This is the 210th article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, cloud and SaaS, or MSPs for the series, PM Eric to get started.
I’ve worked in the security industry for a long time and one key thing I’ve learned — and on some occasions learned the hard way — is no matter how advanced and well implemented a security technology is, it’s only as strong as how it’s used and managed. Security solutions must be paired with user education. Without this rounded approach, cybercriminals can more easily exploit gaps in the defenses and cause serious damage to an organization.
Of course, we know that too well. But, how do you get users and the rest of the company on the same page as the IT department?
1. Open their eyes.
It’s not just big companies that are targeted. Smaller businesses are targeted too, and because they have smaller budgets and headcounts, they’re often easier to compromise.
For example, on Christmas Eve and December 26, 2012, cybercriminals used malware installed on a local PC at Ascent Builders, a small California-based construction firm, to transfer $900,000 (US) from the company’s bank account followed by a major distributed denial-of-service (DDoS) attack on the bank — presumably to conceal the theft of funds.
In the same month, cybercriminals used the company controller’s login credentials to add 11 bogus employees to the payroll of Niles Nursing. Payments from the company’s bank account initially transferred $58,000 (US) to those 11 individuals, who then wired the funds to Russia and Ukraine. In total, approximately $170,000 was stolen.
These losses add up fast. The loss of intellectual property — much of it the result of malware and other forms of cybercrime — costs British organizations upwards of £9.2 billion annually, according to a UK Cabinet Office study.
2. Set and share an acceptable use policy.
Establishing what network activities are and aren’t allowed protects employees, customers and suppliers, and, best of all, it costs nothing. If you don’t have a policy yet, SpiceHead Donald2661 has shared a policy template that’s a fine starting point.
Every member of staff should be given a copy of the policy on acceptable use of IT resources. Talk with the powers that be — the policy can often be made part of the contract of employment, and besides protecting the company from exposure to malware and web threats, that helps in disputes with employees.
3. Push employees to select strong passwords/passphrases.
A complex security system won’t matter if a hacker or phisher gets hold of an employee’s password. If we take a laissez-faire approach to creating and protecting passwords, these types of breaches become far more likely. Smart password practices require next to no budget.
There’s some good discussion on passwords and passphrases in the Spiceworks Community.
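As an added example (not part of the original article), here is the kind of passphrase-friendly check an IT department could run against candidate passwords before accepting them. It accepts long multi-word passphrases without forcing complexity rules on them, while still rejecting short, common, or account-name-based choices. The banned list and the sample candidates are constructed for illustration; a real deployment would check against a breached-password corpus instead.

```powershell
# Added example, not from the original article. Function and parameter names are
# illustrative; the banned list is a constructed stand-in for a real corpus.

function Test-Passphrase {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [string] $UserName = '',
        [string[]] $BannedList = @('password', 'password1', 'welcome1', 'letmein', 'qwerty123', 'summer2012')
    )

    $reasons = New-Object System.Collections.Generic.List[string]
    $lower   = $Candidate.ToLowerInvariant()
    $words   = @(($Candidate -split '[\s\-_]+') | Where-Object { $_ -ne '' })

    # Rule 1: length. Four or more words totalling 16+ characters count as a passphrase;
    # anything else must be at least 12 characters.
    $isPassphrase = ($words.Count -ge 4) -and ($Candidate.Length -ge 16)
    if (-not $isPassphrase -and $Candidate.Length -lt 12) {
        $reasons.Add('Shorter than 12 characters (or 16 for a 4+ word passphrase)')
    }

    # Rule 2: not on the banned list. Trailing digits/symbols are stripped before the
    # comparison so that "Password1!" is still caught by the entry "password".
    $stripped = $lower -replace '[\d\W_]+$', ''
    if (($BannedList -contains $lower) -or ($BannedList -contains $stripped)) {
        $reasons.Add('Appears on the banned/common password list')
    }

    # Rule 3: must not contain the user's own account name.
    if ($UserName -and $UserName.Length -ge 3 -and $lower.Contains($UserName.ToLowerInvariant())) {
        $reasons.Add('Contains the account name')
    }

    # Rule 4: no long runs of a single character ("aaaaaaaa" style padding).
    if ($Candidate -match '(.)\1{3,}') {
        $reasons.Add('Contains four or more repeated characters in a row')
    }

    # Rough strength estimate: word-count entropy for passphrases (assuming a
    # 7,776-word Diceware-style list), character-class entropy otherwise.
    if ($isPassphrase) {
        $bits = [math]::Round($words.Count * [math]::Log(7776, 2), 1)
    } else {
        $pool = 0
        if ($Candidate -cmatch '[a-z]')        { $pool += 26 }
        if ($Candidate -cmatch '[A-Z]')        { $pool += 26 }
        if ($Candidate -match  '\d')           { $pool += 10 }
        if ($Candidate -match  '[^A-Za-z0-9]') { $pool += 33 }
        $bits = if ($pool -gt 0) { [math]::Round($Candidate.Length * [math]::Log($pool, 2), 1) } else { 0 }
    }

    [pscustomobject]@{
        Candidate     = $Candidate
        Accepted      = ($reasons.Count -eq 0)
        EstimatedBits = $bits
        Reasons       = ($reasons -join '; ')
    }
}

# Constructed sample candidates for user "jsmith"
'Password1!', 'jsmith2012', 'correct horse battery staple', 'Tr0ub4dor&3' |
    ForEach-Object { Test-Passphrase -Candidate $_ -UserName 'jsmith' } |
    Format-Table -AutoSize
```

Of the four samples, only the four-word passphrase is accepted: the first is short and on the banned list, the second is short and contains the account name, and the last is short despite mixing all four character classes. The entropy figure is a rough guide for user feedback, not a substitute for checking against real breached-password data.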
4. Establish an encryption policy that you can enforce.
An encryption policy should give guidance on using encryption to protect company data. Here’s a common scenario: a company’s security policy directs the use of encrypted USB storage, and the company distributes encrypted devices to its users. After a while it becomes apparent the company is still at risk of a data breach, because users are still using their own unencrypted USB keys. The policy exists and the approved devices were issued, but the company is still stuck dealing with a data breach.
An encryption policy can’t work unless users understand their role in protecting company data. Having an encryption policy matters, but it matters just as much that the policy can be enforced and is easy for the end user to follow. The hard part is that this often requires a behavior change; the secret to success is showing employees how they benefit from tighter security.
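As an added example (not from the original article), here is how an administrator could turn the USB scenario above from a policy on paper into something checkable on a Windows endpoint: audit every removable drive for BitLocker To Go protection, and confirm whether the Group Policy setting that denies write access to unprotected removable drives is actually in force. It assumes a Windows 8 / Server 2012 or later machine with the BitLocker and Storage PowerShell modules and an elevated session; the function names are illustrative, and the registry mapping is the one the Group Policy editor writes for that setting.

```powershell
# Added example, not from the original article. Assumes Windows 8+/Server 2012+,
# the BitLocker and Storage modules, and an elevated PowerShell session.

function Get-RemovableDriveEncryptionStatus {
    [CmdletBinding()]
    param()

    # Get-Volume exposes DriveType; only removable volumes with a drive letter matter here.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = $null
        try {
            # Get-BitLockerVolume can throw for volumes BitLocker does not manage,
            # so treat an error as "not encrypted".
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
        } catch { }

        [pscustomobject]@{
            MountPoint       = $mount
            FileSystemLabel  = $vol.FileSystemLabel
            VolumeStatus     = if ($bl) { $bl.VolumeStatus }     else { 'NotEncrypted' }
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Off' }
            Compliant        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        }
    }
}

function Test-RemovableDenyWritePolicy {
    # The Group Policy setting "Deny write access to removable drives not protected by
    # BitLocker" (Computer Configuration > Administrative Templates > Windows Components >
    # BitLocker Drive Encryption > Removable Data Drives) is stored as this DWORD.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $name  = 'RDVDenyWriteAccess'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        PolicyKey = "$key\$name"
        Value     = $value
        Enforced  = ($value -eq 1)
    }
}

# Run the audit: per-drive status first, then the policy check.
Get-RemovableDriveEncryptionStatus | Format-Table -AutoSize
Test-RemovableDenyWritePolicy
```

The first function tells you which drives currently plugged in are outside the policy; the second tells you whether the endpoint would have blocked writes to them in the first place. If `Enforced` is false, users can still copy data onto their own unencrypted keys no matter what the written policy says, which is exactly the gap in the scenario above. Set the policy through Group Policy rather than editing the registry by hand so it is applied consistently and survives policy refresh.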
There are no security silver bullets out there, but these threats can be mitigated by training users to identify, prevent, and report attacks in a timely manner.
How security conscious are your employees? How do you get them to understand their importance in protecting the network? Share your stories and tips in the comments below!