Knowledge is Power
In our previous post, we outlined some important steps you can take to protect your network from common cyber threats. Putting measures in place to protect against brute-force attacks, phishing and ransomware is an important first step. However, as the high-profile example below shows, no cyber security policy is complete without a focus on protecting the first line of your defence: your employees. Research has repeatedly shown that one of the biggest security risks to an organisation is the end user. Through no fault of their own, and mainly due to a lack of education and awareness, employees frequently open the virtual floodgates to attackers. Demonstrating the impact of an attack and communicating employees' responsibility for protecting virtual business assets should be an integral part of your cyber security strategy. Ensuring employees know the right procedures for accessing and protecting business information is crucial.
To emphasise the importance of end user education and training, we will look at how a mistake by one employee caused one of the worst data breaches of all time. In 2017, the US-based credit bureau Equifax announced that sensitive data, including social security numbers and banking details, had been stolen from over 145 million people worldwide. Identity theft is now a major risk for those affected. How could this happen to such a large, high-profile company that holds such sensitive information? It can be difficult to comprehend that millions of people’s data can be stolen because of one person’s mistake. However, this is, unfortunately, a very common occurrence. Equifax CEO Richard Smith did not put the significant breach down to technical issues, but to human error. Following the breach, he stated: “To prevent such breaches from happening requires a shift in culture and resources. Equifax certainly had the resources, but it clearly did not have the right culture to ensure the right processes were in place and followed.” In the aftermath, one person was blamed for the breach and fired.
Protecting the Front Line
There are several practical steps organisations can take to secure the weakest link in their cyber security defence. We have outlined five tactics your organisation can use to help increase its protection from cyber threats.
- Continuous Training & Education – Practice makes perfect, and this is especially true when educating your employees on best practices in cyber security. The cyber environment and cyber threats are continuously evolving, meaning one-off education or training is not enough and can quickly become outdated. While inductions and initial training on cyber security are essential, continuous training is vitally important to ensure your employees remain the first line of defence for your organisation. By continuously measuring the effectiveness of this training, gaps can be identified and acted on before they turn into an attack. ISO 27001, the highest standard in information security, requires regularly updated compliance checks, which means continuous training of employees is mandatory.
- Device Security – In the era of the modern workplace, remote working and bring your own device (BYOD) are becoming increasingly popular among employees. Consequently, more and more devices are connecting to your network, each one an added entry point to your information. It is therefore essential to ensure devices are secure. Mobile Device Management allows companies to configure, manage and control mobile devices used to access business resources. Before a device accesses your company’s network, you can verify that it hasn’t been compromised. An added level of security in the workplace can be a “clear screens” policy: when employees leave their desk, all devices must be locked.
- The Principle of Least Privilege – This principle works by granting only the access required to perform a task. In the cyber world, adhering to this principle reduces the chance of hackers gaining access to your network through a low-level user account, device or application. Admin passwords should be individualised rather than shared, and admin access should only be granted where required. Implementing the principle of least privilege leads to increased security and a reduced attack surface. As a general best practice, all new accounts on your network should by default be set up with the principle of least privilege.
- Password and Authentication Policies – Implementing a password policy, requiring strong password combinations and regular password changes, can be an initial line of defence against the attacks outlined previously – brute-force and dictionary attacks. However, password policies alone are not enough to protect against interface-level cyber threats. Multi-factor authentication is an important added layer of defence at the interface level if a password has been breached. It requires a second approval step from the end user, who can approve or decline the sign-in attempt. Read the Sophos guide on password and authentication policies here.
- Cautious Clicking – While the importance of continuous education is outlined above, emphasis must be specifically placed on awareness of phishing and social engineering threats. These are tactics used by cyber criminals who pose as a legitimate entity or person to trick the end user into disclosing sensitive information. Having a culture where employees can raise any concerns about suspicious emails or links can help nullify these risks. As mentioned in a previous post, targeted phishing campaigns are an important tactic. Companies should therefore encourage all employees to approach every link and attachment with caution and to be wary of the threats that malicious emails and links can bring.
Culture Shift – Fostering a Change of Attitude Towards Cyber Security
There is no quick fix for strengthening the weakest link in your cyber security defence. Fostering a change of attitude towards cyber security is a long-term approach, but it will provide long-term peace of mind and resilience for your organisation. This shift in attitude must come from the top. Cyber security is a business-critical issue, not something to be viewed as just an IT risk. Setting it as a board-level agenda item will underline the importance of a strong cyber security culture. Training employees to identify, manage and respond to cyber risks is the first step in protecting your network. However, board buy-in is imperative.
The aim of developing a cyber security culture is to make information security considerations an integral part of an employee’s daily life. It is important that employees are trained to act as a strong human firewall against cyber threats, as awareness campaigns alone do not provide enough protection against ever-evolving cyber threats. User education and training is an integral part of ActionPoint’s cyber security offering. We can provide you with practical user education materials that demonstrate the impact of an attack, and we can also assist with internal campaigns to test employees’ cyber awareness and behaviour when they encounter real-life cyber threats. Check out the ActionPoint website for more information on our comprehensive cyber security offering: https://actionpoint.ie/it-security/.