While investing in cybersecurity solutions like firewalls, backup, and monitoring is essential to protecting your data from being compromised, focusing solely on technology is only half the battle. The greatest vulnerability will always be the employee. In order to protect your data, you need to give your employees the training to protect themselves. After all, when it comes to network security, your team is your critical asset. Here are four security lessons your team needs to know.
1) Personal Mobile Devices Can be a Security Risk Without Proper Precautions
An individual employee holds enough knowledge and has enough access to be a very valuable target to a cybercriminal. For example, a good employee probably has access to company data and email on their personal smartphone.
A lost or stolen smartphone can lead to your company and/or customer data getting into the wrong hands. Connecting to an insecure public Wi-Fi network without a VPN can lead to transmitted data being stolen. If the employee is lax when it comes to their own personal security, it opens up your business to more risk.
That doesn’t mean you need to ban personal devices, but you do need to establish policies that require those devices to meet your security standards before they can be used to access company data. This is typically called a Bring Your Own Device (BYOD) policy, and some of these policies can be pushed automatically to employee phones before the phones are authorized to access company email and other tools.
A solid BYOD strategy takes into consideration that the mobile device is owned and controlled by the employee, but the company is still responsible for protecting sensitive business data. Properly established policies can prevent the mixing of business and personal data.
One of your training objectives should be to help your employees understand how their mobile devices can affect the security of the network, and why those devices may be a cause for concern. For example, many devices don’t enforce security best practices “out of the box” and, in fact, some can’t conform to best practices by design. Some reasons why smartphones and tablets can be insecure are:
- Manufacturers often stop updating the firmware for older devices, rendering them obsolete while they remain in use. When an unpatched device connects to your network, it creates a weakness that an attacker can take advantage of.
- Downloaded apps can contain malware which can be used to compromise your network. Since many of these apps may not be blacklisted, your security protocols aren’t able to block them.
- Poor password management increases the possibility of a device being hacked. Most IoT devices share common default credentials, which give hackers an easy way to gain control of the devices, as many people never change their default settings.
Again, your business should already have a BYOD policy in place so that there is a plan to address devices in the workplace. A BYOD policy details how outside devices are treated when they are brought into the office and connect to the network. For it to be effective, your team needs to understand how their own devices operate and convey this information to your IT department. Your IT team will then develop best practices for them, including whether or not the devices should be allowed access to the network at all.
2) Learn to Recognize Social Engineering and Phishing Attacks
Most Maryland businesses understand the impact on their reputation, as well as the financial penalties, that can result from a data breach. Yet, despite all of the resources invested in security technology, most security breaches happen because of user error.
Social engineering (phishing) emails are the most commonly used tool to attack your team, and unfortunately they have a proven track record of success. To make matters worse, a team member doesn’t necessarily have to click on a link or download a file to expose your network. For some phishing attempts, all it takes is opening the email or visiting the website.
Your team can’t defend themselves from a phishing attack if they don’t know what to look for, and if they can’t defend themselves, they can’t defend your network. Make no mistake: phishing emails can be incredibly sophisticated, and it is easy for the untrained eye to be fooled by them. Take a moment to train your team how to spot three forms of phishing attacks.
3) Train and Enforce Strong Password Habits
Weak passwords and bad password habits are the root cause of some of the most infamous data breaches. It’s critical that passwords aren’t used across multiple sites, and that passwords are complex.
Establishing secure password policies on your network is a good start, but nothing stops the user from using their network password on their Netflix account. If Netflix gets compromised, then that password is out in the open.
Unfortunately, there is no easy way to enforce this other than training and stressing its importance. Education is critical here.
4) Let IT Handle IT
If an employee needs to accomplish a task that they don’t have a solution for, they might try to figure it out on their own. For example, if a salesperson needs the ability to access their proposals, quote templates, and slide decks while on the road, they might just upload them to a personal Dropbox account to get the job done.
Your business doesn’t control or protect this Dropbox account. Suddenly, you have lost technical and security accountability to this salesperson. They had nothing but good intentions, but they put the business at risk because they didn’t have the solution they needed.
This is called Shadow IT, and it can quickly put your data at risk or cause you to break regulatory compliance requirements. If every employee is solving their own problems with makeshift solutions not designed for your business, not only do you lose control, but you can quickly fall into chaos when it comes time to re-centralize and clean up the mess.
Security Awareness is Key to Network Security
The best recipe for protecting your data requires your team to understand network security including the variety of methods used to compromise your network. Whether it’s viruses, obsolete hardware and software, or just human error, the best method to secure your network and data is to have a knowledgeable team.
Your team is your greatest and most critical asset, but only if you give them the knowledge they need to support your business. At Dresner Group, we understand that many businesses may not have the expertise needed to train their team. If you’re not sure whether you have the tools necessary to ensure your team is ready to defend your network, take advantage of our security awareness training service.
For more information about our network security solutions, call us today at (410) 531-6727.