It was early 2020 when, after a 6.4 earthquake, Puerto Rico’s Industrial Development Company Director Ruben Rivera received an email requesting a change to one of the government’s bank accounts.
He had recognized the email as coming from another employee of the national Employment Retirement System. Furthermore, Rivera had done these transactions before and didn’t question it.
He inadvertently transferred $2.6 million to a hacker’s fake bank account. The FBI froze the pension funds accounts, but it was too late. The damage had been done.
Employees Hold The Keys
An organization’s cybersecurity is in the hands of its employees.
Untrained and unaware employees can bring down an organization’s network, lose or destroy data, or cause the organization to be a victim of intellectual property (IP) or personally identifiable information (PII) theft.
Ninety-five percent of breaches result from human error, and eighty-nine percent of malware infections arrive by email (eSecurityPlanet), again through user error or carelessness.
Education should be the linchpin between an organization’s processes and policies, and employees should be aware of their responsibilities and accountability to the organization and the law.
Threat prevention and security software could be useless without it. An organization could also be legally responsible for an employee who, through error, carelessness, or intentional means, violates the law.
What’s more, a breach can damage a company’s reputation.
Users should be made aware of an organization’s cybersecurity policies, the threats an organization faces, how to be suspicious of phishing emails, how to notify security of a breach or incident, and other areas of security where compliance training is necessary.
Recognizing social engineering (being wary of emails and phone calls that try to exploit an organization’s vulnerabilities) should be an emphasis.
Incident response plans and drills are critical and should be done before breaches occur, not during them.
At regular intervals—monthly, quarterly, or yearly—an organization should cover the following areas for both remote and in-house employees:
Security Issues in Day-to-day Processes
– Train employees in the best practices for passwords, e.g., to never write down passwords in their work areas.
– Train employees on avoiding malware and viruses and how to safely browse the web.
– Teach employees to check that HTTPS is active in their browser for the sites they use and how to judge whether a site is genuine.
Show them what a “typo squatted” site is, i.e., a site address one or two letters off from the true site name that a potentially malicious user has set up.
– If applicable, instruct employees to install only approved software and not use file sharing sites, especially for free games and software.
– Train employees in a clear screen and desk policy. Users should log off and use a password-protected screensaver when their computer is unattended.
– Teach employees to report USB drives they receive and not to plug them into their computers.
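As an added example (not code from the original article), the check below applies the article’s definition of a typo-squatted site, an address one or two letters off from the true name, to a URL against an approved-domain list; the approved list and sample URLs are constructed for illustration.

```python
"""Lookalike ("typo-squatted") domain check.

Flags a hostname that is one or two single-character edits away from an
approved domain. Approved list and URLs below are constructed examples.
"""
from urllib.parse import urlparse

# Constructed allow-list of domains an organization's staff actually use.
APPROVED_DOMAINS = ["example.com", "payroll-portal.example", "bankexample.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased hostname with scheme, port, path and a leading 'www.' removed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_url(url: str, approved=APPROVED_DOMAINS, max_edits: int = 2):
    """Classify a URL's host as approved, a lookalike of an approved domain, or unknown."""
    host = hostname_of(url)
    # An exact match or a subdomain of an approved domain is fine.
    for good in approved:
        if host == good or host.endswith("." + good):
            return ("approved", host)
    # Otherwise find the nearest approved domain; within max_edits it is a lookalike.
    nearest = min(approved, key=lambda good: edit_distance(host, good))
    if edit_distance(host, nearest) <= max_edits:
        return ("lookalike", host, nearest)
    return ("unknown", host)
```

Run the same check over the sender domains of incoming mail and it flags the lookalike addresses that awareness training tells employees to watch for.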
Security Issues for Data
– Train whoever owns organizational or confidential data on where it is located and how it should be treated in use, at rest, and in transit.
If applicable, the organization should prohibit employees from accessing sensitive data remotely. This data should only be available with authorization.
Employees should never send unencrypted sensitive data over email.
– Employees should lock up sensitive physical documents when not in use.
Security Issues for Devices and Travel
– Train employees to never leave devices alone or turn their backs on them in public. During travel, their devices should be with them or in a hotel safe.
– Train employees in how to use devices under a “bring your own device” (BYOD) or “choose your own device” (CYOD) policy.
Employees should not use personal devices for work, and no friends or family members should use an employee’s work devices.
– Instruct employees never to use public WiFi, but if they have to, they should use a VPN to encrypt their traffic and keep their data safe.
Alternatively, organizations may want to instruct employees to use cell networks and not WiFi. An attacker on a public WiFi network can observe everything a user does, can capture passwords and data, and could leave malware on their device.
The next time they are on a company network, their computer could spread malware to the network.
Security Issues for Working Remotely
– Instruct employees on securing their home network when working remotely from home. Home networks can spread viruses and malware into company networks connected to them.
– Instruct employees on creating a guest network at home for friends, family, and visitors. Instruct employees not to log in to organizational networks remotely without authorization.
Security for Social Media
– Train employees on how to use social media correctly, e.g., they should not use social media during work hours or with work devices and should not share company information on social media.
Social media should only be used for friends and family.
Security Issues with Hiring and Training
– Train human resources and talent interviewers to properly vet applicants, perform background checks, and train new employees as they enter the organization.
– Instruct employees on how to adhere to organizational security policies and to report potential security issues when they see them.
Conclusion: Make It A Team Effort
The internet is an open ecosystem, so keeping watch over an organization’s users and network is better than denying all users access to data and services.
Employees who interact with your data and network should be an active part of keeping watch. Hackers and scammers look for the weakest link among an organization’s employees.
An organization’s ultimate goal should be to get all employees trained to the level where they become advocates for its security.
***
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.