Securing Your Business: The Basics of Employee Cybersecurity Training
Did you know cybercriminals load malicious code onto thumb drives and leave them in places like corporate parking lots, where a company’s employees will pick them up and plug them into a work computer? The employee wants to return the thumb drive to whoever dropped it, so they look to see what is on it. It is clever and typical of a cybercriminal to exploit a good deed to get at a company’s technology vulnerabilities, and it takes little to no effort on their part to succeed. Studies have found that this tactic works 60% of the time when tried.
How do you prevent something like this from happening within your company? Employee training. Security awareness training highlights potential security threats and reinforces company security policies. It also engages staff so everyone is aware of their personal role in keeping the company secure, and the company often learns, in turn, what types of threats people experienced in previous jobs. This training helps prevent hackers from gaining a beachhead in your business.
Unfortunately, many businesses do not know where to begin development of a program or what areas they should make a priority. Getting started on security awareness training can be confusing because the amount of information to be shared is vast and can be presented in so many ways. Fortunately, Sanapptx is here to help. We can augment an existing program you may have and reinforce any security policies. Typically, we work together with organizations to get employees set with the basics of security awareness and key components of any security program which can include:
- Phishing and social engineering
- Passwords and network access
- Device security and physical security
Phishing and Social Engineering
It is considered social engineering when an employee or user is deceived into divulging information, as in the thumb drive example. Another common social engineering attack is called phishing. Through phishing, a cybercriminal poses as a credible source, such as a Manager or Vice President within the company, gains an employee’s trust through an email or chat, and gets them to reveal sensitive information like passwords or credit card details. Tell-tale signs of a phishing attempt include typos, links containing a string of random numbers and letters, an odd sense of urgency, or simply a feeling that something is amiss about the information requested.
Often companies do not invest in employee IT security awareness because they think common-sense rules apply: do not give out sensitive information or click on suspicious links or attachments. However, without proper security training, an employee often wants to help and “do the right thing” when presented with a time-sensitive request from a person in authority. Even if a person suspects something is not quite right, they still help and therefore expose sensitive information. And it is usually not just one employee being targeted but several, so the odds of success for a cybercriminal increase.
Putting proper communications in place for informing the right people at the right time about sensitive information requests helps employees understand why a process exists and what to do in a compromising situation. This helps prevent security breaches from social engineering like phishing.
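The tell-tale signs listed above can be turned into a simple screening check. The following is an added illustration, not code from the original article or from Sanapptx: it scores constructed sample messages for an urgent tone, an executive title in the sender name paired with a mail domain that is not the company’s (COMPANY_DOMAIN is an assumed placeholder), and links whose host or path contain a long run of mixed letters and digits.

```python
import re
from urllib.parse import urlparse

# Assumed placeholder for the company's own mail domain (not from the article).
COMPANY_DOMAIN = "example-corp.test"
# Titles a spoofed sender might claim, per the article's Manager / Vice President example.
EXEC_TITLES = ("manager", "vice president", "vp", "ceo", "cfo")
# Phrases that signal the "odd sense of urgency" the article describes.
URGENCY_PHRASES = ("urgent", "immediately", "right away", "within the hour", "asap")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def looks_random(segment):
    """A long run mixing letters and digits, like the random-looking links the article mentions."""
    return (len(segment) >= 12
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def score_message(sender_name, sender_addr, body):
    """Return the list of tell-tale signs found in one message (empty list if none)."""
    flags = []
    if any(p in body.lower() for p in URGENCY_PHRASES):
        flags.append("urgency")
    # Executive title in the display name, but the mail did not come from the company domain.
    domain = sender_addr.rsplit("@", 1)[-1].lower()
    if any(t in sender_name.lower() for t in EXEC_TITLES) and domain != COMPANY_DOMAIN:
        flags.append("exec-name-external-domain")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if any(looks_random(t) for t in TOKEN_RE.findall(parsed.netloc + " " + parsed.path)):
            flags.append("random-looking-link")
            break
    return flags


# Constructed sample messages for illustration; none are real mail.
SAMPLES = [
    ("Jane Doe, Vice President", "jane.doe@mail-relay.test",
     "Please wire the payment immediately: http://pay.test/inv/a8f3kq9z2m4xq1"),
    ("Pat Lee", "pat.lee@example-corp.test",
     "Minutes from today's meeting are at https://intranet.example-corp.test/minutes"),
]

if __name__ == "__main__":
    for name, addr, body in SAMPLES:
        print(f"{addr}: {score_message(name, addr, body) or 'no signs found'}")
```

A check like this supports, rather than replaces, the reporting process described above; a message with no flags can still be a phishing attempt.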
Passwords and Network Access
Employees should follow best practices for the passwords they create, especially passwords used to access IT environments. In most companies and industries, a password policy is enforced. Most employees are aware of the best practices they must follow, like changing passwords every 90 days, never storing passwords on paper in easy-to-find places, and not sharing passwords. What is less obvious is the risk of using a network outside their home or workplace. With remote work on the rise, people can work from anywhere. If they use a wireless network that is unsecured or weakly secured, the company could be affected. Even if data on their device is encrypted, the network it connects to does not necessarily carry that data in encrypted form, which opens the door to different vulnerabilities.
Using a trusted network connection, or securing the connection with appropriate VPN settings, is necessary because public networks can be tapped and data is instantly at risk.
Device & Physical Security
In an era where more and more personal devices operate within the workplace, employees must understand the potential security risks of connecting to the enterprise network from phones or tablets. Increasingly, business is conducted quickly through cell phones and tablets owned by employees rather than the company, so an employee is not always mindful of the websites they visit, the links they click, or the applications they install. Phones are also easily stolen, which poses a physical security threat.
A good refresh on security is required to ensure data is not at risk, especially with so many employees working remotely from home. Good office security measures include:
- Locking all devices when leaving a desk. This is a habit that may take time to build but can be accomplished.
- Locking up documents. Most employees have lockable drawers; sensitive documents should be locked away and not left in the open on a desk or printer.
- Properly discarding information. Sensitive documents should not be placed in general trash cans, receptacles, or bins that then go into the larger general trash. The company should put a policy in place to have such documents shredded, or a process to ensure appropriate removal of such documents and files.