When you are on the job – whether it’s at a corporate office, local restaurant, healthcare provider, academic institution or government agency – your organization’s online safety and security are a responsibility we all share. And, as the lines between our work and daily lives become increasingly blurred, it is more important than ever to be certain that smart cybersecurity carries over between the two. Week 3 will focus on cybersecurity workforce education, training and awareness while emphasizing risk management, resistance and resilience.
Effective security begins with awareness by each and every person inside an organization regarding what they can do to ensure online safety at work. From the newest hire or intern to the chief executive, every employee has the ability to harm or weaken the security posture of the organization. Software and hardware solutions are a great start but can only go so far. Common threats including social engineering, phishing attacks, and abuse of privileges circumvent traditional methods of detection and prevention provided by these solutions.
It’s everyone’s job to ensure online safety at work. This is accomplished by building a corporate culture that emphasizes cybersecurity and steers behavior toward a better security posture. Components of a cybersecurity culture involve the right mindset, leadership actions, training and awareness, and policy reinforcement. This week CSIAC will dig into these common threats to learn how to prevent attacks from occurring and teach organizations how to build a security-focused corporate culture in which everyone is responsible for their actions.
Your Role in Ensuring Online Safety
Bring Your Own Device (BYOD)
The lines between our work and daily lives are becoming increasingly blurred. An example of these blurred lines is the use of personal mobile phones in corporate environments. Most employees will read work emails, write and share important documents and have their corporate office network settings saved on their devices. All of this can be very convenient to the employee, but with convenience comes more possibilities of vulnerabilities and threats.
General users should understand why organizations may put controls in place to better secure their personal devices. It is common for organizations to create policies stating what is and is not allowed on devices. Lists of allowed applications, websites, and social media usage will be given to users to sign off on, agreeing that they will follow company policy. Furthermore, IT departments frequently limit the use of devices by requiring approval and the installation of remote-wipe and antivirus software before they can connect to the internal network. Controls such as allowed applications and approval of devices are not put in place to inconvenience users or spy on devices, but rather to prevent unauthorized devices from connecting to the office network. Having the ability to remotely wipe all data on a device if it is lost or stolen can prevent important documents or information from being placed in the wrong hands.
In addition to reading through, understanding, and agreeing to policy, users can take additional steps to ensure safety. As a user you can help ensure the safety of your corporation by keeping your device up-to-date and having some form of antivirus on the device. Yet the most important thing to do as a user, if you have a question about whether or not to connect a device to the corporate network, is to ask a member of the security/IT team at your organization. IT staff will let you know if you can connect the device to the corporate network and whether any other steps must be taken once the device has been connected.
Corporations have multiple reasons to be wary of employees’ personal use of social media at work. Not only is it a time waster, but it is also a security risk. Employees must consider what they post, especially if it contains sensitive data. Attackers may use the data posted online against individuals and the organization that they work for. For example, they may use social media to learn where the employee works and who they work with to map out an organizational hierarchy. In addition to learning about the corporate structure of organizations, attackers will use what individuals post on social media to guess employees’ passwords. Details such as employees’ interests, family, birthdates, and pet names can all be gathered from posts and used to break into accounts. To limit the ability of malicious outsiders to gain information about the company and the employee, users should review their social network connections and consider who is being added to their social circle.
Perhaps the area that general users have the most control over is the passwords that they use to log into their accounts. Users are responsible for choosing adequate passwords and keeping those passwords safe. Most organizations will have policies in place that require a minimum number of characters, numbers, and special characters during password creation. These attributes can help guide users into making more secure passwords. Additional actions such as enforcing password history, setting expiration dates, and enabling two-factor authentication (2FA) can add to the security posture of an organization. Lastly, as obvious as it may seem, DON’T SHARE PASSWORDS.
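To make the policy attributes above concrete, here is an added example (not code from the CSIAC article or any named product) of how an account system can enforce a composition rule, a password-history rule, and an expiration period. The policy values (12 characters, 1 digit, 1 special character, 5-deep history, 90-day maximum age), the fixed salt, and the sample passwords are all constructed for the illustration; the history is kept as salted PBKDF2 hashes so that earlier passwords are never stored in the clear.

```python
import hashlib
from datetime import date, timedelta

# Constructed policy values (an assumed corporate baseline, not the article's).
MIN_LENGTH = 12
MIN_DIGITS = 1
MIN_SPECIAL = 1
HISTORY_DEPTH = 5      # previous passwords that may not be reused
MAX_AGE_DAYS = 90      # expiration period
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so history is kept as hashes rather than plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def complexity_problems(password: str) -> list:
    """Return the composition rules the candidate password violates (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digit(s)")
    if sum(c in SPECIAL_CHARS for c in password) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special character(s)")
    return problems


def reused_from_history(password: str, history: list) -> bool:
    """history holds (salt, hash) pairs of earlier passwords, newest first."""
    return any(hash_password(password, salt) == old_hash
               for salt, old_hash in history[:HISTORY_DEPTH])


def is_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the maximum age."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def validate_change(new_password: str, history: list) -> tuple:
    """Apply composition and history rules; returns (accepted, list_of_reasons)."""
    reasons = complexity_problems(new_password)
    if reused_from_history(new_password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed account state: a fixed salt and one earlier password in history.
    salt = b"constructed-demo-salt"
    history = [(salt, hash_password("OldPassword#1", salt))]
    for candidate in ("short1!", "OldPassword#1", "correct-horse-battery-7"):
        accepted, reasons = validate_change(candidate, history)
        print(candidate, "accepted" if accepted else "rejected", reasons)
    print("rotation due:", is_expired(date(2019, 7, 1), date(2019, 10, 15)))
```

The history check re-hashes the candidate with each stored salt and compares the result, which is why a per-entry salt has to be kept alongside each hash; the expiration check is deliberately separate from the change validation, since it is evaluated at login time rather than when a new password is chosen.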
With how common phishing attacks have become, it is important that users fully understand the security risks associated with email. A basic security precaution users should always take is to check who the sender of the email is. A common tactic used by attackers is to send the email as if they were a member of the IT department or management. Attackers rely upon users trusting individuals who are hierarchically above them, or who have more IT knowledge than them, and following any instructions provided without question. In smaller organizations, users should go talk to the IT staff or management in person, while those in larger corporations can send an email directly to staff (do not click reply on the message in question) to verify the authenticity of such requests. Common malicious emails usually ask for changes to be made to computers or for external links to be followed.
Workers commonly do not understand that the messages that they send through email are in cleartext. What this means is that if an attacker is monitoring the network they can easily read the content of emails. Sending a message through email is like speaking to someone at the office water cooler: if someone is listening, they may hear you. In addition to coworkers, there may also be malicious outsiders hiding in the rafters or around the corner that you cannot see. The danger of malicious individuals listening for unencrypted network traffic is heightened if employees are connecting to public Wi-Fi, either knowingly or unknowingly. However, users can take steps to help keep messages “secret”. Popular email clients allow users to encrypt messages, ensuring that the sender and receiver’s conversation is better protected against eavesdropping. As a rule of thumb, users should never send sensitive data in an email, but if they have to, they should ensure that the message is encrypted.
Increasing Employee Training and Awareness
Training and awareness is key to improving the cybersecurity posture of an organization. Effective cybersecurity training and awareness revolves around clearly communicating to users what they need to look out for. Employees need to know the appropriate responses to questionable activity when it is spotted.
Just as important, however, is not losing the interest of those being trained. When providing training to employees, organizations should first assess employees’ current level of cybersecurity knowledge. It is essential to train users at their level. If training is too basic and already understood, employees may become bored, not take it seriously, and feel like it is not worth their time. However, if the material is above the skill level of the employee, they will become frustrated and not comprehend the training resources. By tailoring training to the employee’s current level of knowledge and ability, users will stay engaged with the material presented to them.
Cybersecurity training for users must not be a one-time thing in an organization. Training must be frequent so that the material and ideas presented to users are reinforced and tested on a consistent basis. As mentioned earlier, it is essential that users know what to do when they are placed in situations in which their data and company data are at risk. To train users, they can be placed in situations that mirror real life (in which role-playing is required) or situations in which the outcome is controlled. However, it is important that the training sessions are not known about by employees in advance. For example, trainers can hold phishing tests in which users are sent phishing emails to see if they open risky links, or conduct USB drops to determine whether, and which, users plug those drives into their computer. Individuals who take the wrong actions during these tests can go through additional training focusing on what it is they did wrong (without singling out employees). Conducting continual training will keep the lessons learned from materials fresh in employees’ minds.
Lastly, when trying to improve security awareness and training, organizations should realize that there is a variety of different forms of training, each of which has its own strengths and weaknesses. For example, training can come in the form of emails, memos, posters, presentations, CBT (computer-based training), and reading. Emails and memos can be digested quickly, and posters can be seen on a continuous basis; computer-based training may be more in depth, but it may also take the longest to complete. To be effective, training should be presented to employees in multiple forms to reinforce the lessons to be learned and to provide users with options on how they would like to receive their training.
Unfortunately, training is also usually the first to go in times of financial trouble or time crunches. If there is one takeaway organizations should learn from this article, it is that training and awareness must be stressed regardless of time or budget constraints, as the results of having untrained users can be disastrous. It will cost an organization much more to respond and recover after a cyber incident than to train employees and stay on top of the latest cybersecurity trends.
Promoting a Culture of Cybersecurity
An organization must build a culture centered on cybersecurity in order to emphasize, reinforce, and drive secure user behavior. Components of a cybersecurity culture involve the right mindset, leadership actions, training and awareness, and technical and policy reinforcement. Having the right mindset will increase readiness to quickly and accurately respond to cyber risks. During the process of creating and embracing this culture, leadership must set the example for others to follow.
Often overlooked is management’s role in the security posture of an organization. Management’s primary responsibility is to emphasize the importance and value of cybersecurity to the organization. They are the individuals who are in a position to convey why cybersecurity (in addition to other corporate goals) needs to be focused on. One successful attack could do damage to a company’s reputation and potentially put it out of business. Employees are used to hearing about cyber policy and procedure from IT staff and cybersecurity professionals. However, when discussed by the manager, employees are more likely to take cybersecurity seriously. Management should discuss cybersecurity with employees so that they know what management’s intentions are and what is expected of them. If users sense that management has not embraced cybersecurity education, awareness, and best practices, it is very likely that training and awareness programs will fail.
In addition to emphasizing value, managers can provide insight to IT staff that might otherwise be overlooked. Their position and experience in the company place them in an ideal position to know what is most valuable to the company. In promoting a culture of cybersecurity, managers should ask members of the tech team why decisions have been made and how and why the security controls have been put in place. By identifying what is in place, managers can help security staff understand where controls fall short. Continued input gets everyone involved in discussing cybersecurity, ensures its importance is not forgotten, and makes cybersecurity a team effort.