20 August, 2021

Low Hanging Fruit Ninja: Slashing the Risks of the Human Element

Author: Kathy Collins
A long time ago in a galaxy far, far away, I was not a Security Consultant.  I was a Chef.  And I worked as a corporate Chef for an organization that required very long, complex passwords that had to change every 90 days and could not match your last 6 passwords.  I was super busy, usually stressed, and the password expiration notice came up at the most inconvenient times.  This made it frustrating and felt like a hassle.  At this point, I did not understand the importance of keeping a password this secure, why my computer kept bothering me about updates, or why our security guards kept grilling my friends and vendors when they came to see me.  I just didn’t realize how necessary it was for this particular organization to protect its data.  And no one ever explained it. 

Fast forward ten years, and boy, do I understand now.  I often think about how I felt in that situation, and how little it would have taken for me to comprehend the reasons behind it.  Although technical people may have a better understanding, security requirements can be confusing and cumbersome for technical and non-technical users alike.

The human element plays such an important part in an organization’s security defense.  A good system can fail as a result of employee carelessness, indifference, frustration or resentment.  Time and time again, humans expose vulnerabilities through mistakes, ignorance or deliberate actions.  This makes for a challenge with an almost unlimited number of variables.  A user who is normally security aware can be having a bad day and make a mistake in a distracted moment.  And considering the stresses of the last 18 months, this may be more likely than ever.  Top that with some work-from-home risks and garnish with opportunistic bad guys, and we have a recipe for attackers to snack on some malicious, delicious exploits.

So how do we reduce this risk?  Training is the first line of defense.  But the easiest check-the-box solutions can be expensive, impersonal, and not always effective.  Whenever possible, try to get someone in front of your people and give them real-world scenarios they can relate to.  Employees can be the biggest liability or the greatest asset when it comes to protecting sensitive information.  What are the real risks to them, their jobs and their clients if your organization were breached?  What are the viable threat vectors?  How can you empower employees to help keep data safe?  How can you implement creative incentives to encourage them to be proactive?  The answers to these questions can be very different between organizations.

I’ve listed some of the threats we humans are vulnerable to below.  How best to build awareness and protection is a decision specific to each organization.  The size of the organization, budget, time constraints and a number of other factors can create challenges.  Check back in with us soon for more information on how we may be able to help guide you and your employees in a safer direction.

  • Phishing Emails – Unsolicited emails, unexpected attachments and invitations to click on unknown links should always arouse suspicion; check where a link really points before clicking it.
  • Password Security – A long, strong password policy is paramount, and long, unique passwords matter more than frequent forced changes.  A password manager makes them practical, while 90-day rotation like the policy in the story above tends to produce predictable variations of old passwords.
  • Removable Media – USB drives, CDs and similar media are convenient delivery vehicles for malware and should not be plugged in unless their origin is known.
  • Safe Internet Habits – Users should know what HTTPS does and does not guarantee (it protects traffic in transit but does not vouch for the site behind it), the dangers of downloading untrusted or suspicious software, and how to recognize it.
  • Social Networking Dangers – Sometimes the smallest details can be pulled from pictures, comments and seemingly innocent interactions and used to craft targeted attacks.
  • Physical and Environmental Security – Employees should always feel comfortable pointing out damaged, dangerous, buggy or missing controls.
  • Clean Desk Policy – Sticky notes, printouts and files containing sensitive information should not be left out in the open.
  • Wi-Fi – Traffic on public, open (non-password protected) Wi-Fi can be captured by anyone in range, so sensitive data should only be accessed over it through an encrypted connection such as HTTPS or a VPN.
  • Social Engineering – From tailgating to impersonating IT, this type of manipulation of users is common and effective.
  • Updates – Don’t ignore those pop-ups.  Besides adding new features, they patch security flaws that attackers actively exploit.
