October is Cyber Security Awareness Month. Follow our blog for the latest from our experts on how to reduce your cybersecurity risk and related issues.
Although much of the media attention surrounding cybersecurity tends to focus on hackers forcing their way into systems, research shows companies are almost twice as likely to suffer from a self-inflicted breach via email phishing, or other inadvertent employee-assisted action.
According to the latest data from ISACA, 74 percent of companies expect to fall victim to a cyberattack in 2016. A majority of those attacks (60 percent) are coming via email, with 30 percent of companies reporting daily occurrences.
Cyber criminals favor this and similar employee-assisted attack vectors because they provide access to secure networks through the front door, eliminating the need to hack in. Email security concerns and the importance of developing and following strict network security protocols have escalated to the point of becoming a point of contention in the current election cycle.
Here are ten ways companies can raise employee awareness of the threats, and the important role employees can play in protecting valuable and sensitive information.
- Beware of email links and downloads — This is true even if the sources appear to be known to the user. Cyber criminals are becoming adept at embedding malware and credential-stealing code in emails that appear to be coming from friends or colleagues. This practice, called phishing, is the most common source of employee-assisted breach, and has become so sophisticated that the fake emails often contain personal details designed to break down natural suspicions. We advise users to hover over links with their cursor to reveal the hidden destination behind the displayed text, or to type a known URL into a web browser rather than relying on an email hyperlink.
- Don’t email sensitive information — This should be common sense, but it happens more often than you might think, often in connection with providing vendors with administrative access to accounts using another user’s credentials.
- Assume people are listening — Treat unencrypted email like a conversation in a crowded room. Even if the company doesn’t have good policies on it, employees need to use common sense. Sensitive information should only be transmitted via encrypted email or secure file transfer.
- Trust but verify — No one should ever ask you to share your password. A good practice when dealing with any sensitive information by telephone is to hang up and call back using a known telephone number. The same practice should be applied to hyperlinks in email or web pop-ups, which can be used either to collect sensitive information, or as a gateway for criminals into a secure network.
- One user, one password — Never share passwords; change them frequently and pick secure ones based on phrases, using a combination of upper and lower-case letters, and substituting special characters for alphanumeric values. Example: Pa$sw0rd. Two-factor authentication (combining, say, token authentication or biometric scan with a user password) is highly recommended and is becoming the standard for administrative access.
- Practice safe social media — Hackers are increasingly mining social media for personal details — from political party affiliations and hobbies, to travel plans and friends and family — that can be used to personalize harmful emails in order to get targets to click on them. A common tactic is for hackers to pose as a new contact following up on a conversation at a conference. This type of social engineering, also called “spear phishing,” has proven to be highly effective. Employees must be thoughtful about what they are posting and how that information could be used to target the organization. In a similar vein, network engineers should be cautioned against posting sensitive information such as IP addresses or configuration details to vendor support forums, the so-called “watering holes” where criminals have been known to lie in wait for unsuspecting prey.
- No unauthorized software — This is a common policy, but given the unpredictability of human behavior, many companies now routinely disable administrative access on company-issued workstations, phones and laptops. Given the trend toward remote access and “bring your own device” (BYOD), organizations need firewalls to segment secure systems from malware residing on user-owned devices. The use of USB sticks of unknown or uncertain origin should be prohibited.
- No access via shared public workstations — It is safe to assume that any unsecured public workstation — such as those at libraries or hotel business centers — has been compromised. Do not use these to log into corporate networks or sensitive sites such as your personal email or banking. Connecting to any unknown Wi-Fi network, as well as inadvertently creating a personal hotspot with a mobile device connected to a corporate network, can provide a backdoor avenue into the company.
- Don’t mix business and pleasure — Company phones and laptops should only be used by the authorized user, and only for business purposes. Children playing on company-owned computers have been known to inadvertently infect computers with malware present in many free online entertainment applications.
- Don’t forward work email to a non-work account — This is a common mistake, but one that should be avoided. The practice of auto-forwarding email from work to a personal email account or cell phone puts sensitive information on a potentially unsecure system and could violate regulations on privacy and data security.
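The "hover over links" advice in the first tip works because the visible text of a link and its real destination are two different things. As an added example (not part of the original post), the script below automates that check over an HTML email body: it flags anchors whose displayed text looks like a URL or domain but whose href points at a different site. The sample message and the `example.com` / `.test` hosts are constructed for illustration.

```python
"""Flag 'hidden hyperlinks': anchors whose visible text names one site
while the href actually targets another. Added example; sample is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: only the second link is deceptive.
SAMPLE_EMAIL = """
<p>Please review the <a href="https://intranet.example.com/report">quarterly report</a>.</p>
<p>Your mailbox is full. <a href="http://login.example-mail.evil.test/reset">https://mail.example.com/reset</a></p>
<p>Visit <a href="https://www.example.com/">www.example.com</a> for details.</p>
"""

# Visible text that a reader would interpret as a web address.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def _host(value: str) -> str:
    """Lowercase hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _same_site(a: str, b: str) -> bool:
    """Same site if the hosts match or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self._href, self._text, self.links = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html: str) -> list:
    """Return (href, text) pairs whose text looks like a URL for a different site."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if URL_LIKE.fullmatch(text) and not _same_site(_host(text), _host(href))]

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: text '{text}' -> actual destination '{href}'")
```

Links whose visible text is ordinary words ("quarterly report") are not flagged, since there is no claimed destination to compare against; those still deserve the hover check by hand.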
Although these tips apply to all employees, I would note that executives are targeted at least as often as other employees, because of the greater access granted by their high-level security credentials. As with most policies and procedures, proper training, reinforced through repetition, is critical to success.
While we as security practitioners strive to design security controls to be seamless and not dependent on end users, we are still years away from not having to rely on the vigilance of the end user community. Each person needs to do their part to keep the organization safe. Finally, if you inadvertently fall victim to a cyberattack, immediately report it through the proper channels. Bad news does not get better with age, and prompt action can limit the damage from an attack.