Have you heard tales of cybercriminals dumping computer drives loaded with malicious code in business car parks, waiting for one to be picked up and plugged into a work computer? Sounds ridiculous? Well, unfortunately, it has happened.
It’s easy for hackers to get a foot into your business with little to no effort. As a result, security awareness training of your employees about current security threats, company security policies, and the personal role each plays in keeping your business safe from cyber threats is essential.
Unfortunately, many businesses don’t know where to begin the development of a program or what areas they should focus priority on. With so much to know and paths you can take, we understand the potential confusion. Here are some must haves as part of any good cybersecurity training program:
- Phishing and social engineering
- Passwords and network access
- Device security
- Physical security
Phishing and Social Engineering
Social engineering is an attack that happens when a user is tricked into giving away key information. Phishing, which is an attempt to get sensitive information like passwords and credit cards from someone through email or chat, is a common social engineering attack.
Why are phishing and other social engineering attacks so successful? Because they appear to come from a credible source, making you think it’s from a trusted source. Signs of a phishing attempt include typos, links containing a string of random numbers and letters, an odd sense of urgency, or a simple feeling something is off about the information being requested. For more information, here’s what you need to know about phishing.
If a user feels something isn’t quite right, they should never click on a link or attachment or give out sensitive information. There should be a process in place for informing the right person or department promptly if they believe they are receiving malicious email communications. If one employee is being targeted, it’s likely many others are, too. Alerting the right staff promptly is critical for preventing a phishing scam from entering the network and spreading company wide.
Passwords and Network Access
Employees should be following best practices when it comes to passwords they’re creating, especially for passwords used to access IT environments. For many industries, enforcement of password policy is a compliance requirement. Passwords should be unique to each application and information source, at least eight characters, contain letters and special characters, and stay away from obvious information like names and birthdays. Further passwords should be updated every 90 days and never stored on sticky notes affixed to monitors or keyboards or shared with other employees.
This may be less obvious, but employees should also be wary of network connections used outside of their homes or work. Even if data on their device is encrypted, it’s not necessary that a connected network transfers that data in an encrypted format, which opens the door to many different vulnerabilities. Plus, public networks may be tapped, which puts all data exchanged on that network at risk. Use a trusted network connection or secure the connection with appropriate VPN settings. Employees should be mindful of the potential security ramifications when logging onto company resources from their local coffee shop’s network.
In an era where more and more personal devices operate within the workplace, employees must understand the potential security risks of connecting to the enterprise network from their shiny new phone or tablet. The same threats posed to company desktops and laptops also apply to personal devices. Ideally, you will work with employees to ensure they have the means to securely access resources from their own devices, but they should always be mindful of the websites they’re browsing, the applications they are installing, and the links they’re clicking on.
Physical security also plays a role in keeping sensitive information protected. How often do employees mistakenly leave a mobile device or computer unattended? It happens to all of us. But, if someone were to swipe an unattended phone or log in to sensitive assets from a connected network session, all of your data could immediately be at risk. With more staff working away from offices, this has never been more important.
This is an area of security often overlooked and in need of a good refresher, especially with so many employees now accustomed to working from home and out of practice with good office security measures such as:
- Lock devices. Employees should re-establish the habit of doing this every time they leave their desks. Have you thought about setting up an auto lock?
- Lock documents. Sensitive materials should be stored in a locked cabinet and not left sitting on an open access desk. Do they need to be printed in the first place?
- Discard properly. When throwing away documents, users should be sure not to place sensitive papers into a general trash bin. The company should have a policy and process in place for appropriate and secure removal of such files. What needs to be shredded?
If you’re concerned about cybersecurity in your organisation, have a chat with one of ACUTEC’s friendly consultants today.