Making staff an effective first line of defense in data security
Connectivity is a wonderful thing that has made all of our jobs easier, but it’s also made us more vulnerable to hackers and other criminals. That’s why cybersecurity is no longer solely the province of IT professionals, but the responsibility of everyone who logs onto a web portal, uses email or simply surfs the internet at work or at home.
Because cybersecurity is now everyone’s job, organizations must ensure that everyone, from the most recent hire up to the CEO, has the tools, training and overall awareness needed to help prevent losses from data theft and cyber-attacks.
Start with the Basics
First, IT managers need to look at their entire operation through a cybersecurity lens. It’s no longer enough to simply make sure that all of a business’s networks remain up and running. The attack surface available to hackers increases with every new device or piece of software you add to your network, making defensive strategies and tactics indispensable.
Although you’re probably inundated with solicitations from vendors assuring you that their product will meet all your cybersecurity needs in one fell swoop, rest assured that it will not. It may not be as exciting as plugging in a new piece of technology, but cybersecurity, like most things worth doing, starts with a focus on the fundamentals.
Those fundamentals must include controlling the execution of unauthorized software through application whitelisting, which prevents any software that has not been explicitly approved, malware included, from running on your endpoints. It’s also important to install software updates as soon as the supplier issues them, and that includes updates from your anti-virus vendor. A tremendous number of data breaches can be attributed to unapplied security updates and to poor patch management in general.
Malicious or not, IT administrators have the access and capabilities to wreak havoc on your network. Limiting and restricting administrator privileges is therefore an effective way to reduce insider-threat risk, and it also narrows the attack surface available to external hackers. Adopting multi-factor authentication on top of that adds a further layer of protection for high-risk areas of the network.
And because things go wrong at the most inopportune times, perform backups daily, keep them on two different platforms and store one copy offline. The faster you can recover data from your backups, the less likely you are to suffer a major business interruption.
For those outside the core IT team, who may not have the same level of technical expertise and knowledge, make sure training is up to date. Basic education on how to protect personal information and how to avoid threats such as phishing, and above all on how to report incidents, can go a long way toward protecting the entire organization. Make sure this training is engaging, relevant and personal; tick-the-box compliance training will be worth next to nothing in protecting your IT enterprise.
People May Be Your Security Chain’s Weakest Links
In many organizations, the biggest cyber risks are human-related. Many cyber scams target executive assistants or members of the finance team, as these individuals usually have more privileged access and authority. The attack typically starts with either a charming or a panicked email purporting to be from the CEO, requesting a transfer of funds to a new bank account. Unbelievable as it sounds, there have been cases where a company has lost tens of millions of dollars not because the criminals managed to install malware, but because they simply asked for the money, a tactic known as social engineering.
Employees in such vulnerable positions need to understand what to look out for and be alert. Criminals have been refining their techniques for years and have developed an understanding of the personality types most likely to fall victim to their schemes.
Some of the same characteristics that make someone a good team member, such as a desire to be helpful and efficient, can be used against them if they let their guard down. The first question on receiving a request for money or information should be: does this sound like our CEO? We all have our own nuances of communication, of which a cyber scammer is likely unaware. Would the CEO say “thanks” or “cheers” when speaking with their staff? Would they sign off with the shortened “Matt” or the full “Matthew”?
Another common scam is an urgent request, apparently from a new or established vendor, to release funds to a new bank account. Such a request should set alarm bells ringing. Employees should check the list of approved suppliers, then call the phone number already on file for that supplier to validate the request, rather than any number supplied in the email itself.
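The two scams above (an executive’s name on a funds request from outside the company, and a supplier asking for payment to changed bank details) can be triaged mechanically before a human ever reads the mail. The script below is an added example written for this page, not code from the original article or from any product it mentions. The company domain `example.com`, the executive directory, the approved-supplier list with its phone numbers on file, and the three sample messages are all constructed for illustration. It flags executive-name mismatches against the sending domain and Reply-To, lookalike supplier domains, and payment requests carrying urgency or new-account wording, and it always points the reader back to the phone number on file rather than anything in the message.

```python
"""Triage rules for CEO-fraud and supplier bank-change emails.

Added example, not from the original article. Every name, domain, phone
number and message below is constructed for illustration.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                                   # assumed: our own mail domain
EXECUTIVES = {"Matthew Jones": "matthew.jones@example.com"}      # constructed directory
# constructed approved-supplier list: name -> (their real mail domain, phone number on file)
APPROVED_SUPPLIERS = {"Acme Widgets": ("acme-widgets.com", "+1-555-0100")}

PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|bank (account|details)|iban|sort code)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|today|confidential|quietly)\b", re.I)
NEW_ACCOUNT_RE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|details)\b", re.I)


def domain_of(addr):
    """Mail domain of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; used to catch lookalike supplier domains (one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg):
    """Return a list of (rule, detail) findings for one message dict; [] means nothing fired."""
    findings = []
    name, addr = parseaddr(msg["from"])
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    text = msg["subject"] + "\n" + msg["body"]
    asks_for_money = bool(PAYMENT_RE.search(text))
    new_account = bool(NEW_ACCOUNT_RE.search(text))

    # Rule 1: an executive's display name, but the mail comes from, or replies go to, outside our domain.
    if name in EXECUTIVES:
        if from_dom != COMPANY_DOMAIN:
            findings.append(("exec-impersonation", f"{name!r} sent from external domain {from_dom}"))
        if reply_addr and domain_of(reply_addr) != COMPANY_DOMAIN:
            findings.append(("exec-impersonation", f"Reply-To leaves the company: {reply_addr}"))

    # Rule 2: the sender presents as an approved supplier (by name, exact domain or lookalike domain).
    for supplier, (sup_dom, phone) in APPROVED_SUPPLIERS.items():
        claimed = (supplier.lower() in name.lower() or from_dom == sup_dom
                   or edit_distance(from_dom, sup_dom) <= 2)
        if not claimed:
            continue
        if from_dom != sup_dom:
            findings.append(("supplier-lookalike", f"{from_dom} is not {supplier}'s domain {sup_dom}"))
        if new_account:  # even a genuine mailbox may be compromised, so always verify by phone
            findings.append(("supplier-bank-change",
                             f"call {supplier} on the number on file, {phone}, before paying"))

    # Rule 3: any funds request that leans on urgency or on "new" account details.
    if asks_for_money and (new_account or URGENCY_RE.search(text)):
        findings.append(("payment-pressure",
                         "funds request with urgency or new-account wording; confirm by phone, not by reply"))
    return findings


# Constructed sample messages: CEO fraud, supplier bank-change fraud, and a benign note.
SAMPLE_MESSAGES = [
    {"from": "Matthew Jones <matt.jones@example-mail.com>", "subject": "Quick favour",
     "body": "Are you at your desk? I need you to transfer $48,000 to a new account today "
             "for a confidential acquisition. Cheers, Matt"},
    {"from": "Acme Widgets Accounts <ar@acme-wldgets.com>", "subject": "Invoice 1187 - remittance",
     "body": "Our bank details have changed. Please remit the outstanding invoice to the new "
             "account below and confirm once sent."},
    {"from": "Matthew Jones <matthew.jones@example.com>", "subject": "Budget review",
     "body": "Thanks for the update on the budget review, see you Monday."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m) or "no findings")
```

The rules are deliberately simple string and domain checks so that they can be read and tuned by the finance or helpdesk staff who receive the reports; the point is not to block mail but to make “call the number on file” the default reflex whenever one of them fires.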
Security awareness campaigns should be developed that help your team stay safe at home as well as at work; good security habits formed at home carry over into the workplace. When educating employees, place sufficient emphasis on impact scenarios. Too many campaigns focus on what an employee must or mustn’t do without explaining the impact their actions can have on the wider business.
At the very least, employees need to understand what malware is and what damage it can cause, how to spot phishing attempts, and how to report them. They need to understand how to protect their browsing activities online and why they are a target.
Make sure your teams know that they always need to report anything suspicious immediately to IT or, if the company has a dedicated security team, to them.
Generally, once an attack is under way, a separate new attack entering the system through its end users is unlikely: attackers work to gain a foothold in a company and pivot from there, so a fresh intrusion by an unknown attacker at that stage is improbable.
Current forecasts declare that 50 billion objects will be connected to the internet by 2020. To protect ourselves and those we interact with online, we must all take precautions and become good internet citizens. Regulations will only take us so far; it is down to each individual to play their part. Cyberattacks are not going away, but we can lessen their impact by putting systems in place to protect our networks and making sure everyone is trained to use them securely.
A final thought for business and IT managers: if an information or operational technology system is compromised or goes down because of a security breach, it is more than an IT problem. As outlined earlier, cyber risk is everywhere and security is everyone’s responsibility. IT managers must ensure that senior management understands the gravity of the organization’s cyber risk.
Business leaders own this risk: they own the impact and they own the communication to customers, shareholders and other stakeholders. The IT staff is only one part of the solution.