransomware campaign but carry no malicious payload, so clicking a link or entering credentials is recorded rather than exploited. Targeted phishing and ransomware attacks will continue to impact employees and their organisations into 2021 and beyond. The best defence is to familiarise employees with the types of attack they may face and review their interactions with these simulations. This way organisations can determine where to focus cyber awareness training efforts.
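As an added example (not part of the original post), the Python script below shows how the two measurable signals from items 1 and 3 above, awareness-assessment results and de-weaponised phishing simulation outcomes, can be combined into a per-user risk score and a per-topic pass rate. The users, scores, weights, pass mark and risk threshold are all constructed assumptions chosen to illustrate the approach; non-completion of an assessment is treated as a stronger signal than a failed one, as the post suggests, and is tracked separately from the pass rate so it does not silently distort topic results.

```python
"""Added example: rank users and topics by security risk using awareness-training
assessment results and de-weaponised phishing simulation outcomes.
All data, weights and thresholds below are constructed assumptions, not figures
from the original post."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PASS_MARK = 70  # assumed pass mark for the awareness assessment (percent)


@dataclass(frozen=True)
class AssessmentResult:
    user: str
    topic: str
    score: Optional[int]  # None = did not complete the assessment (non-engagement)


@dataclass(frozen=True)
class PhishingSimResult:
    user: str
    campaign: str
    clicked: bool                # opened the lure link
    submitted_credentials: bool  # typed credentials into the landing page
    reported: bool               # reported the lure to IT/security


# Constructed sample data for four hypothetical users.
ASSESSMENTS: List[AssessmentResult] = [
    AssessmentResult("alice", "phishing", 85),
    AssessmentResult("alice", "passwords", 90),
    AssessmentResult("bob", "phishing", 55),
    AssessmentResult("bob", "passwords", None),
    AssessmentResult("carol", "phishing", None),
    AssessmentResult("carol", "passwords", None),
    AssessmentResult("dave", "phishing", 75),
    AssessmentResult("dave", "passwords", 60),
]

SIMS: List[PhishingSimResult] = [
    PhishingSimResult("alice", "q1-invoice", False, False, True),
    PhishingSimResult("bob", "q1-invoice", True, True, False),
    PhishingSimResult("carol", "q1-invoice", True, False, False),
    PhishingSimResult("dave", "q1-invoice", False, False, False),
    PhishingSimResult("dave", "q2-mfa-reset", True, False, True),
]


def user_risk_scores(assessments, sims) -> Dict[str, float]:
    """Return {user: risk score}; higher means riskier. Weights are assumptions:
    non-engagement outweighs a failed assessment, and handing over credentials
    outweighs merely clicking. Reporting a lure reduces the score."""
    risk = {r.user: 0.0 for r in assessments}
    risk.update({s.user: 0.0 for s in sims if s.user not in risk})
    for a in assessments:
        if a.score is None:
            risk[a.user] += 3.0
        elif a.score < PASS_MARK:
            risk[a.user] += 2.0
    for s in sims:
        if s.submitted_credentials:
            risk[s.user] += 5.0
        elif s.clicked:
            risk[s.user] += 3.0
        if s.reported:
            risk[s.user] -= 1.0
    return risk


def high_risk_users(assessments, sims, threshold: float = 5.0) -> List[str]:
    """Users whose score meets the (assumed) threshold, sorted by name."""
    scores = user_risk_scores(assessments, sims)
    return sorted(u for u, r in scores.items() if r >= threshold)


def topic_pass_rates(assessments) -> Dict[str, Dict[str, float]]:
    """Per topic: completion rate over everyone assigned, and pass rate over
    those who completed, kept separate so non-engagement is visible on its own."""
    assigned: Dict[str, int] = {}
    completed: Dict[str, int] = {}
    passed: Dict[str, int] = {}
    for a in assessments:
        assigned[a.topic] = assigned.get(a.topic, 0) + 1
        if a.score is not None:
            completed[a.topic] = completed.get(a.topic, 0) + 1
            if a.score >= PASS_MARK:
                passed[a.topic] = passed.get(a.topic, 0) + 1
    out: Dict[str, Dict[str, float]] = {}
    for topic, n in assigned.items():
        done = completed.get(topic, 0)
        out[topic] = {
            "completion_rate": done / n,
            "pass_rate": passed.get(topic, 0) / done if done else 0.0,
        }
    return out


def weak_topics(assessments, max_pass_rate: float = 0.5) -> List[str]:
    """Topics whose pass rate is at or below the assumed threshold."""
    rates = topic_pass_rates(assessments)
    return sorted(t for t, r in rates.items() if r["pass_rate"] <= max_pass_rate)


if __name__ == "__main__":
    for user, score in sorted(user_risk_scores(ASSESSMENTS, SIMS).items()):
        print(f"{user:8} risk={score:+.1f}")
    print("high risk:", high_risk_users(ASSESSMENTS, SIMS))
    print("weak topics:", weak_topics(ASSESSMENTS))
```

In the constructed data, bob (failed one assessment, skipped the other, and entered credentials in the simulation) and carol (skipped both assessments and clicked the lure) come out as high risk, while dave clicked once but reported the lure and stays below the threshold; "passwords" is flagged as a weak topic because only half of those who completed it passed. The point of separating completion rate from pass rate is that a topic nobody has completed should show up as a non-engagement problem, not as a 0 per cent pass rate.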


In addition to employee training, organisational audits and phishing simulations, threat intelligence is crucial to identifying security risks within the organisation. There are seven essential elements required in IT security reporting; read our tip sheet to learn what they are. To identify the current cybersecurity risks in your organisation and how to address them, contact the Subnet expert team today.

Read the other blogs in this series -

Part 1 - Five signs that your organisation is at high risk of cyberattack 


Part 2 - Three low-cost ways to secure your organisation online


Part 3 - 3 key ingredients needed to secure organisations


[1] Cyber attack shuts down global meat processing giant JBS - https://www.abc.net.au/news/2021-05-31/cyber-attack-shuts-down-global-meat-processing-giant-jbs/100178310

Topics: Security, Cybersecurity