Regardless of their age, role, or cyber security competency, employees must follow basic practices to protect your organization and its data. Training doesn’t have to come in the form of a quarterly program, financial incentives, or certificates. It can be as simple as sending a newsletter with recommendations, sharing articles like this that provide sound technical and administrative solutions, and then implementing policies that can take effect instantly, with minimal investment or changes to your infrastructure.
In late 2017, the Enterprise Strategy Group and Information Systems Security Association researched the cyber security skills gap in their report, The Life and Times of Cybersecurity Professionals. The report corroborates the widely held perspective of CSOs, CIOs, and CTOs: that cyber security is treated more as a compliance mandate than as an essential business function, and that widespread cyber security habits at organizations are undefined and inconsistent.
- 67% of the 343 IT and security professionals surveyed said that the evolving and unpredictable demands of their job make it difficult to stay on top of training.
- Only 38% claimed that their organization is where it should be with training, and 27% report their organization could be doing much more.
Clearly, leadership is not as invested in cyber security as it is in sales, for example. The daunting task of surveying and securing an entire, dynamic ecosystem's worth of data can be mitigated by focusing on securing identity and endpoints.
Employee training isn't everything, but it's something.
Hacking methods are evolving faster than employee training can keep up. Recently, we published an article about how employee training doesn't solve the phishing problem. While we stand behind that viewpoint, we by no means suggest that employee training should be overlooked, nor that the process of employee training is futile. Still, many organizations lacking a strong cyber security program don’t know who to ask about training, what tools to requisition, or what kind of investment is needed.
Fortunately, putting time, attention, and resources into cyber security is more convenient than it seems. A balanced approach of people and technology fosters an adaptive, vigilant, and secure data ecosystem.
Here are some recommendations that will immediately improve your organization’s cyber security posture, starting with employees and the tools they use every day:
1. Take the words out of passwords.
Remember this simple adage: the best possible password is one that you don't know. 25% of employees reuse the same password for everything, according to OpenVPN. Eliminating weak or redundant passwords is the first step your organization should take. Implement 1Password or LastPass companywide to remember, obfuscate, and autofill end-user passwords. LastPass even automatically generates passwords that are indecipherable at a glance.
Despite these obvious benefits, password services are underutilized and frankly, not popular. In their report on Americans and Cybersecurity, Pew Research Center determined that 12% of netizens have used password management software, but only 3% rely on the service for everyday use. One person's weak password has the potential to compromise not only an entire organization's data, but also the data of those serviced by that company. Standardizing password management software disperses responsibility and risk in a visible, automated manner.
2. Phish yourself.
The best training is live training. After you simulate a phishing attack at your organization, you will be better prepared for the real deal. Microsoft's Attack Simulator and KnowBe4 offer free programs that gauge your organization's awareness of and response to hacking attempts. This will not only train your users, but also give you visibility into how well they're trained. As a general rule, tell your users to read the fine print: hover over links to fully read domains exchanged through email. Spelling errors and suspicious redirects are highly legible, even when embedded into a lengthy link. (Pro tip: Open any foreign link in an incognito browser.)
Visibility into enterprise email should be an essential business function. Since emails are a popular attack vector, it's critical that security and forensic teams have complete awareness of email activity within the organization. Step one is connecting Office 365 or G Suite to your SIEM, which will, for example, correlate login events to look into potentially compromised accounts. Your forensic teams absolutely must be able to comb through emails when looking for the smoking gun that led to a data breach. This essential function is difficult with native search tools within Gmail or Office 365.
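To make the login-correlation idea concrete, here is an added example (not code from this article or from any SIEM product) that flags two patterns worth a second look: a successful login right after a burst of failures, and successful logins from two countries within an hour. The event fields, thresholds, and sample data are assumptions constructed for illustration and are not the Office 365 or G Suite audit-log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # look-back window for failed attempts
FAIL_THRESHOLD = 3                  # failures before a success that raise an alert
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this span is suspicious

# Constructed sample events: (timestamp, user, source IP, country, outcome).
EVENTS = [
    ("2018-07-02T08:01:10", "alice@example.com", "198.51.100.7", "US", "success"),
    ("2018-07-02T09:14:02", "bob@example.com", "203.0.113.50", "RO", "failure"),
    ("2018-07-02T09:14:09", "bob@example.com", "203.0.113.50", "RO", "failure"),
    ("2018-07-02T09:14:15", "bob@example.com", "203.0.113.50", "RO", "failure"),
    ("2018-07-02T09:14:31", "bob@example.com", "203.0.113.50", "RO", "success"),
    ("2018-07-02T08:40:00", "alice@example.com", "192.0.2.99", "BR", "success"),
    ("2018-07-02T13:00:00", "carol@example.com", "198.51.100.23", "US", "failure"),
    ("2018-07-02T13:00:40", "carol@example.com", "198.51.100.23", "US", "success"),
]

def find_suspicious_logins(events):
    """Return (user, reason, timestamp) alerts, in time order."""
    failures = defaultdict(deque)   # user -> times of recent failed logins
    last_success = {}               # user -> (time, country) of last success
    alerts = []
    for ts, user, ip, country, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        recent = failures[user]
        while recent and when - recent[0] > WINDOW:
            recent.popleft()        # drop failures older than the window
        if outcome == "failure":
            recent.append(when)
            continue
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append((user, "success after repeated failures", ts))
        prev = last_success.get(user)
        if prev and prev[1] != country and when - prev[0] <= TRAVEL_WINDOW:
            alerts.append((user, "new country within an hour", ts))
        recent.clear()              # a success resets the failure streak
        last_success[user] = (when, country)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS):
        print(alert)
```

A single mistyped password followed by a success (the third sample user) stays below the threshold, which keeps ordinary typos from generating alerts.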
3. Keep multiple lines of internal communication.
Phishing emails don't always come from strangers. Often, they can come from friends and colleagues. If you receive a request for sensitive information—a routing number, login information, or even access to a document—reach out to the sender on a separate platform to confirm that the message isn't fraudulent. For example, if a coworker sends you a request via email, call or Slack message them to check the validity of their request.
If the message comes from a trusted company, forward the email to your IT department to double check. Below are common email subjects used in phishing attacks from Q2 of this year that you should watch out for:
10 Phishing Email Subjects Q2 2018, KnowBe4
4. Use Multi-Factor Authentication.
The more barriers are put in place, the more difficult it will be for hackers to infiltrate your data infrastructure. Creating a successful Identity and Access Management (IAM) program is vital. 81% of breaches are the result of stolen, default, or weak credentials, according to the Verizon 2017 Data Breach Investigation Report. Credential harvesting and spoofed logins persist, even when existing technology like MFA significantly reduces the likelihood of these breaches.
Better yet, use multi-factor authentication that doesn’t connect to a phone number, such as Google Authenticator, because phone numbers are no longer secure. Phone numbers were never intended to be a form of identity management, considering most are publicly available. Standardizing multi-factor authentication for all the SaaS your company uses should be a priority. Over 90% of Gmail users don't use multi-factor authentication. (No wonder phishing continues to run amuck.)
Even better yet, use physical MFA. Executives and IT team members, at the very least, should use Yubico Security Keys. Set aside a small fraction of your budget to add a physical layer to your defense with encryption keys that plug into USB ports.
5. Stay off public WiFi.
The rise of cloud computing in the workplace has resulted in organizations implementing a Work From Home policy. Unfortunately, most of these policies don't address security practices. Connecting to public WiFi in a cafe, airport, or hotel is the equivalent of knowingly disarming protective security measures. For example, malicious worms can transfer from one device to another if they are connected on the same network. If connecting to public WiFi is absolutely necessary for many employees, your policy should stipulate that they must use a VPN to secure their connection.
6. Don't ignore application updates.
Despite their persistently annoying reminder windows, updates are vital to maintaining the security of your applications and software. Hackers know the vulnerabilities of out-of-date devices. For example, Microsoft's Conditional Access rules could be bypassed by any legacy system, until a recent update. Many employees believe that application updates are optional or unnecessary, when in reality, they implement essential security features to ward off new strains of attacks.
Bonus: Employee Endpoint Security Challenge
Employees should ensure that their laptop is secured, even when they have momentarily stepped away from the device. Instilling this mentality can be difficult, which is why we recommend gamifying it as "The Employee Endpoint Security Challenge."
The premise is simple: if an employee can send an email to the IT director from the account of another employee, they receive an incentive decided by the organization. The employee who left their device unsecured can be spoken to privately about improving their cyber security practices. This incentivizes diligence, with the goal of all employees securing their devices so that only they can access them, no matter the circumstance.
Security starts with the culture.
These basics we've just covered are inexpensive—the very minimum your organization can do to receive the maximum benefit. That's why security needs to go from the top down, and should be considered an integral part of business. Cyber security is a team effort.
Effective cyber security requires acknowledgment, assessment, and total participation. Many users do not implement these basic protections because they assume additional security controls will complicate usability and interfere with efficiency. To truly secure their assets, organizations must work towards proactive risk management rather than reactive compliance.