Bogdan Botezatu, senior e-threat analyst at Bitdefender, shares his top tips on how to kick off a cybersecurity training programme.
Human behaviour will always represent a weak link in the cybersecurity chain. Even an organisation with the best security tools in place will always be vulnerable, to a certain extent, to human error.
IT leaders should therefore ensure that a sizeable chunk of security budget is allocated to training, so that you can be confident your employees know how to identify and avoid common cyber threats such as spear-phishing attempts, how to handle company data, and how to identify social engineering techniques.
For employees who work outside the IT department in particular, endless PowerPoint presentations and lectures are not necessarily the best way to develop cybersecurity awareness; the danger is that they will simply switch off.
If you do not want your employees to go back to routine and forget about cyber dangers, you need to think about incorporating real-life training exercises. These can show how cyber threats occur in real time and affect daily operations. This may seem like a daunting task: where do you begin with the knowledge transfer, and what really matters?
When a password becomes a skeleton key
For employees, password managers solve the problem of trying to remember multiple passwords, but from an enterprise perspective they are not always the most secure method of authentication. Not that long ago, OneLogin, a password manager app, was hacked. Other popular apps also proved to have a lot of vulnerabilities that could open backdoors to your company’s precious data.
Staff should be encouraged to always enable two-factor authentication where possible, and make sure that passwords are at least 16 characters long and complex enough not to be easily guessed using available online information.
In fact, Bill Burr, a former manager at the US National Institute of Standards and Technology (NIST) who drafted an eight-page guide on how to create secure passwords, creatively called “NIST Special Publication 800-63. Appendix A”, has recently changed his mind on how to set up passwords. He now suggests that people create long passphrases rather than gobbledygook words with symbols, capitals and numbers. We agree with this advice.
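To make the passphrase advice concrete, here is an added example (not from the original article) that applies the 16-character minimum stated above and estimates how much guessing work a passphrase offers compared with a short symbol-stuffed password. The 7,776-entry word list size is an assumption for illustration; the article names no list.

```python
import math
import string

MIN_LENGTH = 16            # the article's recommended minimum length
ASSUMED_WORDLIST_SIZE = 7776  # assumption: a diceware-style list of 6^5 words


def meets_length_policy(password: str, minimum: int = MIN_LENGTH) -> bool:
    """True when the password satisfies the article's length requirement."""
    return len(password) >= minimum


def char_pool_size(password: str) -> int:
    """Alphabet size an attacker must search if every character were random."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def entropy_random_chars(password: str) -> float:
    """Upper-bound bits of entropy, assuming each character is chosen uniformly."""
    pool = char_pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def entropy_passphrase(words: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Bits of entropy for `words` words drawn uniformly from the assumed list."""
    return words * math.log2(wordlist_size)


def evaluate(password: str) -> dict:
    """Summarise a candidate: length policy, word count and both entropy estimates."""
    words = len(password.split())
    return {
        "length_ok": meets_length_policy(password),
        "words": words,
        "bits_as_random_chars": round(entropy_random_chars(password), 1),
        "bits_as_passphrase": round(entropy_passphrase(words), 1),
    }


if __name__ == "__main__":
    # Constructed samples: a classic "complex" short password and a four-word phrase.
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

Four dictionary words give roughly the same guessing resistance as eight fully random mixed characters while being far easier to remember, and only the phrase clears the 16-character bar.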
A peculiar email for a peculiar victim
Employees of all levels and skillsets can potentially be corrupted or targeted by cyber criminals, so limiting permissions and avoiding instances of Shadow IT can minimise the number of exit points for critical data.
That is why imposing stricter control and restricting employees from installing any unsanctioned software on their endpoint devices could prevent a number of accidental attacks from slipping through your safety net. Keep in mind that this still has to be done within a framework in which your organisation’s IT remains flexible. But flexible does not have to mean unsecured.
Specially crafted emails
By researching their victims online (doxing), attackers are able to craft emails that include detailed information either about the targeted individual or the company. The more accurate the information, the less likely it will be to arouse suspicions from its intended target.
Educating your employees about phishing and newly occurring social engineering techniques is highly recommended. Email filtering and security solutions should also be employed, as they can spot fraudulent URLs and malicious attachments.
It is inevitable that employees will travel for work, which creates another major threat to the organisation. Employees working remotely face quite a few issues that could compromise a company’s security. For instance, connecting devices to public charging points or using unsecured Wi-Fi networks can look quite innocent, until the device you gave your employee is infected with malware and all your company’s data is available to intruders.
These are only a few of the examples that employers need to discuss with employees who take their work outside the office’s four walls. Regardless of the location, employees should always focus on securing their locally stored data, data accessed via cloud platforms and their connection to the office.
As an example, a cyber-crime group called DarkHotel has been operating an advanced scheme aimed at executives and R&D staffers to get hold of intellectual property by compromising hotel Wi-Fi networks. If this happened to your employee, cyber criminals could potentially steal your company’s information and gain a tactical advantage over your whole business.
Seeing the business as a whole
It is vital to understand that your business’ data now resides across an entire network of endpoint devices, as well as traditional IT infrastructures. Each connected device can be a potential weak link, and a small unnoticed vulnerability can cause a great danger to the whole business.
Bring your own device (BYOD), mobility and cloud have not only transformed work through improved flexibility, but also vastly increased the number of entry points that could be used by criminals to gain access to a company’s data. As the penetration of IoT devices in industry grows, so will the threats posed to security by their unauthorised deployment and use. Personal IoT devices will also increasingly be carried across traditional security boundaries by employees, compounding the issues.
Intellectual property, payment information and customer data are the most important assets for any company. Exposing any of these will result not only in the loss of business but also an irreparable loss of reputation.
Companies should have a clear and comprehensive cybersecurity policy in place, and communicate it effectively across the business. And, in this instance, you must educate your employees that each smart device can act as a gateway to company data. Sending around a lengthy document to explain this will not suffice; you have to engage employees on the topic.
Ticking off the security list
It’s vital for companies to identify their mission-critical data and secure it from attackers and advanced threats. Only those who apply a layered security approach can allow employees to work from home without the fear of eavesdroppers listening in on their connection, or of missing the potential indicators of a breach.
Unsecured connections can also be addressed with VPN links and data encryption, full-disk encryption in particular. There should also be a good knowledge of the legal aspects of data storage, data retention and data manipulation.
However, the biggest threat is the lack of education. Just making employees watch a video or sit through a PowerPoint is passive and ineffective. People tend to forget boring information even more quickly than other things. Security isn’t something deployed once and then forgotten about.
It should be a continuous process that’s tailored to each organisation’s line of business, requirements, and needs. Therefore, putting your employees through real-life breach scenarios, such as sending fake phishing emails to your employees as a test, can really help with preparedness and alert them to think about each step they make.