Awareness and training
The importance of awareness and training for employees cannot be overstated. No amount of technical and procedural mitigations will help if an employee takes an insecure action (e.g., inserting a removable drive without first performing an anti-virus scan) through lack of training or awareness. External classroom and online training courses are recommended to give employees a clear understanding of their responsibilities.
Internal resources, such as assessment tools (surveys, tests) and awareness tools (videos, posters, emails), should be used to complement external courses and provide a constant reminder to employees. Effective cybersecurity management should be a high-profile business objective that management reports on, so that employees are continually reminded of its importance. It must be a priority for your organization.
Effective cybersecurity management requires continuous improvement. The essential activities outlined above are only the beginning. For each of the five core functions of the Cybersecurity Framework, there are many degrees of maturity beyond them. For example:
- Network and equipment monitoring can be a manual activity in its simplest form, but specialty software can assist.
- Third-party organizations, such as OSA Cybersecurity, can provide assessment services, including penetration testing, to validate the effectiveness of cybersecurity mitigations. The degree of testing will depend on the level of risk perceived, and this may vary over time.
In addition, cybersecurity is continuously evolving, with new vulnerabilities, exploits, and threats arising all the time. You must continuously review your risk and adapt mitigations to suit this changing landscape.