When security breaches make U.S. headlines, they’re often about cyber criminals in another country or a disastrous glitch with technology. What the stories don’t cover is that these breaches are increasingly the result of an action taken by someone on the inside. In fact, last year’s IBM Cyber Security Intelligence Index reported that 60% of all cyber attacks were carried out by company employees.
Today, every worker has the potential to be a threat, and companies are only as strong as their weakest link. To combat issues within your IT environment it’s important to take the proper precautions, including educating all staff members so they are prepared to assist in keeping computers and networks safe. This approach applies to companies of all sizes, regardless of industry. Here are five tips to follow:
- Talk to all employees about cyber security. Training your workers is a critical element of security. Everyone, from upper management to administrators, needs to understand the value of private customer and company data and their role in protecting it. Most importantly, they need to know the workplace policies and practices for Internet safety. Among the key steps everyone should take are:
  - Keep a clean machine: Know which programs can and cannot be installed. Unknown third-party programs can bring security vulnerabilities onto your network.
  - Create a strong password: Passwords should be updated regularly, stored in a safe place away from your computer, and meet all authentication requirements, including special characters, capital letters, and numbers.
  - Back up all work: Employees should be encouraged to take the proactive step of backing up all their work on a regular basis to an outside server. This will limit the damage caused by a data breach.
  - See something, say something: If something strange is happening on an employee’s computer, make sure they are comfortable reporting the problem to the IT team.
- Set quarterly meetings to discuss new and existing cyber security topics. With new employees starting work at any time, and updates to online technologies becoming available almost daily, cyber-security training should be worked into your general onboarding activities. Because work schedules are often hectic, creating a training environment that captures and keeps everyone’s attention is key. To that end, consider:
  - Offering incentives: Provide food, drinks, and/or small prizes to your employees to encourage cooperation.
  - Making it useful: Incorporate relevant news stories, use trending examples, and offer tips that can be applied outside the workplace. Remember, most employees have a PC or a handheld electronic device at home to which they can apply what they have learned.
- Warn employees to pay attention to social engineering activities. Social engineering scams are among the hardest to avoid because no technical safeguard alone can protect your business from them. Whatever the criminal’s end goal, he or she will try to build a relationship of trust and then take advantage of human error. For that reason alone, it’s imperative to educate employees in best practices. Through training courses, like the IT education classes offered at Pinnacle Center for Professional Development, you can help teach your employees the proper IT behaviors to achieve long-term risk reduction. The most common scams to be aware of are:
  - Phishing attacks: The most common attack, these threats are delivered through email, social media, SMS, and instant messaging in an attempt to expose and/or compromise sensitive information.
  - Watering hole attacks: Malicious code is inserted into public Web pages that are used frequently by a specific organization. Once an employee visits the infected site, a backdoor trojan is installed on the computer, infecting it with malware.
  - Whaling attacks: High-profile executives are targeted so cyber criminals can obtain highly valuable economic and commercial information. This data can include confidential information, personal data, and access to restricted services.
  - Pretexting attacks: A lie or false motive is presented to obtain private information. The success of the attack depends heavily on the attacker’s ability to build trust with the victim.
  - Baiting and Quid Pro Quo attacks: Sometimes confused with other social engineering attacks, these maneuvers exploit the victim’s curiosity by promising a good that is used to disguise a malicious file. A Quid Pro Quo is a variant of baiting and differs in that, rather than promising a good, the attacker promises a service or a benefit in exchange for a specific action.
  - Tailgating attacks: Also known as “piggybacking,” an attacker seeks entry into a restricted area by tagging along with another person who is authorized to enter.
- Know how to recognize and react to an attack. As social engineering continues to succeed, it is important to keep employees educated about how to recognize these attacks, as well as the policies to follow if action needs to be taken.
  - Make training sessions mandatory, and don’t forget to review the basics, including:
    - Notify your administrator of any suspicious emails or unusual activity.
    - Always turn off your machine and unplug it from the network.
    - Have your IT team members’ phone numbers in your contact list so that you can communicate quickly during an attack.
  - Create a remediation plan that is available to all employees, and update it frequently to address new policies and regulations.
  - Openly communicate step-by-step instructions about what to do if an employee believes they are being attacked.
- Invite, listen, and respond to feedback. If you require employees to follow security guidelines, be prepared to listen to their feedback. In fact, welcome it. If an employee raises a red flag, investigate it, even if it seems to be a false alarm. You want to build a sense of trust and transparency so your workers are not discouraged from speaking up when they think something is not right. Additionally, ensure that your training strategies and protocols are well understood and actually followed. If procedures are too complicated and begin to disrupt daily workflow, it’s important to openly discuss other options that accommodate both the policies and employee needs.
By putting an emphasis on education and transparency, employees know their roles within the security culture of a company and why it is so important to the overall corporate health. At Pinnacle Center for Professional Development, our face-to-face and classroom-based programs are individually designed to support your IT security needs. Courses are delivered in a comfortable, informal, discussion-oriented atmosphere that has proven to be highly effective in ensuring retention of course material. Dates and locations of the course are flexible to best accommodate the schedules of those who wish to attend.
For more information about our HIMSS-approved educational training courses, call 973-890-1111 or visit Pinnacle Center for Professional Development. To learn about our IT services, visit Pinnacle Consulting Group.