A chain is only as strong as its weakest link
Approximately 400 million malware attacks were executed across the world this past summer alone. Businesses continue to be hit harder and harder by increasingly sophisticated cyber-attacks. While many attacks are perpetrated from outside company walls, the reality is that the most looming threat comes from within: the employees. They are the most significant point of failure in terms of security vulnerabilities. From phishing attacks luring employees to click suspicious links that contain spyware, to weak passwords and leaks on social media – all of these attack vectors can be avoided with effective cybersecurity awareness training. The idea that a company could lose its entire reputation as a result of inadequate or nonexistent training needs to become a thing of the past. There’s far too much at stake to forgo training. If a company cannot train employees to protect themselves against cyber threats, how will those employees be able to help protect the company?
First and foremost, employees need to be trained to identify attack vectors. The most effective attack vector, and still the most substantial threat to Google account security, is phishing. For a detailed explanation of phishing, see Align’s article, “Something Seems Phishy.” In the early days of phishing, emails were obviously suspect and came from recognizably dubious senders, but today they have become extremely convincing. It is for this reason that every single email received should be opened with caution.
Employees should be sent mock phishing emails to ensure that they can find the signs of a suspicious email. Each time an employee successfully identifies a phishing email, the subsequent phishing tests should increase in the level of difficulty, improving an employee’s ability to recognize telltale phish signs. Basic phishing identification tactics must be instilled in users: scrutinizing the address and domain names of senders, not haphazardly clicking on embedded links or attachments, keeping an eye out for spelling mistakes or grammatical errors and knowing that emails from legitimate sources will never ask you to send out user credentials or personal information.
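The identification tactics listed above (scrutinizing the sender's address and domain, checking where embedded links really go, and being wary of attachments) can also be automated as a first-pass screen. The following is an added example written for this article, not Align's own tooling: it parses a raw email and reports the indicators a trained employee would look for. The trusted domain `example.com`, the risky extension list, and the two sample messages are all constructed assumptions.

```python
"""Flag basic phishing indicators in a raw RFC 5322 message: a display name
that claims a trusted brand while the address domain is not trusted, a
Reply-To pointing to a different domain than From, link text that names one
host while the href goes to another, and executable attachments.
Added example for this article (not Align's code); sample messages, the
trusted domain and the extension list are constructed assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the company's own domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, address = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(address)
    # 1. Display name names a trusted brand, but the sending domain is not that brand's.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and from_domain != trusted:
            findings.append(f"display name '{display}' but sender domain '{from_domain}'")
    # 2. Replies are routed to a different domain than the message came from.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    # 3. Visible link text shows one host while the href targets another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
            if shown and shown.group(0) != href_host:
                findings.append(f"link text shows '{shown.group(0)}' but href goes to '{href_host}'")
    # 4. Attachments whose names end in an executable extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"executable attachment '{name}'")
    return findings

# Constructed sample: a lookalike sender, a foreign Reply-To, a mismatched link and an .exe.
SUSPICIOUS = """\
From: "Example IT Support" <helpdesk@examp1e-support.net>
Reply-To: collector@mail-drop.invalid
To: employee@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Sign in at
<a href="http://login.examp1e-support.net/reset">portal.example.com</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""

# Constructed sample: a legitimate internal notice that should raise nothing.
CLEAN = """\
From: "Example IT Support" <helpdesk@example.com>
To: employee@example.com
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

The portal will be offline Saturday 02:00-04:00.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, phishing_indicators(raw))
```

Run as a script it prints four findings for the constructed suspicious message and an empty list for the clean one. Each check is deliberately simple and heuristic; a screen like this supports the training by surfacing the same signals employees are taught to look for, it does not replace their judgement.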
Another attack vector is unsafe websites. Employees need to know that navigating to dubious sites and downloading at random can expose their entire company to spyware. Spyware, which aims to gather information surreptitiously, can be downloaded onto a machine without user permission or knowledge. Spyware can remain hidden for a while before it is discovered, and will undoubtedly steal and potentially profit from compromised data. Additionally, malware that is self-downloaded and executed from suspect sites often comes in the form of worms. A worm is malware that is self-propagating, meaning it needs no form of user interaction to spread like wildfire throughout a network. This means that one employee who has received little or no training, who innocently clicks on what appears to be a new site, could lead to the undoing of an entire company.
In addition to being wary when clicking on obscure websites, employees must not turn a blind eye to software updates. Updates for your operating system, browsers and antivirus software contain security fixes that address bugs and vulnerabilities. Applying security updates as soon as they become available is key to protecting your devices. The ultimate example of the improper application of security updates is Equifax. If Equifax had applied Oracle’s Critical Patch Update (Equifax Breach 'Won't Be Isolated Incident') to address the Struts vulnerability, released months before being hacked, they might have looked a little less flagrantly responsible for their downfall.
Password Security TIPS
The 2016 Verizon Data Breach Investigations Report (DBIR) reported that, “63% of confirmed data breaches leverage a weak, default, or stolen password.”
It goes without saying that employees need to abide by strong password rules. Here’s a brief checklist of password best practices:
- For a password to be considered “strong,” it should contain a combination of numbers, upper and lowercase letters, symbols and include a minimum of 8 characters
- Writing a password on a post-it and sticking it to your machine is unacceptable
- Passwords shouldn’t be easy to guess
- Change passwords routinely
- Never keep the default password
If you are envisioning a hacker typing and guessing individual passwords, think again. To give you an idea, a brute-force attack is one that simply tries all possible combinations of passwords.
- If a modern, somewhat slow computer can calculate 3,000,000 password variations in 1 second, it can crack a 6-character, single-case password in 103 seconds, clearly making the name of your dog inadequate (26^6 password variations / 3,000,000 password variations per second = 102.97 seconds).
- On the other hand, at this rate a 10-character password that is alphanumeric and contains special characters would take 208,095 years to crack, making this approach utterly useless to a hacker.
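The checklist above and the brute-force arithmetic behind it can be put into a small policy check. This is an added example written for this article, not Align's code: `check_password` applies the checklist bullets (minimum 8 characters, mixed case, digits, symbols, no default or commonly guessed values), and `seconds_to_exhaust` reproduces the article's estimate as charset^length divided by guesses per second. The 3,000,000 guesses-per-second rate is the article's figure; the list of default passwords is a constructed assumption.

```python
"""Password checklist plus worst-case brute-force estimate, as in the
article's example (26^6 / 3,000,000 per second = 102.97 s for a 6-character,
single-case password). Added example for this article, not Align's code;
the default-password list is a constructed assumption."""
import string

GUESSES_PER_SECOND = 3_000_000          # the article's "somewhat slow computer"
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed: defaults and guessable values a policy should reject outright.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "welcome"}

# Character classes the checklist asks for, with the symbol count each adds.
CHARSETS = [
    ("lowercase", set(string.ascii_lowercase)),   # 26
    ("uppercase", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),               # 10
    ("symbols", set(string.punctuation)),         # 32
]

def charset_size(password):
    """Number of symbols an attacker must enumerate per position: the union of
    every class the password actually uses (all-lowercase -> 26, lowercase
    plus digits -> 36, all four classes -> 94)."""
    chars = set(password)
    return sum(len(cs) for _, cs in CHARSETS if chars & cs)

def seconds_to_exhaust(charset, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of this length over this charset."""
    return charset ** length / rate

def years_to_exhaust(charset, length, rate=GUESSES_PER_SECOND):
    """Same estimate expressed in years."""
    return seconds_to_exhaust(charset, length, rate) / SECONDS_PER_YEAR

def check_password(password, min_length=8):
    """Return the checklist violations for a password (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    chars = set(password)
    for name, cs in CHARSETS:
        if not chars & cs:
            problems.append(f"no {name}")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default or commonly guessed password")
    return problems

if __name__ == "__main__":
    for pw in ("fido", "Fido2024!", "changeme"):
        cs = charset_size(pw)
        print(f"{pw!r}: charset {cs}, exhaust in {seconds_to_exhaust(cs, len(pw)):,.0f} s,"
              f" problems {check_password(pw)}")
```

The estimate is deliberately the article's simple model (every combination tried, at a fixed rate); it shows why length and character classes both matter, but a real attacker prefers dictionary and leaked-password lists, which is why the "easy to guess" and "never keep the default" bullets are enforced separately from the keyspace arithmetic.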
Testing and Enforcement
Cybersecurity training can be tedious, but it doesn’t have to be. Employee education modules can be crafted not only to be engaging, but to improve information retention. Effective security awareness training should cover the identification of risks, threats, mitigation and remediation. Employees should also be tested and retrained on educational modules in a variety of formats to offer convenience and 24/7 access. But how can you make sure your employees are making progress? Reporting on education, retention and performance can be provided to those managing employee education.