Not a day goes by without a story concerning cyber security, from phishing attacks against individuals and corporations to hacks of accounts and networks. This is a situation unlikely to change in the near future.
And the cost is not measured in monetary terms alone. The theft of data, or simply the knowledge that a system has been breached, can cause reputational damage that outweighs the direct value of whatever was stolen.
Organisations go to great lengths to secure their systems, but modern criminals know the weakest point is usually the people using the system and the way they access it, not the technology itself.
Awareness and Training
Although employees may read news stories about phishing, hacking, ransomware, viruses and identity theft, until it happens to them they tend not to pay much attention to the detail, and that is a big advantage for the criminals. Everyone must therefore be trained to recognise the threats and understand how to reduce the risk of a serious security breach, from top to bottom, regardless of their level of system access or seniority. No one is immune to attack.
Any training should cover cyber security best practice, which not only highlights the dangers but offers practical advice that helps each individual take responsibility for security within their organisation.
PC & Laptop Security
Most employees have their own computer at work, or at least a personal log-on, and although most computers lock automatically after a period of inactivity, each user should lock their computer whenever they leave their desk.
This protects both the system and the individual, who could be suspected of involvement in a security breach if it was their computer or log-on that was used.
In a similar vein, users must not store private or sensitive information on the desktop or in unsecured local folders, which sit outside the access controls, backups and monitoring applied to managed storage.
Users should be reminded that if they receive an alert about a virus they must report it immediately to the IT manager or, where support is outsourced, the IT helpdesk. These warnings must not be ignored, but neither should users try to fix them on their own: fake "your computer is infected" pop-ups are themselves a common lure, so the authenticity of both the message and the suggested fix must be confirmed first.
It might seem obvious, but one of the easiest ways to protect individual computers and the system as a whole is to prevent users from installing any software that has not been specifically authorised. It can be tempting to add the latest must-have business app or upgrade an existing one, but users should be reminded not to do so without the IT department's approval.
Any on-screen alert should be read and understood, not dismissed. Users must not click on alerts simply to get rid of them; they should notify whoever is responsible for the integrity of the system, whether that is an internal team or a managed service provider.
Productivity concerns often lead users to leave their computers on overnight so they are ready the minute they walk in the next day. A secure system is a productive one, however, and shutting down (or at least restarting) at the end of the day helps: updates that are waiting for a restart get applied, and an attacker is denied a quiet 17 or 18 hours of unattended access to a logged-on endpoint.
Protecting an organisation at a time when employees expect access to their systems and data from anywhere, at any time, on any device is a serious challenge. Mobile devices must be protected with a password or Personal Identification Number (PIN), so that a lost, stolen or compromised device cannot be used to gain unauthorised access to the organisation's systems. Users should also turn off Wi-Fi and Bluetooth when they are not in use, which reduces the chance of the device automatically connecting to an unsecured or suspect network.
Every year a list is compiled of the most popular passwords found among the millions of stolen credentials made public that year. Based on more than 2 million results, the top two remain the same as in almost every other year: '123456' and 'password', which is depressing for those of us committed to reducing cyber-crime.
Everyone, at home and at work, needs to understand how to create and remember strong passwords: long rather than merely complex, and different for every service, so that one stolen password does not unlock the others. A password manager makes this practical.
Users must never disclose their password, even to the IT support team, and should regard any request for it as suspicious. A password must be changed promptly, and replaced with a genuinely new one, whenever there is any suspicion it has been exposed, for example in a published breach; moving the same password to a different application is not a change. Note that forcing routine password changes on a fixed schedule is no longer recommended by the NCSC or NIST, because it pushes people into weak, predictable variations of the old password.
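The two checks that matter most in practice are illustrated below as an added example; it is not code from the original article or from Quiss. It rejects passwords that are short or that are merely dressed-up variants of entries on a common/breached-password denylist (the tiny list here is constructed; a real deployment would load a breach corpus), and it shows what a k-anonymity breach lookup of the kind used by the Pwned Passwords API would send off the machine (a 5-character SHA-1 prefix) without actually sending anything. The 12-character minimum is an assumed policy value.

```python
"""Password hygiene checks; an added example, not code from the article.

Combines the two checks current guidance favours over complexity rules:
a denylist of common/breached passwords matched after undoing the tweaks
users make to get round it, and a minimum length.  Also shows what a
k-anonymity breach lookup would transmit, without transmitting anything.
"""
from __future__ import annotations

import hashlib
import re
import unicodedata

# Constructed sample standing in for a breach corpus; the first two entries
# are the perennial chart-toppers the article names.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "qwerty", "12345678",
    "111111", "letmein", "welcome", "admin", "iloveyou",
}
MIN_LENGTH = 12   # assumed policy value, not taken from the article

_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(candidate: str) -> str:
    """Reduce a password to the root a cracking wordlist rule would try.

    'P@ssw0rd2023!' -> 'password': lower-case, strip the digits/symbols
    bolted on at either end, then undo leet substitutions in the middle.
    All-digit or all-symbol passwords ('123456') are returned as typed.
    """
    s = unicodedata.normalize("NFKC", candidate).strip().lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)
    return core.translate(_LEET) if core else s


def is_common(candidate: str) -> bool:
    """True if the password, or its normalised root, is on the denylist."""
    return (candidate.strip().lower() in COMMON_PASSWORDS
            or normalise(candidate) in COMMON_PASSWORDS)


def check_password(candidate: str) -> list[str]:
    """Return the reasons a password is unacceptable; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_common(candidate):
        problems.append(f"variant of common/breached password '{normalise(candidate)}'")
    if len(set(candidate.lower())) <= 2:          # 'aaaaaaaaaaaa', '121212121212'
        problems.append("too few distinct characters")
    return problems


def range_query_parts(candidate: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix a k-anonymity lookup
    (the scheme used by the Pwned Passwords API) sends to the server and the
    35-char suffix the client compares locally against the returned list.
    Nothing is sent here; it only shows what would leave the machine."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd2023!", "aaaaaaaaaaaa", "correct horse battery staple"):
        print(repr(pw), check_password(pw) or "ok")
    print(range_query_parts("password"))
```

The normalisation step is the point: a denylist that only matches exact strings is defeated by the first user who types "Password1!", which is precisely the first rule a cracking tool applies.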
Cyber-attacks via email are a growing concern and are often the most direct and audacious route to stealing money and data, with many high-profile cases in recent years.
Users must not only be warned to look out for suspicious emails but be shown what makes an email suspicious, starting with a careful check of the address the email was actually sent from (not just the display name) before taking any action. Emails containing urgent requests for information, requests to follow links, or unexpected attachments with instructions to open them must all be treated with suspicion.
Phishing and, in particular, spear phishing emails have become a real problem for many organisations: the content adopts a familiar tone and implies inside knowledge of the organisation, its personnel or a specific situation, such as a property sale.
And of course individuals and organisations must have appropriate email security that is current, patched and managed, and keep up to date with the latest phishing techniques.
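The checks described above (sender address versus display name, where replies really go, lookalike domains, urgency, unexpected attachments) can be turned into a simple triage routine. The following is an added example, not code from the original article or from Quiss: it parses a raw message with Python's standard email library and lists the tells it finds. The trusted domains and the two sample messages are constructed for illustration.

```python
"""Header triage for a suspicious email; an added example, not from the article.

Parses a raw message and flags the tells the text lists: a From address that
does not match the name it shows, a Reply-To pointing elsewhere, a sender
domain that merely resembles a trusted one, time pressure in the subject,
and a risky attachment type.
"""
from __future__ import annotations

import re
from email import message_from_string, policy

# Assumed: domains this organisation legitimately corresponds with (not from the article).
TRUSTED_DOMAINS = {"example.com", "example-bank.co.uk"}

# Pressure words typical of the "urgent information requests" the article warns about.
URGENCY = re.compile(r"\b(urgent|immediately|action required|overdue|suspended|verify now)\b", re.I)

RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".html", ".iso", ".zip", ".docm", ".xlsm")


def skeleton(domain: str) -> str:
    """Collapse the character swaps lookalike domains rely on (examp1e, rnicrosoft, vvest)."""
    d = domain.lower()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        d = d.replace(old, new)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one typo away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain this sender domain imitates, or None if trusted/unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for t in TRUSTED_DOMAINS:
        if d.startswith(t + "."):                       # example.com.attacker.net
            return t
        if skeleton(d) == skeleton(t) or edit_distance(d, t) <= 1:
            return t
    return None


def triage(raw: str) -> list[str]:
    """Return the reasons a message deserves suspicion (empty list means none found)."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    senders = msg["From"].addresses if msg["From"] else ()
    if not senders:
        return ["no parseable From address"]
    sender = senders[0]
    from_domain = sender.domain.lower()

    # Display name written to look like an address at a different domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", sender.display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name shows {m.group(0)} but the address is {sender.addr_spec}")

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    replies = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if replies and replies[0].domain.lower() != from_domain:
        findings.append(f"Reply-To {replies[0].addr_spec} goes to a different domain than From")

    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append("subject applies time pressure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"unexpected executable/archive attachment {name}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "fd@example.com" <fd@examp1e.com>
Reply-To: payments@mail-relay.net
To: clerk@example.com
Subject: URGENT: supplier payment overdue - action required today
Content-Type: text/plain

New bank details are below, please pay before close of business.
"""

LEGIT = """\
From: "Finance Director" <fd@example.com>
To: clerk@example.com
Subject: Q3 expenses summary
Content-Type: text/plain

Summary attached next week, nothing to action yet.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample) or ["no findings"])
```

None of these tells is conclusive on its own; the value is in showing users that a message can pass a glance at the display name and still fail every other check, which is exactly the case the constructed phishing sample produces.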
Using Wi-Fi Best Practices
It is tempting to connect to free Wi-Fi whenever it is available, to save data or get a better signal, but it is important to identify the correct network first. If in doubt, ask whether there is free Wi-Fi and what the network is called, even when no password is needed; never make assumptions.
Criminals are more than capable of setting up their own hotspot with a name similar to that of the unsuspecting coffee shop, ready to intercept everything you send through it. Having used a public Wi-Fi network, users must log off any services they signed into, and financial or corporate transactions should be avoided altogether on unsecured public networks.
Good practice also dictates that devices are made to forget any public network they have connected to, so that they cannot reconnect automatically later without the user realising.
Identify Secure Wi-Fi Connections
Ideally, users working remotely should always try to identify and use secure Wi-Fi connections. This typically means the host or hotspot provider grants access with a security code, once the user has confirmed the correct network name. Again, ask and make no assumptions.
If given a security code, users should establish whether it is individual to them or shared with everyone connecting; a code that everyone has offers little protection against the other people using it.
Even ordinary web browsing calls for safe-surfing habits. Whatever the website, the address bar should show https:// and a padlock, which signifies that the connection to that site is encrypted. Note what the padlock does not mean: it says nothing about whether the site itself is legitimate, and phishing sites now routinely use HTTPS too, so the domain name in the address bar must be checked as well.
The same applies to pages reached via links on other web pages, which may themselves have been compromised, so users should be on the lookout for suspicious links. If in doubt, don't click the link!
Awareness of Social Engineering
Social engineering is the term used to describe the methods cyber-criminals use to manipulate people into surrendering confidential personal and corporate information.
Criminals typically target individuals to trick them into revealing passwords or bank details, or into allowing access to a computer so that malicious software can be installed to give the attacker control of it, and possibly a route into the organisation's systems and even more valuable data.
It is a growing threat, and organisations should warn all users to set their social networking profiles (e.g. Facebook, Twitter, YouTube, MSN etc.) to private, because profiles offer valuable information for criminals to use in phishing attacks.
Users should be careful about what personal and corporate information they share online, e.g. status updates on LinkedIn. In fact, organisations should warn all employees to be cautious when giving out personal information on the internet.
The golden rule is: slow down. Cyber-criminals want targets to act first and think later, particularly when the message appears to come from a colleague or superior and demands urgent action. The need for security must override high-pressure sales tactics and urgent requests for information or bank details.
Remember that curiosity leads to careless clicks: if an email is unexpected, or its subject is unclear, links within it should be left alone. Phone numbers in such emails should not be called either, since criminals can easily impersonate a colleague in an overseas office or even the bank; use a number you already know to be genuine instead.
Using Portable Media
Portable media features heavily in stories about data theft and loss, particularly unencrypted USB drives. The fines for losing the personal data of employees, prospects or customers are severe, and real care must be exercised when handling such information.
In the same context, an unknown USB drive should never be plugged into a PC, laptop or mobile device. And avoid plugging any USB-powered device into a public USB charging point: despite the offer of a free charge, it may have been configured to read data from your phone or load malware onto it.
Hopefully you have found this a useful introduction to every individual's responsibility for cyber security within the organisation they work for. The list is by no means exhaustive and only scratches the surface of the complex challenge cyber security poses in the modern, always-on, interconnected digital world.
As criminals are frustrated by these defences they will undoubtedly develop more sophisticated methods of stealing data, identities and money, trashing corporate reputations along the way.
So it is imperative that every organisation provides regular cyber security training for everyone, ideally starting at induction, since new starters are particularly vulnerable to this kind of attack.
It’s time to focus on the natural weak points in the system, given the efforts already made to secure the hardware and infrastructure from attack. And Quiss can help.