Building a Security Mindset: Are Your Employees Cyber Savvy?
When it comes to data privacy and security, employees expect their employers to safeguard them from malicious attacks. That’s a nice idea but keeping your organization’s data and documents protected requires a team effort —extending beyond the IT department down to every department’s printers, copiers and faxes, and each employee’s desktop and mobile device.
Security breaches have been on the rise,at increasing costs to organizations. Headline-grabbing breaches are often aided and abetted by a harried staffer who:
Falls for a phishing scam and gives up credentials and other data that provides easy access to a network, data and documents.
Unleashes malware and ransomware with a single click on a link or attachment.
Hands over bank account information or makes direct payments to cyber criminals impersonating legitimate executives and vendors.
Exposes trade secrets and other sensitive information by leaving important papers at a printer.
Creates a gateway for hackers by leaving a network- or internet-connected device unsecured.
The costs of these mistakes can add up fast and may leadto drops in average stock prices, loss of current customers and potential loss of future ones. Additionally, companies may have to pay for post-breach activities like help desks, remediation and regulatory interventions. That’s why more IS and IT leaders are delegating cyber security responsibility across the organization and engaging individuals in being more effective watchdogs.
So How Do You Help Create a Culture of Security and Privacy in the Workplace?
Start by re-framing the problem to help employees realize they do play a role in protecting companies and themselves. Don't focus solely on the latest incoming threats. Most employees don’t realize they are often the real marks and enablers, erroneously assuming only higher-level people are targets. Often, average employees don’t believe that they deal with “sensitive information” or do the kind of work that’s of value to the bad guys. Using examples of large-scale security and data breaches that were deployed by a single low-level staffer will help them see why their vigilance is crucial. Once you’ve got their buy-in, offer training and awareness programs, and institute new policies and practices.
Teach Simple Tactics for Identifying Scams and Threats
Vigilance is easier than you think when employees know what to look for and what to do (or not do). Email is still the most popular entry point for cyber criminals, so that’s a good place to start. According to the FBI’s Internet Crime Complaint Center, called IC3, email-based threats have cost US businesses $1,629,975,562 in just two years. Avoid this by training employees to:
Safeguard passwords and usernames. Security breaches often involve passwords and other privileged credentials. Require employees to change usernames and passwords frequently and discourage sharing and recycling of these credentials.
Pay attention to URLs and email addresses. Many employees feel they don’t have time to carefully examine URLs and email addresses to make sure they’re legit. Criminals capitalize on this by using URLs and addresses that look correct at first glance, but in fact are missing a character or have an extra extension.
Look, for urgency and errors. Many fraudsters make intense and time-sensitive requests like “pay this vendor” or “give me the log-in data” hoping employees will skip important protocols or common sense to respond to an urgent request. Too often, it works. Another red flag: bad grammar, generic salutations and spelling errors.
Be careful with attachments. Opening or downloading attachments seems innocent until the act infects the entire company with malware or ransomware.Remind employees to just say no to attachments from people they don’t know or that seem suspicious.
Ensure Document and Device Security
Limit access to printed documents. In most offices, it’s easy for someone to grab papersoff a printer and walk away. Control access to documents by delaying printing until the authorized recipient is at the machine, requiring a PIN that’s entered at the printer to begin the print job, enable Active Directory or LDAP authentication, or deploy NFC access cards. You can even assign an expiration date for how long the job remains in the device memory. And don’t forget to restrict access to the printer, fax and copier settings and functions, too.
Safeguard digital documents. For scanned documents, require employees to convert the scan to a secure PDF and assign a PIN so the document can’t be opened without permission. Enable Transport Layer Security and 256-bit AES encryption to keep files sent over your network from being intercepted and compromised.
Secure devices on the network. The IC3 noted that more crimes are being committed via the Internet of Things, so device security is crucial. Unsecured printers, copiers and scanners are tempting to enterprising hackers. “Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam emails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks,” the Center wrote in a news release. It’s also imperative that your web server is protected with two-layer verification so only authorized users can access it from mobile devices and laptops.
Blending technology and training is the best way to boost data and device security in your organization. Follow these steps to enlist your employees’ help in guarding against fraud and cyber crime.
Want a printer-friendly version of this article to share with your staff?