Your company could have the best-in-breed technology, and a large team of well-resourced security professionals, and still end up as a target for a security breach due to human error. Perhaps an employee accidentally clicked on an attachment they thought came from their boss, or another employee handed over their login, mistakenly believing that they were getting tech support.
Ongoing vigilance, training and retraining are the only answer to the risk of human error. Thankfully, with the right approach, it isn’t hard to keep your people on top of security best practices. Combine that with the right IT strategy and policies, and you can greatly reduce the risk of breaches.
1. Protect your data
Most people understand that they shouldn’t take a photo of their credit card and share it on social media. However, those same people often won’t think twice about sharing a screenshot or video presentation with a third party outside of your organisation. If that media has information that was not intended to be shared publicly, there is a real risk of data leaks.
Your organisation should have a firm policy on how data is held and shared, and every employee should be trained on what information should and should not be shared with third parties.
2. Use strong password protection and authentication
The most common password is still “123456.” “Password” itself comes in at #4. While many employees are well and truly aware that they shouldn’t use simple passwords for their online banking, they fall into this trap when creating their work passwords. The perceived risk is less when it’s not their personal information at stake.
The only way to promote a healthy approach to security is to enforce, via policy, strong passwords with regular mandatory password changes. Enterprise-class password manager solutions are available that take the pressure off employees trying to remember these complex entries, with the added benefit of keeping passwords safely stored in the manager instead of on a sticky note at their desk, where they further undermine your security. It’s also recommended that your business create an automated solution for revoking access to accounts once an employee leaves the company. One of the most vulnerable areas for companies is former employees who can still access their accounts long after exiting the company.
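The revocation point above, as an added example that is not part of the original article: a small Python check that reconciles an HR leavers list against a directory export and flags accounts that are still enabled after their owner has left, with logins after the leave date reported as the highest-priority finding. The roster, account names and dates are constructed sample data, not real people or systems.

```python
from datetime import date, datetime

# Constructed sample data (not real accounts or people).
# HR roster: employee -> leave date, or None if still employed.
HR_ROSTER = {
    "alice": None,
    "bob": date(2023, 3, 31),
    "carol": date(2023, 6, 15),
}

# Directory export: account -> (enabled flag, last successful login).
ACCOUNTS = {
    "alice": (True, datetime(2023, 7, 1, 9, 5)),
    "bob": (True, datetime(2023, 4, 12, 22, 40)),     # left 31 Mar, still logging in
    "carol": (False, datetime(2023, 6, 14, 16, 0)),   # disabled on time
    "svc-report": (True, datetime(2023, 7, 2, 3, 0)), # no HR owner at all
}


def find_orphaned_accounts(roster, accounts, as_of):
    """Return (account, finding) pairs for accounts that should not be active.

    Findings, in descending priority:
      post-departure-login     owner left and the account has logged in since
      enabled-after-departure  owner left, account still enabled, no login seen since
      no-hr-owner              enabled account with no matching HR record
    Disabled accounts and current employees produce no finding.
    """
    findings = []
    for name, (enabled, last_login) in accounts.items():
        if not enabled:
            continue
        if name not in roster:
            findings.append((name, "no-hr-owner"))
            continue
        left = roster[name]
        if left is None or left > as_of:
            continue  # still employed, or leave date not yet reached
        if last_login is not None and last_login.date() > left:
            findings.append((name, "post-departure-login"))
        else:
            findings.append((name, "enabled-after-departure"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in find_orphaned_accounts(HR_ROSTER, ACCOUNTS, date(2023, 7, 3)):
        print(f"{account}: {finding}")
```

Running this nightly against the real HR feed and directory, and opening a ticket for each finding, is the kind of automated revocation check the text recommends.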
3. Use a secure network
Your employees are probably spending at least some time working from home now. The problem is that home Internet technologies, such as modems or routers, do not generally meet enterprise-grade security standards. Your employees will often connect to external networks to do their work from public Wi-Fi hotspots, which are entirely insecure.
The best solution here is to mandate the use of a VPN for connecting to the company network via an encrypted, secure connection.
4. Beware of phishing
Your employees should be trained to recognise a suspicious email (especially one that has an attachment). Increasingly, hackers aim to disguise phishing attempts as emails that come from executives, or other important figures within the organisation. Be sure to set up a process whereby any phishing communication can be easily reported, or a suspicious email queried before being opened. It may also be prudent to create a warning system so that company-wide notifications of phishing emails can be sent out.
5. Have strong endpoint protection
The better examples of modern endpoint protection are those that are AI-enhanced. New cyber threats are released onto the Internet every hour, and anti-virus software that hasn’t been periodically updated can be ineffective against the most current threats.
An AI-enhanced anti-virus program can learn to detect suspicious applications and data in real time. Considering advanced software solutions such as this can help your business proactively quarantine your employees’ computers from such threats.
6. Have policies on the use of software
The use of non-authorised software should be forbidden. This will cause your IT team some headaches if the company also has a BYOD policy. Unfortunately, you cannot mandate how an employee chooses to use their own devices outside of work for personal purposes.
It may be helpful to explore technologies available that allow you to partition off parts of a computer, so that your employees can switch seamlessly between work and private use of the computer without exposing your broader IT network to unauthorised software.
7. Backup all files
It’s incredibly important for your employees to prepare for the likely eventuality that a breach happens. No matter how secure your IT environment is, preparing for the worst is part of security best practice. A data breach will generally involve lost files and a compromised environment that needs to be restored from backups.
Organising a two-tier backup system is recommended. The first “stage” of backups will be stored on the cloud or on hard drives, for quick access. However, that storage itself can be compromised, and that’s where tape archiving comes in. Restoring an IT environment from tape is a lengthy process (which is why it’s the last resort); but because tapes are stored offline and apart from the rest of the compute environment, they won’t be compromised, no matter how deep a hacker penetrates.
8. Routinely test the security environment
Finally, it’s important that you actually check the defences of your IT environment regularly. Penetration testing is a simulated cyber attack that an ethical security firm will direct at your network. It’s a service that has been specifically designed to root out and highlight vulnerabilities across your systems.
The most important thing to remember is that the biggest threat to security is complacency. If employees are allowed to get lazy with their behaviour online, then your network is exposed to the biggest risk. The only solution to this risk is ongoing training and the proactive monitoring of the environment to identify risky behaviours before they become the cause of a cyber attack.
For more information on the impact of human error on security, and to investigate how you could work with a third party to minimise risk within your business, contact Nexon today.