When it comes to security, business leaders of course invest in door locks, proper outdoor lighting and perhaps even a security guard on-site.
When their security focus turns to data, they will install firewalls, antivirus, anti-malware and perhaps other layers of protection, all while overlooking the most important aspect of their breach protection plan: their employees. Why are employees your greatest cybersecurity threat and what can organizations do about it?
It is simply not enough for employees to update passwords regularly (indeed, there is a growing school of thought which advises against overly-frequent changes). Your workforce needs understand both how a breached system affects them directly and what today’s attacks look like.
To this end, your IT team should not only work with HR to develop cybersecurity training that will breed a culture of compliance, it should make use of a solution that learns from the ever-evolving threat landscape to provide the most current training possible.
Here are a few of the issues that need to be addressed:
Impact on the Company of Downtime and Breaches
Explain in the clearest terms how downtime in the company network affects everyone. Use examples such as ransomware or spear phishing attacks in which your business could lose data or network access – thus affecting not only the ability to conduct business but your organization’s reputation with customers, as well.
Lack of Awareness
Simple though it may sound, regular training and reiteration of concepts like having strong passwords, proper storage of customer information, use of locking drawers or file cabinets, how the company uses multi-factor authentication and data access principles should be ongoing practices.
In addition, all personnel should know how to properly dispose of drives, reports, etc. when they are no longer pertinent. Last here is the need to inform employees of the importance of system/software updates for approved BYOD mobile phones and other devices, just like the company regularly updates its own network (or should, perhaps with the help of an MSP like Cynexlink).
**NOTE: Interested in learning about Cynexlink’s cybersecurity training and how we implement this low-cost, high-impact solution on behalf of clients? Download our information sheet here.
Hazards of Using Unsecured Networks
This is particularly problematic with BYOD environments including commuting vehicles (e.g., the train and subway), cafés, etc. which typically offer only unsecured networks. Your employees need to be aware that all online activity conducted on such networks can be visible, putting devices and sensitive company information in peril.
To minimize this risk, explain the difference between using HTTP and HTTPS prefixed sites – the later carries encryption protocols – on any device (laptop, smartphone, etc.) used for work-related activities and help them understand which work is best left to be performed only on secure networks. Better yet: create a VPN for your remote employees for use in such environments.
Another off-site peril comes from juice jacking, in which a hacked wireless charging port can allow cybercriminals to record what is being written or watched on a device as well as download programs to said device.
IoT (Internet of Things): a Door to System Access
With the growing complexity of the business operating environment, you may find you have manufacturing equipment as well as simple office equipment such as printers connected wirelessly to your server. These additional pathways offer opportunities for an employee to involuntarily undermine your security by tapping into equipment not meant to be part of their peripherals.
In order to minimize this risk, have your IT team set up not only different passwords for this equipment but different router levels, as well, which prevents certain devices from ever ‘seeing’ other devices they shouldn’t. Turning off equipment when not in use will help to mitigate cross-system access as well.
These steps can also help prevent an unintended internally produced Denial of Service (DoS) attack or Distributed Denial of Service Attack (DDoS) in which equipment or websites crash from an overload of demand.
Proper Access Management
Always keep in mind that a disgruntled employee with critical system access can pose a threat to your business. We see a lot of companies, particularly smaller or early-stage orgs in which certain key employees wear many hats, that are incredibly loose about providing admin access to network systems and related SaaS services, as well. Think like a larger organization and create a plan for the proper granting of system access from day one, a plan that by definition also includes the ability to quickly revoke such access at any time.
Aim to Create a Cybersecurity-Focused Culture
Don’t forget, your IT team consists of all your employees. To this end, think about the cybersecurity culture you want to create. For instance, have your IT team start broadly sharing new concepts learned at trade events, which can keep lines of communication open between departments and can help your staff understand new threats and preventive actions they can take before your business is targeted.
Coming full circle, employee cybersecurity training is a powerful ally in creating a security-minded culture. We are constantly amazed at how quickly phishing simulations expose weak users, then bring about a huge decrease in harmful actions. When employees become aware they might get tricked by one of the boss’s training emails, they become wary of all of them.
This is exactly the kind of mindset you want to create because keep in mind: the mishandling of malicious emails is still the number one cause of data breaches worldwide.
Contact us for help, if needed, and be safe out there!