Imagine that you decide to beef up the security in your home. You install unbreakable glass in the windows and make them lockable. You install cameras everywhere. You install movement detection with back-to-base monitoring. You employ security patrols.
And then you go out and leave the front door open.
That is what it can be like with your business’s IT security when you don’t properly address your largest attack surface – your end-users.
Here we present some tips about what you can do to deal with this number one threat. These can help prevent attacks, but remember that none of these on their own can prevent a cyber attack on your business. You should exercise these in conjunction with a complete employee cybersecurity strategy and as part of a greater security policy and operation.
Steps you can take
Firstly, a reminder about what you can do to help stop your security from being breached:
- Patch, patch, patch. Often updates to your software exist to patch security holes that have been found. If you don’t install these patches as soon as they are available, you are at risk of attack. Hackers will jump on these vulnerabilities as soon as they are known, and use them to their advantage.
- If you don’t already have one, set up a proper and effective spam, surfing and malware trapping system.
- Use two-factor authentication.
- If all else fails, ensure you have good backups, and test regularly that the restoration of the backups works.
Remember that some spending now could save you much more down the track if your systems are compromised. According to IBM and the Ponemon Institute, the average cost of a data breach in 2020 in Australia was $3.35 million.
If all this is too much to cope with, talk to us about how we can help put the proper strategies and infrastructure in place to lock down your business.
Educate end users
Now to how you can transform your team from a security liability to a front-line soldier in the war on cybercriminals:
- Develop proper written cybersecurity policies and processes for employees and other end users to follow. Make the exposure to these part of the onboarding process, and make the end users accountable for following these. Discuss these policies and remind employees regularly about them. It is important for them to be aware that they can be the weak link in the security chain if they don’t exercise constant vigilance. Include guidance around:
  - Passwords – their length, strength, complexity, freshness, their reuse across multiple logins, and how they are kept secure
  - Phones and other portable devices. What happens if one of these is lost or stolen?
  - Leaving unlocked devices unattended
  - Unauthorised software
  - The use of external data sources such as USB sticks and external hard drives
  - Customer data such as personal records and credit card details
  - Giving access to third parties
  - Unusual notifications, such as changes to your suppliers’ bank account details
  There are many more areas that can be covered, but that’s a good start.
- Educate and test end users about the latest dangers of social engineering and phishing scams. This is the easiest way for cyber criminals to compromise your systems, and so it is where they focus most of their time. If you don’t ensure your team is knowledgeable about security threats, you can’t really blame them when something goes wrong. If you are updating your software against the latest threats, you should be updating your employees too. Share cybersecurity news with them, and think about a managed education program. Create good habits.
Stage a fake attack
A great way to train your end users is to conduct a fake phishing attack; for example, in a similar way to how you conduct a fire drill, you can generate an email that has the hallmarks of a phishing email and interact with those who respond to it to point out their error.
The best way to do this is with a third-party vendor, who can create campaigns that help end users come to grips with threats in an easily teachable way.
We can also set you up with a tailored education package for your employees.