What is the number one threat to your information technology systems? No, it is not a spy somewhere deep in Russia trying to steal your bank account. Nor is it your competitor's disgruntled employee looking for a new product design. And no, it is not a teenager looking for something to brag about to his friends. All of these are real threats, and their varied motivations are the most common reasons hackers attempt to get into your data systems. But the top threat is the one already inside your business: the employee who does not lock the door properly, or who hears a knock on the door and opens it.
Employees involved in a breach are usually not malicious; they often don't even realize what they have done. They are busy, focused on the important tasks of the day, and a pop-up window has just told them an issue was detected on their PC and to "Click Here to Fix It". Clicking is like opening the warehouse door: one of the threats listed above walks in and has free run of the place. Or the same busy employee wants to log in quickly and does not want to remember a long password, since a short one gets them in faster, so they key in the tricky "who would ever guess this?" password of "123456" (the most common password of 2017) and log in.
A recent study found that negligent employees are the number one cause of cybersecurity breaches. The lack of employee awareness about good IT security has an even bigger impact with the rise of mobile computing, where a lost phone or tablet can give an outsider direct access to corporate systems. No amount of technology (firewalls, security patching, anti-virus, group policies, and so on) will stop an attack when a user with legitimate access opens the front door.
The Remedy: Train Users in IT Security
Users need not be experts, but they should understand why IT security matters, what the common best practices are, and what an attack looks like.
Keystone offers this training for our clients in a fun, friendly lunch and learn. This format matters because it makes users aware and lets them interact with our cybersecurity experts about things they see in real life. We cover two main areas:
- Types of attacks and best practices to stop them.
- What to do if you think your device has been compromised.
We want users to know what a valid request looks like, and what to do if they have a sinking feeling that they just clicked the wrong button. Users should know we are not looking to place blame; we are trying to secure the environment quickly, and the sooner they report it, the less damage is done.
In our training, we cover:
- Social Engineering, or as a famous hacker once said: “…much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.”
- Safe web browsing habits
- Email Compromises
- Phishing and Ransomware examples
- Good Password Policies
Good Password Policies to Counter the Number One Threat to IT Security
We can't cover everything we do in training, but one area we can share here is good password policies. A poor password is SO EASY TO HACK, so follow these rules to improve your protection.
- Don't use a weak password. Oddly enough, many people use the password "password".
- Don't use anything on the common password list. Attackers try those first, and they fall in seconds.
- Don't write your password down and leave it where others can find it (I recently heard about a president of a company who, upon receiving this training, sheepishly pulled a slip of paper from his wallet with all of his "secure" passwords on it).
- Don't reuse passwords across sites; have a unique one for each site. Your bank site may never be hacked, but the community bulletin board where you used the same password will be, and attackers take that leaked list straight to the banks.
We then wrap up with suggestions for good patterns, and tools such as password managers that make unique passwords easier to live with.
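To make the rules above concrete, here is an added example (not Keystone's training material or tooling) of the checks a password policy can enforce automatically: reject anything on a common-password list even after the usual "P@ssw0rd!" substitutions, require length rather than symbol-soup, and generate a fresh random passphrase per site so reuse never happens. The common-password list, the word list, the MIN_LENGTH value and all function names are constructed for this example; a real deployment would check against a full breached-password corpus and a word list of several thousand entries.

```python
"""Password policy checks and per-site passphrase generation (added example)."""
import math
import secrets
import string

# Constructed sample of a common-password list. Real lists (published
# "most common passwords" rankings, breach corpora) have far more entries.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
}

# Substitutions that cracking rule sets undo automatically: to an attacker
# "P@ssw0rd" is just "password", so the policy must treat it the same way.
# Simplified mapping; real rule sets are much larger.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value for this example


def normalize(password: str) -> str:
    """Collapse common mangling: lower-case, drop trailing digits/punctuation
    ("Password123!" -> "password"), then undo leet ("p@ssw0rd" -> "password")."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the raw lower-cased value and the normalized form so that
    # "123456" (normalizes to "") and "P@ssw0rd" are both caught.
    candidates = {password.lower(), normalize(password)}
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a common/breached password (after normalization)")
    if len(set(password)) <= 2:  # "aaaaaaaaaaaa", "121212121212"
        problems.append("uses only one or two distinct characters")
    return problems


# Constructed mini word list; a real generator uses thousands of words.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet",
         "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nectar",
         "orchid", "pebble", "quartz", "ripple", "saffron", "timber", "umber",
         "velvet", "willow", "yarrow"]


def generate_passphrase(words: int = 5, wordlist: list[str] = WORDS) -> str:
    """Random passphrase drawn with the CSPRNG in `secrets`; call it once per
    site so a breach of one site's database unlocks nothing else."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Bits of entropy for `words` words chosen uniformly from `list_size`."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd", "Password123!", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print("example passphrase:", generate_passphrase())
    print("5 words from a 7776-word list:",
          round(passphrase_entropy_bits(5, 7776), 1), "bits")
```

The normalization step is the part people skip: a complexity rule that demands a capital, a digit and a symbol is satisfied by "Password123!", but every cracking wordlist already contains it. Checking length plus a breached-password list does more than any symbol requirement. The tiny word list here gives only about 23 bits for five words; the entropy function shows why a real list (7776 words gives roughly 65 bits for five words) is needed.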
Are We Really a Target?
You may assume that you are too small for anybody to bother with, but don't make that mistake. Keeper Security and the Ponemon Institute reported in 2017 that "More than 50% of SMBs experienced a ransomware attack in the past year." Because hackers can attack many systems at once with little effort, the cost of an attack is low compared to the payoff from finding one user who opens the door.
What Can We Do?
Great question. First, commit to the idea and get started. Even once-a-year training with a quick quarterly refresher helps. Tools can help here too, but engaging an IT services company to provide the training is a great start, as they see the latest issues and attack methods. Keystone maintains relationships with our clients and users, sees the attacks (many of which the user is never even aware of), and knows the systems and how likely the users are to click the wrong thing. This allows real, personalized training, and that reduces risk significantly.
Call us today to see how we can train your users in IT Security!