Cyber-attacks and the resulting data breaches are all over the headlines. This year, we've seen the Anthem breach, a billion-dollar cyber-heist that affected up to 100 banks worldwide, the OPM data breach, and the Ashley Madison breach, to name a few. Cyber-attackers exploited various methods – viruses, malware, etc. – to grab information from these organizations, but a common thread running through major breaches is human error, whereby people are being fooled into giving thieves back door access into critical information systems. The Anthem breach and the bank heist, for example, are thought to have originated with phishing attacks against employees.
While cyber-attackers are becoming ever more sophisticated at stealing information from business systems, gaining entry into those systems is relatively easy because employees, vendors, and sometimes customers are not very sophisticated at keeping them secure. You can't stop mistakes and you can't stop breaches all of the time, but you can practice breach resilience, and that will keep more of your data safe, more of the time. Let's look at some of the basic security concepts and practices your employees, users, and customers need to know.
Practice basic hygiene
The foundation of a breach-resistant user base is a culture of security: not just periodic training, but ongoing communication about threats, risks, and best practices. Brian Contos, chief security strategist for Norse, says that building security consciousness takes collective effort. In a recent Dark Matters article, he recommended holding frequent, interactive training that educates the workforce on current threats and defense tactics, and that brings executives, management, and employees together to share experiences and help educate each other.
Awareness programs should also promote basic security hygiene reinforced with ongoing information about new threats and the consequences of poor security practices. At a minimum, every user needs to know that data theft and cyber-attacks are a daily concern, and that what they do in their personal lives can affect their privacy and financial well-being, as well as the organization's.
Don't go phishing
Phishing, especially targeted or "spear" phishing, is typically the first stage in a multi-stage cyber-attack. But you can fight back: here are some basic tips from US-CERT that every user should know.
- Don't open unsolicited emails, and don't click on links or open attachments in them.
- Be suspicious of claims that are too good to be true. Typical examples are weight loss claims, sexual enhancement claims, and people claiming to want to give you large sums of money. These are often easy to spot because of poor spelling, wrongly used legal terms, and other mistakes.
- Be careful about responding to, or providing information in response to, unsolicited emails that claim to come from banks, the IRS, or other organizations, and don't fall for scare tactics. Anyone you deal with already knows your name, your bank account number, your medical ID number, etc. They won't call asking you to "confirm" it. If users aren't sure about an email, they can call the organization directly, using a number they already have rather than one from the email, to check whether the email is legitimate.
Phishing also happens on social media, so warn users not to share personal information with someone they don't know in real life, and, if they receive an unusual communication that seems to be from someone they know, to call that person and check it out.
Practice mobile safety
Employees need to understand that their personal mobile devices face the same threats as any other computer. IT departments need to conduct ongoing training and enforce mobile security best practices and habits among employees in order to keep their mobile devices secure:
- Always install OS and other updates with security patches promptly.
- If you bring your own devices to work, run security software on them.
- Don't download apps from non-trusted sources.
- Avoid storing business data on personal devices.
- Don't share a device used at work with a friend or family member. Installing apps is easy, and kids don't think twice about downloading any app that looks appealing.
Stop visual hacking
Visual hacking is exactly what it sounds like: people stealing information by looking at private data on a screen or on paper, or by watching someone enter it on a computing device. To combat visual hacking, users need to be trained to be aware of their surroundings. They need to minimize exposure by:
- Working with their backs to the wall when in public areas.
- Using lock screens and secure work areas when leaving their desks.
- Reporting suspicious activity right away.
No foolproof solutions
Information security is costly. Not every organization can afford dedicated infosec staff, and security and privacy decision-makers need to consider the costs and benefits of new security products and services.
Regardless of your security and privacy budget, or lack of one, all the experts and technology in the world won't protect your organization's information if the rest of the staff and users leave the door wide open to cyber-attackers and thieves. Your immediate best investment is to turn every person who deals with your systems into a security person.
If you can stem the tide of user mistakes and if you can build breach resilience into your workforce, your business partners, and your customers, you'll lose less information and less often. You can start today with your staff.
Rick Kam is co-founder and president of ID Experts and Doug Pollack is chief strategy officer at ID Experts.