Regardless of their age, role, or security competency, employees must follow basic practices to protect the organization and its data. Training doesn’t have to come in the form of a quarterly program, financial incentives, or certificates. It can be as simple as sending a newsletter with recommendations, sharing articles that provide technical and administrative solutions, and implementing policies that take effect immediately, with minimal investment or changes to your infrastructure.
In late 2017, the Enterprise Strategy Group and Information Systems Security Association researched the cyber security skills gap in their report, The Life and Times of Cybersecurity Professionals. The report corroborates the widely held perspective of CSOs, CIOs, and CTOs: that cyber security is treated as more of a compliance mandate rather than an essential business function, and that widespread security habits at organizations are undefined and inconsistent.
- 67% of the 343 IT and security professionals surveyed said that the evolving and unpredictable demands of their job make it difficult to stay on top of training.
- Only 38% claimed that their organization is where it should be with training, and 27% report their organization could be doing much more.
Clearly, leadership is not as invested in cyber security as it is in sales. The daunting task of surveying and securing an entire ecosystem's worth of data becomes tractable if you start with identity and endpoints, which is where most attacks begin.
Employee Training Isn't Everything, but It's Something
Hacking methods are evolving faster than employee training can keep up. Recently, we published an article about how employee training doesn't solve the phishing problem. While we stand behind that viewpoint, we do not suggest that employee training should be overlooked, nor that it is futile. Still, many organizations lacking a strong cyber security program don’t know who to ask about training, what tools to requisition, or what kind of investment is needed.
Fortunately, putting time, attention, and resources into cyber security is more convenient than it seems. A balanced approach of people and technology fosters an adaptive, vigilant, and secure data ecosystem.
Here are some recommendations that will immediately improve your organization’s security posture, starting with employees and the tools they use every day.
1. Take the words out of passwords
Remember this simple adage: the best possible password is one that you don't know. 25% of employees reuse the same password for everything, according to OpenVPN. Eliminating weak or reused passwords is the first step your organization should take. Implement 1Password or LastPass companywide to generate, store, and autofill a long, unique password for every site, so that one compromised service cannot unlock the others.
Despite these obvious benefits, password services are underutilized and frankly, not popular. In their report on Americans and Cybersecurity, Pew Research Center determined that 12% of netizens have used password management software, but only 3% rely on the service for everyday use. One person's weak password has the potential to compromise not only an entire organization's data, but also the data of those serviced by that company. Standardizing password management software disperses responsibility and risk in a visible, automated manner.
2. Phish yourself
The best training is live training. After you simulate a phishing attack at your firm, you will be better prepared for the real deal. Microsoft's Attack Simulator and KnowBe4 offer phishing-simulation tools that gauge your organization's awareness of and response to attack attempts. This will not only train your users but also give you visibility into how well they're trained: track the click rate and, more importantly, the rate at which users actually submit credentials, and measure it again after each round of training.
As a general rule, tell your users to read the fine print: hover over links and read the full domain, not just the part that looks familiar. The domain that actually owns a link is the last two labels of the hostname, read right to left, so example.com.account-verify.test belongs to account-verify.test, not to example.com. Misspellings, lookalike hosts, and suspicious redirects are easy to spot once you know to look there, even inside a lengthy link. (Pro tip: opening an unfamiliar link in an incognito window isolates it from your logged-in sessions, but it does nothing against malware or a convincing fake login form; when in doubt, don't click at all and reach the site by typing its address.)
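The domain-reading rule above can be automated. The following is an added example (not code from the original article or from any vendor named in it): it extracts the links from a constructed HTML email body, works out the registered domain of each href, and flags the tricks the paragraph describes, namely a trusted name buried in someone else's subdomain, plain http, and link text that shows a different site from the one the href goes to. The allow-list `TRUSTED_DOMAINS`, the sample message, and the two-label registered-domain rule are assumptions for the example (a real tool would use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body; not a real message.
SAMPLE_EMAIL = """
<p>Your invoice is ready. <a href="https://billing.example.com/inv/42">View invoice</a></p>
<p>Please <a href="http://example.com.account-verify.test/login">sign in at https://example.com</a></p>
<p><a href="https://examp1e.com/reset">Reset your password</a></p>
"""

# Assumed allow-list: domains the organisation actually does business with.
TRUSTED_DOMAINS = {"example.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Good enough for .com-style TLDs; a real
    tool would consult the Public Suffix List for co.uk and friends."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks suspicious (empty list = looks fine)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reg = registered_domain(host)
    if parsed.scheme != "https":
        reasons.append("not https")
    if reg not in TRUSTED_DOMAINS:
        reasons.append(f"registered domain is {reg!r}, not a trusted domain")
    # A trusted name used as a subdomain of somewhere else,
    # e.g. example.com.account-verify.test
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and reg != trusted:
            reasons.append(f"{trusted!r} appears only as a subdomain of {reg!r}")
    # Visible text names one site while the href goes to another.
    if "://" in text:
        shown = urlparse(text.split()[-1]).hostname or ""
        if registered_domain(shown) != reg:
            reasons.append(f"link text shows {shown!r} but href goes to {host!r}")
    return reasons


def audit_email(html):
    """Map every href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

Run as-is, the first link passes and the other two are flagged; the second collects four separate findings because it fails every check at once. The same function can be dropped into a mail-flow hook to annotate or quarantine messages before users see them.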
Visibility into enterprise email should be an essential business function. Since email is the most common initial attack vector, it's critical that security and forensic teams have complete awareness of email activity within the organization. Step one is shipping Office 365 or G Suite audit logs to your SIEM, so that, for example, a successful login from an unfamiliar location followed by a new inbox-forwarding rule can be correlated into a single alert for a potentially compromised account. Your forensic teams absolutely must be able to search through email activity when looking for the smoking gun that led to a data breach.
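The correlation the paragraph above asks a SIEM for looks roughly like this. This is an added example, not the article's code and not an Office 365 or G Suite API: the audit events are constructed and simplified (the field names `op`, `ok`, `country`, `params` are assumptions, not either vendor's schema), and the per-user baseline of expected countries is assumed to come from the previous 30 days of logins. It flags an account when a successful login from a new country, or one preceded by repeated failures from the same address, is followed within 24 hours by an inbox rule that forwards mail elsewhere.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified mailbox audit events; not real Office 365 / G Suite
# output, and the field names are assumptions for this example.
SAMPLE_LOG = """
{"time": "2018-07-02T08:01:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "US", "ok": true}
{"time": "2018-07-02T08:05:00Z", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "203.0.113.11", "country": "US", "ok": true}
{"time": "2018-07-02T09:30:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "country": "RO", "ok": false}
{"time": "2018-07-02T09:31:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "country": "RO", "ok": false}
{"time": "2018-07-02T09:32:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "country": "RO", "ok": true}
{"time": "2018-07-02T09:40:00Z", "user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "country": "RO", "params": {"ForwardTo": "x@attacker.test", "DeleteMessage": true}}
{"time": "2018-07-02T10:00:00Z", "user": "bob@example.com", "op": "New-InboxRule", "ip": "203.0.113.11", "country": "US", "params": {"MoveToFolder": "Invoices"}}
"""

# Assumed baseline: countries each user normally logs in from.
BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}
WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse one JSON event per line and return them in time order."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def find_compromised(events, baseline):
    """Return {user: [reasons]} for accounts where a suspicious login is
    followed by a forwarding rule within WINDOW."""
    findings = {}
    suspicious_logins = {}  # user -> (time, ip, reasons)
    failures = {}           # (user, ip) -> failed logins seen so far
    for e in events:
        user, op = e["user"], e["op"]
        if op == "UserLoggedIn":
            key = (user, e["ip"])
            if not e["ok"]:
                failures[key] = failures.get(key, 0) + 1
                continue
            why = []
            if e["country"] not in baseline.get(user, set()):
                why.append(f"login from new country {e['country']}")
            if failures.get(key, 0) >= 2:
                why.append(f"{failures[key]} failed attempts from {e['ip']} before success")
            if why:
                suspicious_logins[user] = (e["time"], e["ip"], why)
        elif op == "New-InboxRule":
            params = e.get("params", {})
            forwards = any(k.startswith("Forward") or k == "RedirectTo" for k in params)
            prior = suspicious_logins.get(user)
            if forwards and prior and e["time"] - prior[0] <= WINDOW:
                minutes = (e["time"] - prior[0]).seconds // 60
                findings.setdefault(user, []).extend(prior[2])
                findings[user].append(
                    f"forwarding rule created from {e['ip']} {minutes} min after suspicious login")
    return findings


if __name__ == "__main__":
    for user, reasons in find_compromised(parse_events(SAMPLE_LOG), BASELINE_COUNTRIES).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Only alice is reported: her login from a new country came after two failures from the same address and was followed eight minutes later by a rule forwarding mail to an outside domain and deleting the originals. Bob's rule merely files invoices, so his account is not flagged. In a real deployment the baseline would be computed from historical logins and the alert would also fire on the rule alone, with a lower severity.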
3. Keep multiple lines of communication
Phishing emails don't always come from strangers. Often they appear to come from friends and colleagues, because the sender's account or display name has been spoofed or taken over. If you receive a request for sensitive information (a routing number, login information, or even access to a document), reach out to the sender through a different channel to confirm that the message isn't fraudulent. For example, if a coworker sends you a request via email, call them or message them on Slack to check the validity of their request.
If the message appears to come from a trusted company, forward the email to your IT department to double-check. Below are common email subjects used in phishing attacks in Q2 2018 that you should watch out for:
(Figure: Top 10 Phishing Email Subjects, Q2 2018, KnowBe4)
4. Use Multi-Factor Authentication (MFA)
Every additional factor an attacker must present makes a stolen password alone useless, so the more barriers are put in place, the more difficult it will be for attackers to infiltrate your data infrastructure. And yet, over 90% of Gmail users don't use multi-factor authentication.
Creating a successful Identity and Access Management (IAM) program is vital. 81% of hacking-related breaches leveraged stolen, default, or weak credentials, according to the Verizon 2017 Data Breach Investigations Report. Credential harvesting and spoofed logins persist, even though existing technology like MFA significantly reduces the likelihood that a harvested password leads to a breach.
Better yet, use multi-factor authentication that doesn’t depend on a phone number, such as an authenticator app like Google Authenticator, which derives time-based one-time codes from a secret stored on the device. SMS codes can be intercepted by SIM swapping and by attacks on the carrier network, and phone numbers were never intended to be a form of identity management, considering most are publicly available. Standardizing multi-factor authentication for all the SaaS your company uses should be a priority.
Even better yet, use physical MFA. Executives and IT team members, at the very least, should use Yubico Security Keys. Set aside a small fraction of your budget to add a physical layer to your defense with hardware authenticators that plug into a USB port and sign a login challenge bound to the site's origin, so a code or signature obtained by a lookalike page cannot be replayed against the real one.
5. Refrain from public WiFi
The rise of cloud computing in the workplace has resulted in organizations implementing Work From Home policies. Unfortunately, most of these policies don't address security practices. Connecting to public WiFi in a cafe, airport, or hotel is the equivalent of knowingly disarming security: anyone on the same network can observe or tamper with unencrypted traffic, and devices on the network can be probed and attacked directly, which is how network worms spread from one machine to the next.
If connecting to public WiFi is absolutely necessary for many employees, your policy should stipulate that they must use a VPN so that all traffic is encrypted between the device and the corporate network, and that the device firewall stays on to block inbound connections from the local network.
6. Don't ignore application updates
Despite the annoying push notifications, software updates are vital to maintaining the security of your applications and devices. Attackers actively scan for software with known, already-patched vulnerabilities, because an unpatched machine is the cheapest way in. Many employees believe that application updates are optional or unnecessary, when in reality they deliver the fixes that close those holes and ward off new strains of attack.
Security Starts with Culture
The basics we've just covered are the very minimum you can do to receive the maximum benefit. Many users do not adopt these basic protections because they assume additional security controls will complicate usability and interfere with efficiency.
To truly secure their assets, firms must work toward proactive risk management rather than reactive compliance. That's why security needs to be driven from the top down and treated as an integral part of the business. It's a team effort.