Most of us have goals for 2017 in place at this point, but we want to touch on one that doesn’t usually get much attention yet has a huge impact: training. We bring it up in the context of the attacks we see every day on company data and resources, particularly the devious use of social engineering.
While there are devices and applications like firewalls and antivirus software that help to protect networks and computers, employees remain the largest security hole. Unfortunately, there is no sure-fire way to shore up this security hole short of denying access to the Internet and company resources – certainly not a sustainable business practice.
We can, however, train our employees on security best practices to help bridge that gap, and it can be done in a way that is not time intensive or painful. Most of us have kids and/or animals at home and have probably struggled with getting them to take medicine. One of the easiest ways we have found to overcome the problem is hiding the pill in food so they never realize they took the medicine and just get to enjoy the effects of feeling better. The same can be done with security training.
Breaking communications up into smaller tidbits (targeting specific threats, building them into new employee training and touching on the topic during employee meetings or reviews) will help to continually reinforce the mentality. When December 2017 hits and you start to look back on the year, you can sit back and appreciate a more security-aware company.
Doing a quick Google search for security best practices and training opens a black hole that you can spend hours diving down. Stop. Here are the most common types of attacks employees will run across in their normal day-to-day activities, with some options for each:
Email: We often see someone use an email address that mimics your company email to request information or to get you to take some action. An example could be receiving an invoice from firstname.lastname@example.org instead of email@example.com. A lot of us are so used to speed reading emails that we miss that the first address has an “m” instead of an “n” in the company name.
The easiest prevention methods for these types of attacks are:
1. If you get a request that doesn’t seem right or involves large sums of money, reach out to the requester either via phone or in-person to confirm and get details.
2. Do not open attachments or click on links from people or companies you are not expecting to hear from.
3. If you are an Applied Tech client and there is ever a question or doubt, contact the Applied Tech help desk.
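The “m” instead of “n” trick above can be caught automatically. This is an added example (not Applied Tech’s code) that flags a sender domain as a lookalike when it is one character away from the trusted domain or matches it once common confusable characters are collapsed; the domain names it checks are constructed for the example.

```python
# Added example (not Applied Tech's code): flag sender domains that look like
# a trusted company domain but differ by a swapped or confusable character,
# such as "m" in place of "n". All domain names below are constructed.
import re

# Visually similar sequences commonly used in lookalike domains
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse confusable character sequences."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'; '' if none found."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def check_sender(address: str, trusted_domain: str) -> str:
    """Classify the sender's domain as 'exact', 'lookalike' or 'other'."""
    dom = sender_domain(address)
    trusted = trusted_domain.lower()
    if dom == trusted:
        return "exact"
    if normalize(dom) == normalize(trusted) or edit_distance(dom, trusted) <= 1:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample senders checked against the constructed trusted domain
    for addr in ["ap@company.com", "Accounts <ap@compamy.com>",
                 "ap@cornpany.com", "ap@vendor.net"]:
        print(addr, "->", check_sender(addr, "company.com"))
```

A mail gateway rule or a small script over the message headers can use the same check to warn the recipient before they act on a lookalike invoice.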
Websites: Navigating the internet can be risky as well. A couple of rules of thumb for navigating sites:
1. Do not click on links through third-party sites if you need to navigate to important sites like banking, email, etc. Type the website directly into the address bar or use a reputable search engine like Google and search for the specific company and navigate directly to their site.
2. Nothing good comes from clicking through the prompts that pop up from sites like “You’ve won a free iPad.” Clicking okay or cancel can start malware installs and other hacking. If these windows come up, it’s best to try and close them from Task Manager.
3. Applied Tech, Microsoft and other reputable companies should never pop up a window prompting you to call a number like 1-888-Get-Help or any other number. Applied Tech’s systems will not prompt you to call us. Depending on your security settings, you may get a pop-up or notification when an Applied Tech employee connects to your machine, but they will notify you when connecting.
4. If anything comes up that is suspicious, that you’re not sure how to handle, or that just doesn’t feel right, call the Applied Tech help desk.
Passwords: Everything has a password, and it can be a hassle to remember them all. One of the biggest password risks out there is using the same password for everything. If one password is compromised, it could compromise any other system that uses the same password. There are easy ways to manage this:
1. Use different passwords for each site, portal or application. Most will not prompt you to change your password over time, but a good rule to remember is to change your passwords at least once every 90 days, whether you are prompted or not.
2. Use strong passwords that do not use full words (myCarisBlue), key words that are personal to you (myDogFido) or common passwords (password1). Passwords should be a combination of characters (upper and lowercase), symbols and numbers. If you want a password that is strong but easy to remember you can always convert words like myC@r1$Blu3.
3. Having a lot of passwords is going to make you want to write them down, keep a Word doc on your desktop or a notes file on your phone. Do not do this. If you struggle to remember all your passwords, try using a password vault like KeePass or Roboform. They let you store your passwords in one place behind a single strong password that you need to remember to access them.
4. Think about activating multifactor authentication (MFA) on sites or applications that offer it. This will prompt you not only for a password, but also for a secondary code that is generated by an app on your phone or some sort of USB key. This secondary code changes after each use or set period and makes it harder for others to try and hack your account. Even if they manage to guess your password, they still need to have the secondary authentication.
Working from home/Bring your own device:
The last area to consider is how you access work resources from non-company machines. Everything we do to protect company assets can be undone if your home machine is infected and you try to access your work network from home. Here are things to consider with remote workers or those who use their own devices to conduct business:
1. Make sure the home computer has anti-virus. There are a number of good, inexpensive solutions on the market: Webroot, Kaspersky and Trend Micro, to name a few.
2. Require VPN access and remember to disconnect the VPN connection when your work is completed.
3. If you suspect your home machine is infected or not working correctly (odd pop-ups, slowness, etc.), have an authorized computer repair service come check it out before using it for work. DO NOT use free online repair/tune-up programs or services, as these can lead to infection and further issues.
Now, whether you send out a mass email, build these into existing Internet and email usage policies or have conversations with your employees around each one, we would recommend crafting training around this. IT security is a job responsibility of all employees, whether they are an internal IT resource, a C-level business representative or anyone else within your organization.
Security training should not be a once-and-done initiative either. Think of ways to remind everyone about these topics quarterly or annually. You will find your employees will have great feedback and become security advocates protecting your clients, your data and your business. You or your employees may have additional questions. If so, feel free to reach out to Applied Tech; we are more than happy to help.
Contact us at (608)729-1300