Users are a company’s biggest asset and, unfortunately, often its greatest risk. Mitigating the risk posed by users is an ongoing challenge. You can limit their access through admin rights, but you can’t always prevent them from opening corrupted emails. You can force them to routinely change their passwords, but can’t prevent them from clicking malicious links.
So what can you do to ensure your company stays as secure as possible? Educate your users! Turn them into a security-aware workforce that would no sooner click a malicious link than download a corrupted patch. Read on for tips from Lumension’s Paul Zimski on what you can do to secure your greatest risk area: the users.
The following are steps organizations can take, as identified by Lumension, to make sure their staff is well informed about security issues.
Chances are good that when a new employee starts at your company, you already have a process in place to train them on the systems the company uses: everything from time entry systems to using the phones to database training. Make security training part of that onboarding process, but don’t let it stop there. During orientation, teach new employees how to check if a link might be malicious, what a corrupted file might look like, how to identify a fake patch they may be asked to download, and then what to do with that information.
Be sure they can identify many of the most common tactics attackers use to trick users into helping them, and then give them a clear path for remediation if they suspect they’ve been sent a phishing email or are being asked to download a faulty patch. Once the initial orientation is completed, continue to contact users on a regular basis about new threats. Set up a monthly email informing users about new attack methods or current phishing techniques so that they know what to look for. Add real-world context and real-time updates.
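The link check described above (does the link actually go where its text says it does?) is the kind of thing worth showing new employees concretely, and it is also worth automating for the people who triage reported emails. The script below is an added example, not code from the article or from Lumension: it pulls every link out of a constructed HTML email body and flags the patterns awareness training most often teaches, namely display text that names one domain while the href points at another, raw IP-address hosts, punycode (IDN) hosts, and links that download an executable posing as a patch. It uses only the Python standard library, and the "registrable domain" helper is a deliberate approximation (last two labels) because it assumes no public-suffix list is available.

```python
"""
Phishing-link triage helper (added example; not the article's or Lumension's code).
Flags link patterns that user awareness training commonly teaches people to spot.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample email body for demonstration; none of these hosts are real targets.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. <a href="http://198.51.100.23/owa">Log in to Outlook Web Access</a></p>
<p>Download the critical update: <a href="https://updates.example.net/patch.exe">https://updates.bigvendor.com/update</a></p>
<p>Questions? See <a href="https://intranet.example.com/help">the help page</a>.</p>
<p>Verify your account at <a href="https://xn--mybnk-abc.com/login">mybank.com</a></p>
"""

# File types a "patch" link should never hand a user directly (assumption: tune per environment).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".msi", ".bat", ".cmd", ".hta")
# Finds a bare domain name inside the visible link text, e.g. "updates.bigvendor.com".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: last two DNS labels (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_link(href, text):
    """Return the reasons this link deserves a second look; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if is_ip_literal(host):
        reasons.append("href host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("href host uses punycode (possible lookalike domain)")
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link downloads an executable file")
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"visible text names {shown.group(1)} but href goes to {host}")
    return reasons


def triage(html):
    """Extract every link from an HTML body and assess each one."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, text, reasons in triage(SAMPLE_EMAIL_HTML):
        verdict = "; ".join(reasons) if reasons else "nothing flagged"
        print(f"{text!r} -> {href}\n    {verdict}")
```

Run against the constructed sample, only the intranet help link comes back clean; the other three each produce at least one reason a user (or the help desk) should pause before clicking. The same `assess_link` function can sit behind a "report this email" mailbox so that the response to a user report is fast and concrete, which is exactly the follow-through the next sections ask for.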
Many users still think of cyber threats as a Nigerian prince or long-lost Russian uncle offering to give you $10,000,000 if you’ll only share your bank account information with him. While these email chains still exist, they are often caught in spam filters and are no longer the gold standard of phishing. Keep users up to date about real threats – phony links on Facebook, seemingly hilarious YouTube videos sent by friends that turn out to be malicious, and Twitter bots informing you that you’ve absolutely got to check out this scandalous picture someone posted of you on the Internet. Keeping users’ picture of cyber threats current keeps your systems more secure.
Give users a way to react to malicious materials appropriately and then follow through when contacted about it. Users frequently treat IT as a roadblock to productivity, which can be extremely detrimental to corporate security. Don’t be that roadblock, and respond helpfully and in a timely manner when contacted about these issues.
This is not to say that you should threaten to fire your users if they don’t follow your information security policies. Rather, many users simply don’t understand the potentially devastating impact of an attack – both on their organization and on themselves. A data breach can cost the company upwards of several million dollars. Stock prices can take a hit. Stolen IP can result in lost customers and lost opportunities.
In some industries, such as health care, where confidentiality of information is crucial and regulated, lawsuits can be a direct or indirect result of a breach. Companies may even have money stolen directly from their accounts, affecting their ability to invest in their employees. For some, a single data breach may be enough to put them out of business.
Ensure that users understand the potential consequences by sharing data from surveys or news articles on the impact of breaches. If a user believes that it’s a realistic possibility that a malicious link can take down the company – or eliminate the need for their position – they’ll be much less likely to click that link.
The mandate to pay attention to security can’t just come from IT. It needs to have visible support from high-ranking company executives. Top officials need to not only be talking the talk, but also walking the walk. Users need to see that security isn’t just something for them to pay attention to – it’s a company-wide issue for each and every employee. Users are bombarded constantly with messages from different departments both inside and outside their company, but if they see that high-ranking executives such as the CEO, CFO and others are placing a high value on corporate data security, they will be more likely to prioritize the message.
Social media is a virtual treasure trove of information for an attacker. Using information posted online by users about themselves, attackers can find out information that allows them to guess security question answers – enabling them to get past customer service representatives and reset passwords. Teach users how the things they share on social media can be used to hack them “IRL” (“in real life”). You can even set up a demonstration where you attempt to “steal” a user’s ID using their easily accessible online information. They may be shocked at how easy it is, and that may be enough to galvanize them to change their behavior.
Passwords can be a user’s biggest weakness. After all, there are so many these days that it’s hard to keep track of them all. It’s much easier to just create one password and reuse it across sites and systems. Users know that this is bad behavior, but they do it anyway out of convenience. Further education and engagement can help – perhaps add incentives around password security to motivate better behavior. The real trick is to make it easy for employees to manage their passwords and keep them secure. Suggest tools, such as a password manager, that users can use to keep track of their passwords while still using a different one for each of the many websites they use.
Remember, users are often the weakest link in the security chain. It’s important that you are vigilantly educating your users to remedy the risk that they pose to your organization’s security. But other areas of security should not be neglected in the pursuit of user education.
Remember, attackers are people too and they will go for the path of least resistance. If you leave your machines unpatched, they’ll go that route. If you don’t have anti-malware installed, they might go down that path. And if your users are likely to click a link from a phishing email or download a fake patch, attackers will choose that method.
An attack is often no longer a single instantaneous event, but a long process in which the attacker systematically hunts for your systems’ weaknesses. Don’t leave the front door wide open for them, whether that means educating your users, installing antivirus or aggressively patching machines. Make sure your defense is as in-depth and persistent as the attacks threatening it.