How great would it be if we could walk into a store and buy cyber security off the shelf? Such convenience is a dream, but we can all dream, can’t we?
The reality is that cyber security cannot be bought this way; it must be taught. This brings us to the inherent threat in every organization – the human factor.
When we talk about threats in this respect, we tend to look at external threats affecting a company.
The focus is on those external threats and how to prevent the organization from falling victim to them, but the real threat, the weakest link, is the employee.
Today, we will focus on this ‘weak link’ and on ‘strengthening’ it with education. Employee education is the key and it should not be overlooked. “Good cyber security cannot be purchased; it can only be obtained by educating employees.”
The sad reality is that employees are not receiving adequate cyber security education. As reported by SungardAS (a US disaster recovery and business continuity services provider), employee behavior is one of the biggest threats to a company’s cyber security efforts. The major concerns are employees who are careless with their mobile devices (an integral tool in business – communication, phone calls, business e-mails, storing documents, accessing cloud services, and the list goes on), who do not pay heed to good password management, and who click possibly malicious links in their e-mails without regard to the consequences of their actions.
The weakest link lies between the keyboard and the chair. What is to stop the employee who is determined to click that link in the e-mail without due consideration? Therein lies the ‘invitation’ for malware to come in. It is the ‘opening of the door’, so to speak, that can only lead to disaster. Many security breaches over the past twelve months were initiated by users clicking a link in a phishing e-mail. Education can reduce such behavior, though not necessarily eliminate it.
Why cyber security education? Employees have to understand the consequences of their actions.
1. To protect organizational data and information related to customers and suppliers.
2. To prevent downtime and loss of productivity. The cost of downtime can be very high, and productivity suffers if attacks by cybercriminals impact the use of computers.
3. If customer data is stolen, the company’s credibility is at stake. This will in turn impact the company’s ability to attract new customers and retain current ones.
4. Employees’ careers and jobs may be at stake if the company has to pay a fine for the loss of customer data.
5. Employees must be made to understand that what they do daily matters; ultimately they are the ones who can prevent most cyber attacks.
“The best security practices come down to common sense, not sophisticated technology”, said Ashley Schwartau of The Security Awareness Company.
Recommendations
1. Incident response – knowing how and to whom to report incidents.
2. Passwords – knowing how to create strong passwords and changing them regularly.
3. Malware – understanding the types of threats and how to avoid them.
4. Safe surfing – being aware that you stand between the company and the outside world. You represent your company when online.
5. Phishing and social engineering – recognizing phishing attempts and social engineering attacks.
6. Mobile and the cloud – files stored in the cloud are not necessarily immune to security threats. Treat mobile devices as you would any computer.
7. Preventative care – installing anti-virus software, taking regular backups, and patching software and operating systems when updates are available.
8. Non-technical and physical security – sensitive documents are to be shredded when no longer needed; staff and guests require identification cards / badges. Keep track of all devices.
9. Privacy – understanding how identity theft occurs and how to protect against it.
10. Policy – knowing and understanding the security policy and the consequences of not following it. Know where to find the security policy if in doubt.
Credit: The Security Awareness Company
Source
1. Forbes.
2. The Security Awareness Company.
3. Infrastructure Intelligence (pic 1).
4. Google Play (pic 2).
The Week That Was
1. Dyre Wolf malware – a variant of the Dyre Trojan that has evolved to become more sophisticated and now targets organizations, where the big payout is.
2. Anonymous – the infamous Anonymous group threatened Israeli websites, vowing an ‘electronic holocaust’ against Israel with the promise to erase the country from cyberspace. A few hacking incidents against Israel were noted; this was the fourth such cyber attack against the country.
3. Malicious Google Chrome extension – “Webpage Screenshot” advertises itself as a way to take screenshots of web pages but is doing more than that. It is also collecting more than 1 million users’ browsing details in an effort to sell them to third parties.
4. New WordPress plugin threat – the FBI warns that WordPress websites are being defaced by the Islamic State through the exploitation of plugin vulnerabilities. These vulnerabilities enable an attacker to gain access to the website, bypass security restrictions, install malicious software, manipulate data and create accounts with full user privileges.
5. Crypto ransomware – on the rise, with many variants, each bringing its own tactics to ensure victims pay the ransom.