Your organization is only as secure as your least vigilant employee. So, hardening your cybersecurity requires not only layers of sophisticated technology and threat detection, but also employees who are capable of becoming a cybersecure team. Minimizing the risk of a hacker penetrating your systems and reaching your employees should be goal number one, but cybersecurity is also the responsibility of every person on your team – from the CEO down.
Even as organizations focus on stronger cybersecurity measures and innovative technologies, it’s important to remember that in more than half of all data breaches, there is either inadvertent or purposeful employee or vendor involvement. Developing a strict culture of cybersecurity is another layer of protection and risk management that every business, school, government entity, and nonprofit should have in place.
A Cybersecure Team Doesn’t Just Happen: Train, Train, and Train Again
Ongoing training is the foundation of a cybersecure team and a cybersecure organization. Because hackers continue to get more sophisticated in their efforts to penetrate your systems, it’s impossible to be prepared for every kind of attack without ongoing reminders about the latest threats and tactics in use. It used to be enough to tell your employees not to click on links or open files from strangers, but now hackers are patient and adept at masking their locations and true intent. They’ll spend months collecting enough information to infiltrate an email system and pose as someone whose message the recipient would expect to receive and act on.
“Cybersecurity awareness and training must be a part of every organization’s arsenal. Protecting your organization from cyber threats starts with empowering employees to be part of the cybersecure solution.” – Tom Hastings
It’s important to share with employees the cost and impact of the risk so that they understand the reason for the trainings. Even millennials and Gen-Z, who are digital natives and completely comfortable using technology (and have been roughly since birth), can be tricked by a sophisticated hacker with some cleverly disguised ransomware. Most people are unaware of the extent of cyberattacks in today’s business world.
Teach your employees about the prevalence of risk to the workplace – and have a no-tolerance policy for negligence. To create a cybersecure team, focus on the following initial and ongoing training:
Clean Desk Principle
It may seem like a natural and obvious place to start, but it’s essential to require that employees take some simple precautions. This can make an enormous difference in your ability to remain cybersecure. Require employees to take steps such as:
- Logging out of the network when they leave their desks
- Locking up files (digital and paper) that contain secure or proprietary information
- Keeping a clean workspace (to prevent accidentally leaving sensitive information accessible)
- Using shredders (physical and digital) to destroy sensitive files
- Following policies that restrict the sharing of information
Employees should be encouraged to speak out if they suspect anything and reassured that speaking out is always better than assuming everything is fine. Empower your employees to address cybersecurity concerns with a supervisor, IT department, or managed services provider without being penalized for taking the time to do so. In fact, these employees should be rewarded for remaining vigilant and concerned. An open-door communication policy should be instilled throughout the company from the CEO down.
When 90% of cyberattacks now begin with a phishing campaign, it’s clear that hackers have discovered what a gold mine it is. Email security is not being prioritized, and data breaches are a common result. It’s not a matter of if but when an employee will receive a very convincing email that appears to come from an authentic source within the company. That email may direct them to provide sensitive information, or it may request payment for a seemingly legitimate invoice. Thanks to social engineering, these emails often appear legitimate, and they often succeed because the employees receiving them believe they are a genuine directive from their bosses or CEOs and feel pressured to act quickly.
Phishing attacks are hard to identify.
Ongoing training is critical for everyone within an organization. An employee may not think twice about a request to update a password for a commonly used website or to submit private information to what appears to be a vendor. Employees tend to blindly trust that an antivirus program will weed out the spam in their digital mailboxes, without considering that a spam filter may let through an email that is actually a phishing attack. Training helps raise employee awareness and provides information on emerging threats.
The most common types of phishing attacks:
- Redirect employees to an unsecured website requesting sensitive information when malicious links are clicked
- Release viruses and malware when an email attachment is opened
- Spoof an email address so that it appears to be from a legitimate sender
- Impersonate a vendor, IT support, or employee to gain sensitive information over the phone
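As an added example (not code from the article or from thinkCSC), the following Python checks a single raw email for the warning signs described above: an executive’s display name on an external address, a Reply-To that diverts replies to another domain, a lookalike sender domain, urgency paired with a request for payment or credentials, and link text that does not match where the link actually points. The company domain, executive name and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this added example (all constructed): the organization's
# own mail domain and the executives whose names phishers tend to borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_PHRASES = ("immediately", "urgent", "right away", "within the hour")
ASKS = ("invoice", "password", "gift card", "wire", "bank details")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw_message):
    """Return the warning signs found in one raw email (empty list = none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    sender_dom, flags = _domain(from_addr), []
    # Display name claims an executive, but the address is not the company's
    if from_name.lower() in EXECUTIVE_NAMES and sender_dom != INTERNAL_DOMAIN:
        flags.append(f"executive display name with external address {from_addr}")
    # Replies are quietly routed to a different domain than the sender's
    if reply_addr and _domain(reply_addr) != sender_dom:
        flags.append(f"Reply-To domain {_domain(reply_addr)} differs from From")
    # Lookalike domain: the company name embedded in some other domain
    if sender_dom != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in sender_dom:
        flags.append(f"lookalike sender domain {sender_dom}")
    # Pressure to act now combined with a request for money or credentials
    text = body.lower()
    if any(p in text for p in URGENCY_PHRASES) and any(a in text for a in ASKS):
        flags.append("urgent request for payment or credentials")
    # Link text shows one host while the href points somewhere else
    for href, shown in re.findall(r'<a href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        if "://" in shown and urlparse(shown).netloc.lower() != urlparse(href).netloc.lower():
            flags.append(f"link text {shown} hides target {href}")
    return flags

# Constructed sample: the "urgent invoice from the CEO" message the article warns about
SAMPLE_PHISH = (
    "From: Jane Doe <jane.doe@example-payments.com>\n"
    "Reply-To: ceo@mail-relay.net\n"
    "Subject: Invoice\n\n"
    'Pay the attached invoice immediately: <a href="http://evil.test/login">https://portal.example.com</a>\n'
)
```

Run against SAMPLE_PHISH the function reports all five indicators; a plain internal message with no links and no urgency returns an empty list.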
Preventing phishing attacks starts with best security practices.
Educating staff is essential to stopping phishing attacks. Cybersecurity training should be comprehensive and provided on a regular basis to communicate updates and reinforce these best practices:
- Secure personal information – Do not use the same password on multiple devices and at multiple sites, including personal networks. Hackers can target specific individuals and explore a variety of networks, including social media, to obtain information. Passwords should be complex and changed periodically, and multifactor authentication should be applied whenever possible.
- Use available malware and virus protection programs – If professional devices are asking for updates, make sure employees are not ignoring prompts. Also encourage employees to secure their personal devices and provide accessible security options. By incorporating best security practices into their personal lives, employees are more likely to implement these practices in their professional realms.
- Use secure networks only – It can be tempting for employees to quickly sign into an office network from home, even if it is to innocently check an email. Unsecured access, however, can give hackers the opportunity they need to infiltrate secure networks.
- Be aware of threats – Train employees to be suspicious of emails requesting private information, such as credit card details. If an email requests immediate action, then a moment should be taken to confirm the request. Nothing is so immediate that your employees can’t take the time to verify a request with a supervisor.
Your employees can be your biggest risk, but they can also become your strongest defense against phishing attacks. Knowledge is the first step towards preventing data breaches, and by educating employees regularly, you can establish a culture of best security practices. Download the thinkCSC email security guide to get started.
It’s no surprise that password management is a struggle; we’re required to create and remember multiple passwords on multiple devices and accounts; we are prompted to change the passwords frequently; and we have to make sure each password meets whatever minimum requirements are demanded – which vary greatly. While biometric capability may soon relieve some of this frustration, businesses must insist on stronger passwords, multifactor authentication, and robust password security.
You would think that everyone would be well aware of the risks of using simple passwords, reusing the same password across multiple accounts, or using personal data as a password. But many of the most expensive data breaches have happened because a person’s password was stolen from one site and then tried by the hackers on a different site where that person had used the same password, giving them access to secure information.
Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. Moreover, they dislike having to change passwords on individual accounts regularly or being forced to abandon previous passwords in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):
- Re-use the same usernames and passwords across multiple accounts
- Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)
When 81% of all hacking-related breaches involve weak or stolen passwords, duplicated passwords used across multiple sites increase the risk of successful breaches of internal company sites. If passwords on personal accounts (online shopping, banking, personal email, social media, etc.) match passwords on company sites (employee login, company email, etc.), hackers can try those identical passwords on other accounts with the same or similar usernames – and many people use the same username format across multiple accounts (e.g., John_Doe or John.Doe). This means that any password, no matter how strong, becomes more vulnerable the more accounts it is used on, especially when it is paired with the same (or similar) username.
Moreover, 30% of data breaches were committed by insiders. Many internal attacks don’t have to target one particular employee’s access; in many cases, accessing one member of a team or department (or even the entire company) is all that is required. Thus, an employee who writes down usernames and passwords and stores them in an obvious place makes internal attacks much easier and more likely.
Common passwords should be avoided at all costs. Keyboard patterns like qwerty and number strings like 123456 are the easiest to break, followed by common words like football and pizza. Using personal information like a birthdate or street name is also high risk, since so much personal data is available from a quick online search. Passwords should be complex, long, and difficult to break – but they should not be the only barrier between the hacker and the data.
To be at all effective, passwords need to be randomly generated strings of characters, changed frequently, and accompanied by multifactor authentication, and they need to be protected by additional layers of security, backup and recovery, and monitoring.
Improve your organization’s password security by:
- Requiring passwords to be changed every 60-90 days
- Requiring different passwords for each login
- Prohibiting the sharing of passwords – if an employee needs access to information, they should have their own username and password to gain access
- Requiring auto-generated passwords of 12-15 characters minimum, made up of complex strings of numbers, upper- and lower-case letters, and special characters
- Completely restricting the use of personal information in passwords
- Using password managers, such as LastPass
- Not allowing passwords to be saved in browsers or entered by autofill functions
- Requiring two-factor authentication, in which a second form of access (a PIN texted to the employee, for example) is required once the password is entered
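As an added example (not code from the article or from thinkCSC), the following Python enforces the password rules above at creation time and generates compliant passwords: it rejects anything under 12 characters or missing a character class, the common passwords the article names, and any supplied personal information such as a street name or birth year, and it builds random passwords with the `secrets` module. The common-password list and the symbol set are constructed assumptions.

```python
import secrets
import string

# Constructed for this added example: the weak passwords the article names,
# plus the minimum length and character classes the policy above requires.
COMMON_PASSWORDS = {"qwerty", "123456", "password", "football", "pizza"}
MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

def policy_violations(password, personal_info=()):
    """Return the rules a candidate password breaks (empty list = accepted).

    personal_info holds strings such as a birth year or street name that
    must not appear anywhere in the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    for item in personal_info:
        # Fragments shorter than four characters would reject almost anything
        if len(item) >= 4 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems

def generate_password(length=15):
    """Random password containing at least one character from every class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    # One guaranteed pick per class, then fill the rest from the whole alphabet
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class order is not predictable
    return "".join(chars)
```

A password manager or account-provisioning script would call policy_violations on every new password and fall back to generate_password when the user has no compliant choice.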
Whether you have a policy that allows it or not, it’s likely that your employees are doing some of their work from their cell phones. Having no mobile device policy leaves you vulnerable – and thinking that you can ban the use of mobile devices for work is almost as risky. Mobile device use has become ubiquitous at work – and for good reason. It makes your team more efficient and productive. But it also means that mobile security is an integral piece of the puzzle when creating a cybersecure team.
There are risks: Every mobile user tends to casually give access to personal information for the use of third-party apps, servers, and networks. These third-party connections then become potential threats to your business when those same devices are connected to your network and are used for work-related activities. Mobile device security must be part of your overall strategy, and while you cannot prevent your employees from using mobile devices, you can have policies in place that restrict how and what they’re able to do when connected to your network.
Mobile security should include:
Malware detection. While not foolproof, malware detection is a first-line defense against attacks. Malware is becoming more and more sophisticated, making it necessary for organizations to implement malware detection on every device.
Remote wipe capability. If your employees use their personal cell phones or tablets to handle company business, there is a high risk of data breach if the devices are lost or stolen. The only effective method for controlling this risk is by having the ability to remotely wipe the data.
Malicious app blocking. Every organization that allows the use of mobile devices should have the ability to block malicious apps as well as non-malicious apps that introduce risk or violate security policies.
One of the biggest risks of mobile device use is that people can accidentally leave their phones in public places or lose them altogether. To minimize risk, organizations should require employees to use basic security measures (even on personal devices) such as fingerprint locks. Employees should also be encouraged to use location tools, such as Apple’s “Find My iPhone” app. And no personal device should be allowed to be used for work that does not have malware detection and security installed.
There is no one-size-fits-all solution to mobile security. Mobile device management is an integral part of creating a cybersecure team. You can’t keep cell phones out, so you must protect your organization.
A Cybersecure Team Is Just One Layer of a Comprehensive IT Security Strategy
Creating a cybersecure team isn’t difficult, but it is critical. Given the rise in cyberattacks over the last decade and, especially, the recent, coordinated, worldwide ransomware attack, providing cybersecurity training to employees is essential for every organization. Your organization needs to operate in a culture of zero trust – the principle that an organization should not automatically trust anything inside or outside its perimeter and must instead verify anything and everything trying to connect to its systems before granting access.
A Managed Service Provider Can Help You Create a Cybersecure Organization
At thinkCSC, we take security seriously, offering innovative levels of security monitoring for our clients. Cyberthreats are a normal part of doing business, but these risks can, and should, be addressed and abated. A comprehensive approach to cybersecurity means having:
24/7 Monitoring: You can’t protect what you can’t see. We make sure your systems are continuously monitored, spotting trouble before it starts and ensuring that your infrastructure keeps up with the demands of your business.
Backup & Recovery: From server failures to weather outages, from ransomware attacks to malware infestations, thinkCSC keeps you operational by providing regular offsite backups of your critical data that can be quickly restored or accessed from alternate locations should the need arise.
Compliance: Whether your organization is required to achieve and maintain HIPAA, SOX, or PCI compliance, or if you just want to meet the level of compliance required to be covered by the Ohio Safe Protection Act, thinkCSC has your back.
Infrastructure Security: We employ a multi-layered approach that includes advanced hardware, software, policies, and controls to help protect you from breaches of confidentiality, data loss and destruction, data manipulation, and more.
Endpoint Security: You can’t secure what you don’t know is connecting to your network. thinkCSC helps you identify every phone, tablet, and device that is connected, thereby controlling access to your data.
Network Security: From deploying your network to helping you develop an IT security strategy, thinkCSC is your partner in creating the protection you need.
Cybersecurity is growing in complexity. Hackers are continuously learning innovative methods to gain access to private data. Consequently, to maintain a cybersecure team, your organization must remain proactive. At thinkCSC, we believe that in order to achieve maximum success, regardless of the size or type of your organization, you must make employees an integral part of your overall security strategy. We can help you assess your existing security and policies, provide training and testing for your employees, provide the additional layers of security required to reduce and eliminate risk, and be there to get you back up to speed should something go wrong. Take your first steps in creating a cybersecure team and contact us today.