September is time for back to school and back to business! This is a great time to get serious about training your employees to understand their role in helping a business or organization stay safe.
Cyber criminals are always finding new ways to gain access to a network. Did you know that cyber criminals have dumped thumb drives loaded with malicious code in employee parking lots waiting for one to be picked up and plugged into a work computer? Cyber criminals actually do crazy stuff like this to gain access to networks. Unfortunately, studies have found that 60% of people will do just that! Imagine a thumb drive with the words “payroll data” lying on the ground – would one of your employees be tempted to take a peek?
There’s a lot of money in cyber crime, mostly fueled by the anonymity of crypto currency (Bitcoin) payments. Just this summer Peterborough, NH, was scammed out of $2.3 Million dollars in a phishing email, the Steamboat Authority in Massachusetts, which runs the Martha’s Vineyard Ferry, was hit by a ransomware attack, and the Boston Public Library was hit with a ransomware attack. There’s no such thing as 100% security, and technology alone isn’t enough to prevent attacks. Employees should be made aware of the risks and threats they face on a daily basis and how to avoid them.
With the ability for hackers to establish a beachhead in your business with little to no effort, security awareness training of your employees about current security threats, company security policies, and the personal role each plays in keeping your business safe from cyber threats is essential.
Unfortunately, many businesses don’t know where to begin development of a program or what areas they should focus priority on. Cybersecurity is in the news almost daily, and with so much to know and so many paths you can take, we understand the potential confusion. Ekaru is here to help! Together, we can get your employees up to speed on the basics of security awareness or augment an existing program with additional education and guidance on good employee security policy and how it relates to the work streams of your business.
Here’s a peek at some must haves as part of any good program:
- Phishing and social engineering
- STRONG Passwords and network access
- Device security
- Physical security
Phishing and Social Engineering
Social engineering is an attack that happens when a user is deceived into divulging information or clicking on a bad link. Phishing, which is an attempt to get sensitive information like passwords and credit cards from someone through email or chat, is a common social engineering attack. These are typically fake emails that appear to come from a legitimate source such as a boss or bank, but are actually malware programs trying to steal their credentials.
Why are phishing and other social engineering attacks so successful? Because they appear to come from a credible source, deceiving you into thinking it’s a piece of communication you can trust. Tell-tale signs of a phishing attempt include typos, links containing a string of random numbers and letters, an odd sense of urgency, or a simple feeling something is amiss about the information being requested. Some of these emails are very easy to spot, and some are very well crafted to avoid detection.
If a user feels something isn’t quite right, they should never click on a link or attachment or give out sensitive information. Employees should have a process in place for informing the right person or department in a timely manner if they believe they are receiving malicious email communications. If one employee is being targeted, it’s likely many others are, too. Alerting the right staff in a timely manner is critical for preventing a phishing scam from entering the network and spreading company wide. Keep in mind that sometimes nothing will seem out of place with the email - maybe its the holiday season and you ARE purchasing multiple gift cards.
STRONG Passwords and Network Access
Similarly, employees should be following best practices when it comes to passwords they’re creating, especially for passwords used to access IT environments. For many industries, enforcement of password policy is a compliance requirement. In general, passwords should be unique to each application and information source, at least twelve characters (up from the previous recommendation of eight), contain letters and special characters, and stay away from obvious information like names and birthdays. Further passwords should be updated every 90 days and never stored on sticky notes affixed to monitors or keyboards or shared with other employees. Needless to say, it would be almost impossible for anyone to memorize all these passwords, and we strongly advise using a business-class password management system.
This may be less obvious, but employees should also be wary of network connections used outside of their home or work. Even if data on their device is encrypted, it’s not necessary that a connected network transfers that data in an encrypted format, which opens the door to many different vulnerabilities. Plus, public networks may be tapped, which puts all data exchanged on that network at risk. Use a trusted network connection or secure the connection with appropriate VPN settings. Employees should be mindful of the potential security ramifications when logging onto company resources from their local coffee shop’s network. Use your mobile phone hot spot as an alternative.
In an era where more and more personal devices operate within the workplace, employees must understand the potential security risks of connecting to the enterprise network from their shiny new phone or tablet. The same threats posed to company desktops and laptops also apply to personal devices. Ideally, you will work with employees to ensure they have the means to securely access resources from their own device, but they should always be mindful of the websites they’re browsing, the applications they are installing, and the links they’re clicking on. Consider setting up a guest network so that employees can enjoy WIFI access at work for their personal devices, without actually connecting to the company network.
Cyber threats aren’t the only risks to be mindful of. Physical security also plays a role in keeping sensitive information protected. How often do employees mistakenly leave a mobile device or computer unattended or left behind in a taxi or restaurant. It can happen to anyone. But, if someone were to swipe an unattended phone or log in to sensitive assets from a connected network session, all of your data could immediately be at risk.
This is an area of security often overlooked and in need of a good refresher, especially with so many employees now accustomed to working from home and out of practice with good office security measures such as:
- Locking all devices. Employees should re-establish the habit of doing this every time they leave their desk. Hitting the "Windows" key + L will automatically lock your system. Get in the habit of doing this EVERY time you leave your system. Using a laptop? Consider laptop physical locks for high traffic areas.
- Locking their documents. Sensitive materials should be stored in a locked cabinet and not left sitting on an open access desk. Practice a "Clean Desk" policy.
- Properly discarding information. When throwing away documents, users should be sure not to place sensitive papers into a general trash bin. The company should have a policy and process in place for appropriate and secure removal of paperwork. Old computer systems should have their hard drives shredded. Check with your local shredding company, or join us for one of our Electronics Recycling events.
Ready to get started? We’ve got you covered. Give us a call at 978-692-4200 or send us an e-mail at firstname.lastname@example.org, and let’s chat about your employee security awareness needs. Still in the process of learning more? Please come back to our website or join us for an upcoming training session.