Identifying IT candidates who “get” online security means asking the right cyber security questions in the interview
As cyber attacks become more complex and the cyber security skills gap widens, it’s vital that businesses recruit IT candidates that possess the right cyber security skills.
According to our latest market research report – Under Attack: Assessing the struggle of UK SMBs against cyber criminals – a high proportion of IT Managers (45%) now say that a candidate’s lack of awareness of cyber security – and an inability to demonstrate an acceptable level of understanding – would impact their chances of being hired.
But just what level of understanding should businesses be looking for? What cyber security questions should IT managers be asking potential IT employees during the interview stage?
In this blog, we’ll take a look at the cyber security questions that businesses should ask IT candidates in the interview process.
1. “Do you use strong passwords and change them regularly?”
Password management continues to be a challenge for most businesses. An article by TechRepublic highlights that 25% of employees use the same password for every enterprise system they access on a regular basis. So if cyber criminals can gain access to just one employee account, they can most likely access that employee’s other accounts too.
If employees use public Wi-Fi networks to connect to the business’ enterprise systems, any information transmitted and received whilst on the public network, including highly sensitive login details, is visible to cyber criminals. Cyber criminals can then use that employee’s credentials to access other tools or even the employee’s email account to conduct spear phishing attacks.
Therefore, candidates should – at a minimum – use different passwords for their accounts (whether business or personal) and ideally some form of password management software or two-factor authentication to mitigate unauthorised access.
This first cyber security question will help to determine which candidates understand the necessity of strong and complex passwords and how they can keep a business protected.
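The two controls this question points at (unique, non-breached passwords and a second factor) are small enough to show in working code. The block below is an added example written for this page, not code from the original post or from Privatise: it rejects a new password that is too short, appears in a (constructed) breached-password list, or is being reused from one of the user's other accounts, and it verifies a time-based one-time password per RFC 6238. The breached list, the shared secret and the clock values are constructed for the example; the secret is the RFC 6238 test-vector key, so the codes can be checked against the standard.

```python
"""Added example (not from the original post): two of the controls the
question above points at, implemented in plain Python.

1. reject weak or reused passwords when a password is set;
2. verify a time-based one-time password (TOTP, RFC 6238) as the second factor.

The breached-password list, the shared secret and the clock values below are
constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple

# Constructed sample of passwords known to appear in public breaches.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); this pair is what gets stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def password_problems(password: str, previous_hashes: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the reasons a proposed password is unacceptable (empty list == OK).

    previous_hashes: (salt, digest) pairs already stored for this user's other
    accounts or systems. The candidate plaintext is re-hashed with each stored
    salt, so reuse is detected without any old plaintext being kept anywhere.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    for salt, digest in previous_hashes:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused from another account")
            break
    return problems


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to allow clock skew.

    Comparison is constant-time; the caller should also rate-limit attempts.
    """
    now = int(time.time()) if unix_time is None else unix_time
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + delta * 30), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC 6238 test-vector key); real deployments
    # generate a random secret per user at enrolment.
    SECRET = base64.b32encode(b"12345678901234567890").decode()
    print(password_problems("password", []))
    print(password_problems("correct horse battery staple", []))
    code = totp(SECRET, 59)
    print(code, verify_totp(SECRET, code, 59))
```

Run it as a script to see a weak password rejected, a long unique one accepted, and the TOTP for time 59 verified. The reuse check works only at the moment a password is set, because that is the only time the plaintext is available; this is also why the hashes are salted and slow (PBKDF2) rather than a bare SHA-256.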
2. “Do you use a VPN whilst on public Wi-Fi networks?”
According to Symantec’s Norton Wi-Fi Risk Report – in which 15 global markets were surveyed – 53% of survey respondents couldn’t tell the difference between a secure and an unsecured public Wi-Fi network. In addition, 75% of those surveyed don’t use a virtual private network (VPN) to secure their connections on these networks.
Considering how easy it is for cyber criminals to access public Wi-Fi connections and siphon data from connected devices, hiring managers must look out for candidates that understand the importance of encryption and privacy tools on these networks.
If a candidate doesn’t use a VPN, at the very least they should understand why it’s necessary on a public Wi-Fi network. If they don’t, there’s a good chance that when they work remotely they’ll unknowingly expose important business data to cyber criminals.
3. “How often do you install updates and patches for software?”
The answer should be: as soon as possible.
However, despite high-profile cyber attacks like WannaCry and Petya highlighting the importance of regular software updates and patches, many business employees still neglect this critical activity.
The fact is that not updating software or security infrastructure is essentially the same as living in a house with no locks on the doors.
On that basis, businesses should be looking for candidates that regularly download and install software updates as and when asked, rather than those who opt to snooze updates or have to be reminded to install them months later.
Software updates and patch management are a necessary evil – so asking this cyber security question during the interview will help hiring managers to identify candidates who care about and value security.
4. “Tell us about some common forms of cyber attack”
This is perhaps one of the most important cyber security interview questions to ask. If a candidate isn’t aware of the different kinds of cyber attack, how will they protect themselves and the business against emerging threats?
Responsibility for the business’ cyber security lies with everyone, not just the business’ cyber security expert. It only takes one employee to unknowingly click on a suspicious link or download a strange file to create vulnerabilities which cyber criminals can exploit.
IT candidates should, therefore, know about the most common forms of cyber attack: denial-of-service, man-in-the-middle, phishing and spear phishing, malware, and zero-day exploits. There are other types of attack, but they are typically less common, because cyber criminals rely on business employees making mistakes or failing to rectify vulnerabilities in software.
To really test candidates, hiring managers should follow this cyber security question by asking them to explain how they would identify a cyber attack or protect against one. To demonstrate an adequate level of cyber security awareness, candidates should ideally refer to building multiple layers of internet security rather than relying on any single control.
5. “How do you keep up to date with cyber security news, trends and best practice?”
The unpredictable nature of cyber attacks makes it an ongoing challenge for businesses – let alone individuals – to keep up with cyber security.
New information regarding the protection of data and systems is released on a regular basis, and while some of this information is useful, all of it has an increasingly limited shelf life.
And with updates so frequent, there is a group of individuals who will fall behind – by default or by refusing to keep up – and instead wait for broader, industry-wide changes. The inherent problem here is that they miss out on pivotal information.
Therefore hiring managers should ask candidates just how they keep up with those changes and trends – whether they follow security professionals and influencers on social media, attend cyber security events, are active on cyber security forums or blogs, and/or listen to cyber security podcasts.
Candidates that do some or all of the above are nothing short of gold dust for businesses looking to enhance their cyber security. These candidates can also share their knowledge and expertise with others in the business, helping to raise cyber security awareness.
Asking the above cyber security questions during the interview process will help businesses to gauge candidates’ level of cyber security awareness. If a foundation has already been laid – in that candidates know the basics, keep themselves informed and use some form of online security – businesses can be confident that those employees will follow policies and processes, and help others in the business to understand cyber security.
If you want to find out more about the current state of cyber security and how small businesses in particular are affected, download our free Market Research Report.
Privatise’s business VPN solution is the first internet privacy protection tool developed specifically to meet the practical needs of small and medium businesses.