What’s the biggest risk to an organization’s information security? Hint: it has little to do with the technology. Rather, it is the action—or inaction—of their employees.
Human error has become a major weak point today; one that is easily exploited by cyber criminals. In fact, almost 90 percent of cyber attacks are caused by human error or behavior. Therefore, it’s vital that businesses have some form of cyber security training in place to educate employees on the importance of protecting sensitive information and what malicious threats to look out for.
As an IT services provider committed to protecting your clients and their business, the task of security education and training falls into your hands. Keep reading to discover which essential elements you should cover when providing security awareness training.
Generally, a solid security awareness training program should cover the following topics:
- Phishing and Social Engineering
- Access, Passwords and Connection
- Device Security
- Physical Security
Let’s dive into how you can best educate clients and end-users on each of these topics.
Phishing and Social Engineering
Social engineering is typically defined as an attack that’s based on deceiving users or administrators into divulging information. Phishing, an attempt to acquire sensitive information (passwords, usernames, payment details) from an individual through email, chat, or other means, is a common type of social engineering attack.
The reason phishing and other social engineering attacks are so successful is because they’re disguised to look like they come from credible, trustworthy sources—forcing a sense of falsified trust. But, there are some tell-tale signs to help spot a phishing attempt, such as typos and misspellings, links containing a string of random numbers and letters, the email relying on a sense of urgency, or feeling like something if off about the information they’re requesting.
Pro Tip: Tell end-users to look out for these seven red flags!
How to Avoid Phishing and Social Engineering Attacks
What should your clients do if they think they’ve come across a phishing scam? Here are some best practices:
- Don’t click! Users should never click on a link, attachment, or reply with the requested information if they feel like something is not quite right.
- Inform the IT team or MSP. If it’s a legitimate scam, informing the right people and passing along that knowledge may help prevent it from spreading company-wide. Encourage your clients to forward the email to you to investigate, or turn to you for next steps.
Access, Passwords and Connection
Use this time to go over the different aspects of the network; from access privileges and passwords, to the network connection itself.
Your clients should be able to distinguish general users from privileged users, those who have elevated rights or access above that of a general user. Generally, privileged access is given to users who need to perform administrative-level functions or access sensitive data. Every employee should know which level of access they have—meaning which information, applications or functions they can and cannot perform and have access to.
On a similar note, employees should be thinking about the passwords they’re using to access the IT environment; keeping in mind length, complexity and whether or not they’re sharing those passwords or using them for multiple apps. There are a few best practices around strong passwords, including the length being at least eight characters, containing letters and special characters, and staying away from obvious information such as names and birthdays. Additionally, it’s wise to think about changing and/or updating their passwords every six months or so.
What’s sometimes least obvious to employees is that they should also be wary of the network connections they’re using outside of their home or work. Although the data on their device may be encrypted, it’s not necessary that the connected network transfers that data in an encrypted format—opening all sorts of vulnerabilities. What’s more, there’s always risk of the public network being tapped, which puts the data being exchanged over that network at risk. You should encourage end-users to only use trusted network connections or secure the connection using appropriate VPN settings.
In the era of Bring Your Own Device (BYOD), more and more mobile devices are entering the workplace, connecting the corporate network and accessing company data. However, this creates even more entry points for threats to come through. Therefore, it’s important for employees to ensure their mobile devices are securely connected to the corporate network and always in their possession.
The same threats that lurk over desktops and laptops are applicable to mobile devices. Arguably, tablets and smartphones could be seen as less secure because they lack pre-installed endpoint protection. Users should always be mindful of which websites they’re visiting, which apps they’re installing and which links they’re clicking on.
Cyber threats aren’t the only ones employees need to look out for. Physical security also plays a role in keeping sensitive information protected. Leaving a mobile device or computer unattended is a common mistake most end users end up committing unintentionally. If someone were to swipe an employee’s phone or log into their computer, all of the data and information that’s accessible via that device is put at immediate risk.
Below are a few best practices to help your clients increase their physical security in and out of the office:
- Lock your device before you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press Control + Shift + Eject (or the Power key) at the same time.
- Store documents in a locked cabinet. Employees should avoid having sensitive information floating around on their desk. At the end of the day, or before they leave their desk unattended, it’s always a good idea to stow company documents and the like into a lockable safe or cabinet.
- Properly discard information. When it comes time to get rid of those documents or files, be sure to properly shred and discard them.
Want more advanced cybersecurity awareness training? Experience Continuum Certify, a powerful new cybersecurity certification program for MSPs, at Navigate 2019 North America! Register here to save your spot for Certify.
By Lily Teplow
By Brian Downey
By Dave LeClair