One of the things that automation companies are beginning to do is to plan for cyber hygiene. More and more companies are implementing automation specific awareness training for their employees. They conduct periodic exercises which like sending phishing emails to see who if you respond. They might leave USB devices around to see who's going to pick it up and use it without either reporting it or cleaning it. Companies want to make sure that the cybersecurity policies and procedures are being followed.
Informing Employees on Cyber Hygiene
Automation companies should be sending some level of information on cyber hygiene out to employees such as posters or intranet postings. These will normally communicate their expectations for employees. Uneducated employees have a high potential to introduce malware into a laptop which eventually finds its way into automation systems. You as an employee can safeguard against that. Being vigilant is very important. The other thing employers are beginning to do is awareness testing to make sure you understand the fundamentals and why it's important to follow good cyber hygiene. Then there'll be some form of revalidation on a regular basis to make sure the learning continues and that people are getting the message.
What Does This mean in Practice?
As I've said already, phishing campaigns have proven to be one of the most effective ways of attackers being able to infiltrate by obtaining passwords and sensitive account information. By raising awareness, it is possible that we can reduce down from the almost 47% to around 5% with consistent training. Ideally, we want to get it down to zero, but of course that takes time. The USB drops can test whether or not people are adhering to the portable media policies. If you find a USB lying around, then either hand it in to the relevant department or scan it to see what's on it. Define the consequences for policy violations. If you inadvertently respond to one of those phishing emails, then there might be more frequent training requirements that are done to ensure that this doesn't happen again. It'll reinforce the message to make sure that people are not tricked by phishing emails. If cyber hygiene improves overall within the company, there will be less potential of incidents. If there are any, those can be analyzed to see how can we improve things.
Adopt a Continuous Improvement Approach
Overall, the purpose of a cyber hygiene plan is to adopt a continuous improvement approach. You should be mapping out what the policies and goals should be. Then conduct the awareness training. From the planning, we go to the doing. Then we need to check. We need to look at the performance. See if we are improving and reducing potential incidents. Audits can be conducted. They will be conducted to see the effectiveness. How it's being implemented. Then the final part of this is to act. Look at the performance. Take any necessary corrective actions. Then modify the cyber hygiene policy to make it more effective.
If you would like to learn more about cyber hygiene for automation systems, check out our CS 002 self paced training course.