Please Note: This is the second article in a series.
Your employees are your first line of defense in protecting your network’s security. As seen on USA’s show Mr. Robot, all it can take is one USB drive left in the company parking lot to pique an employee’s interest in its contents, perhaps in the hope of identifying the owner, for a hacker to gain access to your network through that employee’s computer. Without proper education, awareness, and engagement, employees are not equipped to make decisions that keep your network protected, let alone to understand how their own actions may be making the network more vulnerable.
What are some simple ways you can engage your staff in cyber security education? One of the most effective ways to educate employees on cyber security is to relate it to their home network security. This helps them find value outside of the workplace and cements the information on a personal level.
Regardless of location, you and every member of your household over 13 are going to use email every day, guaranteed. Email spear phishing campaigns remain the top cyber security threat because they are cheap and persistent. Pleas for help, fake emails from friends, requests for password information, etc., are all examples of the social engineering used in spear phishing campaigns, which are becoming more sophisticated and more effective by the day. Once an email is opened, the attacker then tries to get the target to click on a link or open an attachment in order to get inside the network. According to the Verizon DBIR, “23% of recipients now open phishing messages and 11% click on attachments,” 50% of which happen within the first hour. This stat doesn’t seem that bad until it’s compared to the 10-20% of openings in previous years. To prevent these exploits, companies need to explain what phishing is, what it looks like, and how to avoid it, in simple terms and with examples. Companies should educate users on the importance of strict spam filter settings and, as a company, adopt a sophisticated detection and response program.
*OpenDNS has a great interactive quiz aimed at testing your phishing IQ. While it focuses on recognizing phishing websites, it ends with some great explanations of what makes a site safe or a threat.
"23% of recipients now open phishing messages
(10-20% in previous years)
11% click on attachments
50% of which are within the first hour"
- Verizon DBIR, April 2015
Did I just hear you groan? Yes, it’s true - by removing admin rights from employee computer profiles you are creating a little more work for your IT department and will probably hear a groan or two from employees. However, educating your staff on how they can use this same tactic at home may decrease the volume of those groans. Admin profile rights allow unrestricted access to endpoints, and once malware is deeply embedded it will disguise itself and spread quickly. Think about this: Would you rather spend five minutes authorizing your teenager’s computer for a program installation, making sure it’s safe, or use your time and money to rebuild their computer after a malware attack? The same is true at work. According to an Avecto report, removing admin rights “mitigates 97% of critical Microsoft vulnerabilities.” Resources are best spent preventing a compromise rather than trying to repair and clean up the aftermath, and privilege management is an easy component of protection.
"Removing admin rights mitigates 97% of critical Microsoft vulnerabilities."
- Avecto Report, March 2015
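Advice to remove admin rights is only as good as your ability to check who still has them. As an added example (not from the original article or any vendor), the PowerShell check below lists which accounts actually hold local administrator rights on a Windows workstation and flags any that are not on an allow-list; it assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and the allow-list entries are placeholders to replace with the accounts your IT department sanctions.

```powershell
# Added example: audit local administrator rights on one workstation.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember comes from the
# built-in Microsoft.PowerShell.LocalAccounts module).

# Principals expected to keep local admin rights (placeholder values;
# "CORP\Workstation Admins" is a hypothetical domain group for IT staff).
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "CORP\Workstation Admins"
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $approvedAdmins)

    # Enumerate every member of the local Administrators group, including
    # domain users and groups that have been nested into it.
    $members = Get-LocalGroupMember -Group "Administrators"

    foreach ($member in $members) {
        if ($Approved -notcontains $member.Name) {
            # Anything not on the allow-list is a candidate for removal.
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $member.Name
                Type     = $member.ObjectClass     # User or Group
                Source   = $member.PrincipalSource # Local, ActiveDirectory, ...
            }
        }
    }
}

# Report the findings; an empty result means the workstation already
# follows the least-privilege policy described above.
$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unapproved members in the local Administrators group."
}
```

Running this across a fleet (for example through your endpoint management tool) turns the "remove admin rights" policy into a measurable number of machines that still grant day-to-day users local admin.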
Educating new hires on policies is a great start, but it’s no longer enough. Think about your first day and the amount of information you were given. Did you remember it all? Do you still? The chances are low. Instead, make sure you’re a reliable, ongoing source of education for your employees. Reinforce the importance of following policies, such as password strength, and update them on the latest tactics, either within your company or your industry. Include what they should look out for and ways to avoid becoming a victim. As you’re educating them, make sure they know that you are a resource for answering any questions they have about network security, their role, or possible incidents, now or in the future. You are a vital key to making network security a relatable subject rather than one cloaked in technical terms and mystery.

It’s clear that businesses can no longer rely on reactive strategies and programs when it comes to protecting their network. It’s time to leverage a valuable resource through the engagement and awareness of employees. Once employees understand the role they play in network security and how they can translate that into their personal lives, they are much more likely to actively participate and follow corporate policies. Couple that understanding with an IT department that helps translate security in a very human and relatable way and you have a strong security culture to build upon.