We've all heard the stories about cyber criminals dumping thumb drives loaded with malicious code in employee parking lots waiting for one to be picked up and plugged into a work computer - it's gotten to the point where it's a TV show trope!
And yes, of course, one certainly hopes your staff would be suspicious of any such thing and refrain from plugging it in, but the reality is most breaches occur in other ways...
With the ability for hackers to establish a beachhead in your business with little to no effort simply by leveraging the existing lines of communication everyone uses every day, security awareness training of your employees about current security threats, company security policies, and the personal role each plays in keeping your business safe from cyber threats is essential.
Unfortunately, many businesses don’t know where to begin development of a program or what areas they should focus priority on. With so much to know and the many paths you can take, we understand the potential confusion, and we're here to help. Together, we can get your employees up to speed on the basics of security awareness or augment an existing program with additional education and guidance on good employee security policy and how it relates to the work streams of your business.
Here’s a peek at some must-haves as part of any good program:
- Phishing and social engineering
- Passwords and network access
- Device security
- Physical security
Phishing and Social Engineering
Social engineering is an attack that happens when a user is deceived into divulging information. Phishing, which is an attempt to get sensitive information like passwords and credit cards from someone through email or chat, is a common social engineering attack.
Why are phishing and other social engineering attacks so successful? Because they appear to come from a credible source, deceiving you into thinking it’s a piece of communication you can trust. While there can be tell-tale signs of a phishing attempt include typos, links containing a string of random numbers and letters, an odd sense of urgency, or a simple feeling something is amiss about the information being requested, the truth is that nowadays AI-driven phishing campaigns will self-train on writing examples gleaned from breaches in other systems, such as your vendors and customers, so even these subtle clues may not be present!
If a user feels something isn’t quite right, they should never click on a link or attachment or give out sensitive information. Employees should have a process in place for informing the right person or department in a timely manner if they believe they are receiving malicious email communications. If one employee is being targeted, it’s likely many others are, too. Alerting the right staff in a timely manner is critical for preventing a phishing scam from entering the network and spreading company wide. It is also imperative that there be an established protocol for an alternate means of verifying any communication (re)directing finances of any kind, from employee gift cards to vendor payments, e.g. by phone.
Passwords and Network Access
Similarly, employees should be following best practices when it comes to passwords they’re creating, especially for passwords used to access IT environments. For many industries, enforcement of password policy is a compliance requirement. In general, passwords should be unique to each application and information source, at least nine characters, contain letters and special characters, and stay away from obvious information like names and birthdays. (Best is to use a password manager that can generate extremely long and random passwords and keep track of them.) Further, whenever possible passwords should be augmented by some form of two-factor authentication, preferably a hardware key or a dedicated application as SMS and email are frequently compromised nowadays.
This may be less obvious, but employees should also be wary of network connections used outside of their home or work. It's generally best to assume nowadays that any non-company network (coffee shop, hotel, home wifi etc) has one or more compromised devices, which puts all data exchanged on that network at risk. Use only a trusted network connection or secure the connection with appropriate VPN settings.
In an era where more and more personal devices operate within the workplace, employees must understand the potential security risks of connecting to the enterprise network from their shiny new phone or tablet. The same threats posed to company desktops and laptops also apply to personal devices. Ideally, you will work with employees to ensure they have the means to securely access resources from their own device, but they should always be mindful of the websites they’re browsing, the applications they are installing, and the links they’re clicking on.
Cyber threats aren’t the only risks to be mindful of. Physical security also plays a role in keeping sensitive information protected. How often do employees mistakenly leave a mobile device or computer unattended? It happens to all of us. But, if someone were to swipe an unattended phone or log in to sensitive assets from a connected network session, all of your data could immediately be at risk.
This is an area of security often overlooked and in need of a good refresher, especially with so many employees now accustomed to working from home and out of practice with good office security measures such as:
Locking all devices. Employees should re-establish the habit of doing this every time they leave their desk.
Locking their docs. Sensitive materials should be stored in a locked cabinet and not left sitting on an open access desk.
Properly discarding info. When throwing away documents, users should be sure not to place sensitive papers into a general trash bin. The company should have a policy and process in place for appropriate and secure removal of such files.
Ready to get started? We’ve got you covered. Give us a call, and let’s chat about your employee security awareness needs.