The phrase “You are the weakest link” applies well to cybersecurity. You can have the most state-of-the-art home security system in the world, and it becomes worthless if you are tricked into opening the front door. The human factor overrides all the fancy technology. The same is true of your computer network.
You can have the latest and the greatest in security products, but you are always one click away from disaster.
Most people trust their technology. They trust their alarms to wake them up and their calendars to alert them. They trust security products as well, which they should. But even when the light is green, you should still look before you cross the street.
When hardware or software is installed and set up, it can only respond according to how it has been configured.
Human beings are different. We can be manipulated, tricked, and fooled.
A firewall does not experience fear, confusion, or anxiety, but people do. Our emotions, and even our good intention to help someone, can be used against us. Social engineering, as we know, can be carried out by email, phone, text message, and even face to face to get us to open that front door.
Security awareness and training
This is vital for an organization to prevent hackers from getting a foot in the door. Many compliance packages now include this as a requirement. Everyone from the CEO to the janitor should learn about security as it pertains to their daily routine.
This involves devoting specific time to the education of all employees concerning cybersecurity and even physical security, because the two always overlap.
People who have been successfully trained in security awareness can become a source of strength for the company. Conversely, those who struggle to learn security practices, or who fail to apply what they have learned, can become a vulnerability for the whole organization.
Information security must be highly valued and become part of every company practice. Whether it is new product design, payment processing, human resources, or delivery of services, all aspects of business must come under security awareness. All improvements and company policy changes must take security into account.
Phishing email simulations
This is a very effective way of teaching people how to recognize and avoid fake email. Simulated phishing emails are sent to some or all employees; anyone who falls for one is told so at once, and can then review what happened and learn to spot such emails in the future.
As groups go through repeated simulations, the failure rate drops, with fewer people falling for the emails each time. These tests are designed to teach the warning signs of a phishing email, such as strange senders, unknown URLs, and unfamiliar links. Other clues can be learned as well, such as bad wording or poor graphics that suggest the email is fake.
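The warning signs listed above can be checked mechanically. The following is an added example (not code from the original article): a small checker that flags a sender domain the company does not own, a link whose visible text shows one site while the href points to another, and links to unfamiliar domains, run over two constructed sample messages. The trusted domain `example-corp.com` and both messages are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Domains the (hypothetical) company treats as its own; an assumption for this example.
TRUSTED_DOMAINS = {"example-corp.com"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
ADDR_RE = re.compile(r"<([^>]+)>")
URL_RE = re.compile(r"https?://[^\s<]+")

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sender_domain(from_header):
    """Domain of the real address in a From: header, ignoring the display name."""
    m = ADDR_RE.search(from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def phish_indicators(message):
    """Return a list of warning signs found in a constructed {'from', 'body'} message."""
    findings = []
    dom = sender_domain(message["from"])
    if not is_trusted(dom):
        findings.append(f"sender domain {dom} is not a known company domain")
    for href, text in HREF_RE.findall(message["body"]):
        href_host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(text)
        shown_host = (urlparse(shown.group(0)).hostname or "").lower() if shown else ""
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        elif not is_trusted(href_host):
            findings.append(f"link to unfamiliar domain {href_host}")
    return findings


# Constructed sample messages (not real mail): one simulated phish, one legitimate notice.
SIMULATED_PHISH = {
    "from": "IT Helpdesk <helpdesk@example-corp-login.net>",
    "body": 'Your password expires today. Reset it at '
            '<a href="http://example-corp-login.net/reset">https://portal.example-corp.com/reset</a>',
}
LEGITIMATE = {
    "from": "IT Helpdesk <helpdesk@example-corp.com>",
    "body": 'Reminder: <a href="https://portal.example-corp.com/reset">https://portal.example-corp.com/reset</a>',
}

if __name__ == "__main__":
    for name, msg in (("simulated phish", SIMULATED_PHISH), ("legitimate", LEGITIMATE)):
        print(name, phish_indicators(msg) or ["no warning signs"])
```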
Proper password use
Users learn not to reuse the same password across their different accounts. Knowing how to create a strong password is also important. A good strategy is to use a passphrase or sentence: something easy to remember but hard to guess. An example would be ‘mydoglikestoplaymarbles’, or ‘my dog likes to play marbles’ written as one word. This is easy for the user to recall but almost impossible for a hacker to crack using a brute force or dictionary program.
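To put numbers on that claim, here is an added example (not code from the original article) that estimates how long an attacker would need to exhaust the search space for the page's passphrase versus a typical eight-character password, both by raw brute force and, for the passphrase, under the less favourable assumption that the attacker knows it is six common words. The guess rate of 1e10 per second and the 20,000-word dictionary are assumptions chosen for the example.

```python
import string

# Assumed attacker capability for the estimate: an offline cracker trying 1e10 guesses/second
# against a fast hash. This figure is an assumption for the example, not a measured value.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password):
    """Size of the smallest standard character set that covers every character used."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", len(string.punctuation) + 1),
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def brute_force_guesses(password):
    """Worst-case guesses for an attacker who knows only length and character classes."""
    return charset_size(password) ** len(password)


def dictionary_guesses(word_count, dictionary_size):
    """Guesses for an attacker who knows the passphrase is word_count words
    drawn from a dictionary of dictionary_size common words."""
    return dictionary_size ** word_count


def years_to_exhaust(guesses):
    """Years needed to try every candidate at GUESSES_PER_SECOND."""
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def compare(short_password, passphrase, word_count, dictionary_size=20_000):
    """Return (years for short password, years for passphrase by brute force,
    years for passphrase by dictionary combination)."""
    return (
        years_to_exhaust(brute_force_guesses(short_password)),
        years_to_exhaust(brute_force_guesses(passphrase)),
        years_to_exhaust(dictionary_guesses(word_count, dictionary_size)),
    )


if __name__ == "__main__":
    # The page's example passphrase versus a constructed eight-character password.
    short, phrase = "P@ssw0rd", "mydoglikestoplaymarbles"
    labels = ("8-char brute force", "passphrase brute force", "passphrase 6-word dictionary")
    for label, years in zip(labels, compare(short, phrase, 6)):
        print(f"{label}: {years:.3g} years")
```

Even the dictionary estimate, which is far smaller than the raw brute-force figure, comes out at hundreds of millions of years, while the eight-character mixed password falls in days.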
Using the Windows, Mac, or Linux screen lock feature when away from the desk will prevent another person from viewing or accessing the workstation. Along with this is a clean desk policy, which means papers containing sensitive data must be put away when the desk is unattended, and at the end of the day.
Today anyone with a cell phone can capture information without even having to take any physical documents. Security awareness also may include a company having what is called an Acceptable Use Policy.
This is a set of rules that outlines how one’s computer, or other company-owned technology, may and may not be used.
Examples include which websites may be visited during the workday, which devices may be attached to the computer (tablets, cellphones), what personal activity is permitted, if any (email, online purchases), and whether data may be sent off the machine by email or copied to a flash drive.
Physical security matters too. This includes locking all files or drawers containing important or sensitive information. Perimeter monitoring is also key. Secure entry points with camera monitoring allow visitors and delivery personnel to be observed. This is also why locking down your computer is so important.
A visitor may access a workstation unnoticed, especially in a larger busy office. Recently a person was hired by a major company to test their physical security. He was able to get through the lobby, past reception, and made it to a company workstation. He used just a little bit of technology, and a whole lot of social engineering.
Create a Security Culture and Attitude
The goal of security awareness training is simply to achieve a secure workplace. It is more than checking off boxes on a list or passing a test. It is a change in behavior and attitude that is attuned to the dangers and threats of cyberspace.
When people have a fire drill they stop working, leave the building in a directed order, wait, and return.
They don’t spend the rest of the day thinking about how they can prevent a fire from starting, or how to safely escape one. They do their duty and then go back to business as usual.
Sadly, for most people the approach to cybersecurity is the same. It is another chore that their organization requires, so they do it robotically and then move on.
What needs to be done is to instil the importance of cybersecurity into individuals and whole organizations. Showing users what is at risk, and what a lax approach leads to, is vital.
Training should include case studies of breaches with examples of the damage caused. Teaching users how a simple trick email can escalate into a billion-dollar breach drives home how each person plays a part in security.
Most think it is the job of the IT department. “That’s computer stuff, I’m on the sales team,” they’ll say to themselves. But today every part of a company is connected to the network and accesses it every day.
Each part of the company needs to be secure. Whether purchasing supplies from vendors, or storing personal employee information, or using customer payment information, each stage in the creation and delivery of value to stakeholders is vital to the healthy life of the organization.
Each facet is necessary for daily workflow and a breach in any department will affect the whole business.
Request a free Cyber Security review of your business.