Hint: it has little to do with the technology. Rather, it is the action—or inaction—of their employees.
My last few blogs have featured cyber security quite heavily, and I thought a roundup of what I’ve been discussing might be useful in case you missed the previous ones.
Human error has become a major weak point today; one that is easily exploited by cyber criminals. In fact, almost 90 percent of cyber attacks are caused by human error or behaviour. Therefore, it’s vital that businesses have some form of cyber security training in place to educate employees. This will emphasise the importance of protecting sensitive information and what malicious threats to look out for.
As an IT services provider committed to protecting our clients and their business, the task of security education and training falls into our hands. Keep reading to discover which essential elements we cover when providing security awareness training.
Generally, a solid security awareness training program should cover the following topics:
- Phishing and Social Engineering
- Access, Passwords and Connection
- Device Security
- Physical Security
Let’s dive into how we best educate clients and their end-users on each of these topics.
Phishing and Social Engineering
Social engineering is typically defined as an attack that’s based on deceiving users or administrators into divulging information. Phishing is an attempt to acquire sensitive information (passwords, usernames, payment details) from an individual. This can be through email, chat, or other means, and is a common type of social engineering attack.
Phishing and other social engineering attacks are so successful is because they’re disguised to look like they come from credible, trustworthy sources. This provides a sense of falsified trust. But there are some tell-tale signs to help spot a phishing attempt, such as:
- typos and misspellings
- links containing a string of random numbers and letters
- the email relying on a sense of urgency
- the feeling like something is off about the information they’re requesting
How to Avoid Phishing and Social Engineering Attacks
What should you do if you think you’ve come across a phishing scam? Here are some best practices:
- Don’t click! Users should never click on a link, attachment, or reply with the requested information if they feel like something is not quite right.
- Inform your IT team or MSP. If it’s a legitimate scam, informing the right people and passing along that knowledge may help prevent it from spreading company-wide. Encourage your colleagues to forward the email to your IT Team or MSP to investigate.
Access, Passwords and Connection
Your IT Team or MSP should use this time to go over the different aspects of the network; from access privileges and passwords, to the network connection itself.
On a similar note, employees should be thinking about the passwords they’re using to access the IT environment. Keeping in mind length, complexity and whether or not they’re sharing those passwords or using them for multiple apps. There are a few best practices around strong passwords, including the length being at least eight characters, containing letters and special characters, and staying away from obvious information such as names and birthdays. Additionally, it’s wise to think about changing and/or updating your passwords every six months or so.
What sometimes is least obvious to employees is that they should also be wary of the network connections they’re using outside of their home or work. Although the data on their device may be encrypted, it’s not necessary that the connected network transfers that data in an encrypted format, therefore opening all sorts of vulnerabilities. What’s more, there’s always risk of the public network being tapped, which puts the data being exchanged over that network at risk. You should encourage your employees/colleagues to only use trusted network connections or secure the connection using appropriate VPN settings.
Device Security
In the era of Bring Your Own Device (BYOD), more and more mobile devices are entering the workplace, connecting the corporate network and accessing company data. However, this creates even more entry points for threats to come through. Therefore, it’s important for employees to ensure their mobile devices are securely connected to the corporate network and always in their possession.
The same threats that lurk over desktops and laptops are applicable to mobile devices. Tablets and smartphones could even be seen as less secure because they lack pre-installed endpoint protection. Users should always be mindful of which websites they’re visiting, which apps they’re installing, and which links they’re clicking on.
Physical Security
Cyber threats aren’t the only one’s employees need to look out for. Physical security also plays a role in keeping sensitive information protected. Leaving a mobile device or computer unattended is a common mistake most end users end up committing unintentionally. If someone were to swipe an employee’s phone or log into their computer, all the data and information that’s accessible via that device is put at immediate risk.
Below are a few best practices to help you increase your physical security in and out of the office:
- Lock your device before you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press Control + Shift + Eject (or the Power key) at the same time.
- Store documents in a locked cabinet. Employees should avoid having sensitive information floating around on their desk. At the end of the day, or before they leave their desk unattended, it’s always a good idea to stow company documents and the like into a lockable safe or cabinet.
- Properly discard information. When it comes time to get rid of those documents or files, be sure to properly shred and discard them.
If you would like to know more about our Managed IT Support offering, including our Security packages please visit us here.