What Your Employees Should Know About Security?

1) Sending sensitive data to the wrong destination.

A 2008 AOL study found that 32% of people admitted to sending emails to the wrong person, in a more recent study it was found that number had climbed to 78%. This is a real problem and can create real issues with your customers and vendors.

Six Tips to Preventing Email mistakes by the Creative Group.

a. Give your undivided attention, avoid multitasking when drafting or responding to important messages.
b. Save the distribution list for last, when writing a confidential message wait until it is complete before selecting the recipients.
c. Take care with those you copy, think twice before you hit reply all and copy only those people who need to be part of the conversation.
d. Review it on a big screen, emailing on smart phones and small devices can increase the likely hood for mistakes and change the intent of the message.
e. Check Attachments, confirm any attachments by opening them again prior to sending them.
f. Keep it professional, keep in mind electronic messages are easily forwarded, and copied and company email can be monitored.

2) Clicking on unknown links or funny pictures.

There are real risks when it comes to links and pictures whether it is on websites or email. Nowadays websites and email systems use the same basic code so there is very little you can do on a website that couldn’t be done in an email at the same time. This would include links, active pages, HTML coding, and background tasks. A couple of the most common email risks come with Phishing, which is when you receive an email that takes to you a fake website. Once on the site you are asked to enter sensitive data about yourself or an account. The most common phishing trick sites are sites that look like they are your bank, or the IRS, or somewhere that you may commonly do business. Malware and viruses, which would include Ransomware, can come in the form of a picture, a link, or some other executable type file. In some cases today, they may not execute with the primary file but be a sub file to the file you downloaded that executes independently of the first file.

How would you know what links to click on and which ones not to? If you just ordered something online, you should be expecting to get a confirmation email and shipping information. Take the time to look at it first and make sure that it is what you were expecting. Another one could be that you just signed up for an online account, you should be expecting to get an confirmation email from them, however they should not be asking you to verify the information you should already know and have already entered that into the registration form.

What should you avoid? An unexpected email from your bank asking you to log in and verify your information or account. Unless you initiated that activity it would be recommended to assume the unexpected email is a fake and you should delete it. An unexpected email from a friend asking a question that would not typically be in character for them or if they are asking you to verify personal information that a friend should already know.

If you need to verify the person sending you the email is real or not, or if the link is real or not, there are a couple of things you can do to verify. In the example of the bank, do not click on the link, open your own browser and manually type in the link that you know and log in, if you have a message from your bank it will be there, if not then the email with the link is a fake. In the example of your friend, it is easy to text them and verify that they sent you something, or you can open a browser and manually type in the link and verify the spelling as you type, creative spelling or misspelled words in a link are a key indication that the link is fake and will take you somewhere you don’t want to go.

3) Copying data to flash drives, lost or stolen mobile devices, and use of personal equipment for business.

Flash drives and USB drives have gotten so popular that a British dry cleaner reported finding more than 9,000 of them that had been left in coat pockets and pant pockets in a single year. In a separate survey Credant Technologies found that more than 12,000 of them were left in taxi cabs in a single year. USB and Flash drives have become so popular they are the target for specific worm viruses and malware that will use them as a transport method between systems.

Some basic steps to protecting USB and Flash drives according to Symantec are:

a) Protect your data, don’t copy personal information such as social security numbers, credit card information, bank account information or other personal data to a USB flash drive.
b) Use encryption, if you must put confidential or personal information on a flash drive make sure that it is encrypted first.
c) Use secure devices, some of the newer flash drives have features such as finger print authentication, and some have built in encryption features or use some form of two factor authentication.
d) Pick a storage spot, since these are small devices make sure to designate a spot in your desk, counter, brief case that you store these devices so you can find them and they are kept secure.
e) Keep home and office separate, never use the same device to store both business and personal information lose one device you but both at risk.

Cell phone thefts are on the rise and will continue for the near future. In most cases, cell phone thieves are not after the data but after the actual phone. However, there has been a significant rise in identity theft due to stolen smart phones and the data contained on them. According to a Business Insider report 44% of smart phone thefts were due to the owner leaving them in a public place, 14% were taken from a house or a car, and 11% were due to pickpockets or street theft.

Some easy Smart Phone protections according to Ctia Everything Wireless.

a) Be aware, know your surroundings and how you are using your smart phone, do not carry it in your back pocket or loose fitting clothes.
b) Lock it, set a strong password on your smart phone and change it often.
c) Add Apps, there are apps that can track, lock, and erase personal information on your smart phone.
d) Save it, like your computer you should be backing up your smart phone and saving your pictures to a secondary media source.
e) Insure it, just makes financially getting a replacement a little easier to swallow.

Using personal devices for business or what some people call BYOD “bring your own device” to the workplace. In some cases the development of a good BYOD policy can have some benefits such as improved moral in the form that employees like to select their own device type and manufacture. There are also many challenges that come with BYOD such as ensuring that work data will not be mixed with personal data, verifying that non-employees or family members will not use the device, and determining what happens if an employee is terminated or loses the device. These are all things that must be determined prior to initiating a BYOD policy, along with very tight written policies around confidentiality, intellectual right ownership, and data destruction.

According to Computer Weekly the ICO guidance recommends for BYOD companies the following steps:

a) Determine which type of company data can be processed on personal devices.
b) How you are going to secure access and encryption of company data
c) How the corporate data should be stored on personal devices
d) How and when corporate data should be deleted from personal devices
e) How the data should be transferred from the personal devices to the company servers.

4) System misconfigurations, poor patch management, use of default usernames and passwords.

We all would like to think that hacking has simply evolved into a highly sophisticated process that is always keeping technologists on their toes. However, that is not the case and according to the Gartner Group they are suggesting that 99% of firewall breaches through 2020 are going to be due to human error and misconfiguration.

How could this be? Configuration of a firewall can be a very difficult and time consuming process, and the difference between being properly configured and misconfigured could be as simple as a missed period, or misspelling simple mistakes that open thing up to the outside world. In 2015 it was a misconfigured router that grounded 90 United Airlines flights for more than 2 hours. An AlgoSec State of Automation survey found that 20% of organizations had a security breach, 48% had an application outage, and 42% had a network outage due to errors in a manual security related processes.

According to Info Security there are some steps you can take to minimize the human error factor during security change processes:

a) A request for a change is made, one of the biggest complaints is that it takes too long to make a requested change. This is one area where taking your time is well worth it, make sure that you understand the change, make sure that you understand the risks prior to implementation.
b) Planning for the change, make sure that your team has a full understanding of your infrastructure, making a change in one area may open up holes in another.
c) Understand the risks, make sure that all potentially exposed areas are reviewed, what may seem like a simple change could affect applications, open up inward and outward traffic, or expose other parts of the network.
d) Making the change, make sure that someone who knows the firewall rules and configurations makes the changes, should it be added to the existing rule or should it be its own rule or abandon all together.
e) The change is validated, make sure that you test your change and the rules in totality, again the difference between properly configured and misconfigured could be very small.
f) Documentation, make sure that the change was clearly and completely documented.

5) Poor security policies written and automated.

Having strong written policies are key to the overall success of any security initiative and awareness training. If you do not have policies, what are you going to train on and enforce? In addition, without strong policies, you open your company up to interpretation of existing policies. Worse yet, without a policy a legal argument could be made that if you do not say we cannot do it, then we can - but then legally where does the liability for misdeeds done lay?

What are some of the things you should cover in your security awareness training policy?

a) Acceptable use policy for electronic communications
b) Confidential data policy
c) Email policy
d) Mobile device policy
e) Incident response policy
f) Network security policy
g) Password policy
h) Physical security policy
i) Wireless Network and Guest Access Policy

The power of social engineering is staggering and the risk and exposure to your corporate systems is extremely high. In a study performed by Carnegie Mellon University they found that people were willing for as little as $1 be convinced to download and install a program on their computers. The research showed that for the promise of payment of $1 that 67% of people were willing to download the program and 63% were willing to actually run the program. Security attacks are increasingly dependent on human interaction in order to achieve their goals, so accounting for the human factor within your security strategy and awareness is becoming even more critical in today’s corporate environment.

Traditional security processes and tests typically ignore the human factor all together because it is difficult to incorporate the human factor into a tool that is measuring conditions, assessment models, and legal strategies. The newer models are starting to understand that we have a human target that has to be accounted for so security planning must include more than IT, it must include Human Resources, Legal and Communication departments, and Upper Management whom all have to understand and commit to a new security model.

Where does the social engineering process start? Ernest Hemingway said it best, “When people talk, listen completely. Most people never listen”. People that are into initiating online conversations and phishing are great listeners and these conversations may come through common accepted media like Facebook, LinkedIn, Twitter, and other social media websites. It is widely understood but rarely protected that information is the most valuable commodity today, but we have become a society that wants to share and that is putting our companies and us at risk. People that have become experts in social engineering typically have skills in the area of psychology, a wide understanding of human emotion, IT skills, they are good at reading body language, and reading people response to verbal and written communications.

What are the actual risks associated with social engineering? A study by CFRIEL “Social Driven Vulnerability” which included multiple organizations with more than 12,000 employees combined using a Social Driven Vulnerability Assessment tried to gain insight into the actual level of risk they were exposed to through social engineering. The tests contained several simple common tasks such as phishing and links to condition the tests. In the phishing tests more than 34% actually followed the link, and 21% actually entered company credentials into the fake site. The scary thing is that by simply adding certain logos, and changing the wording these numbers quickly went above the 50% mark and continued to rise and the phishing attempt was socially engineered.

How do you mitigate the risks for social engineering? This is very difficult because we do not all fit into the same education level, we are all at risk to manipulation, we are all human and make human mistakes. The research still suggests that on top of the technological countermeasures that we put in place the best way to combat social engineering is through awareness and training for all employees. This awareness training has shown to improve moral and institute a culture of employees being security minded and security aware and not to be afraid of confrontation and challenging things that just don’t seem right.

It is understood it’s important, we have talked about a lot of things throughout this article, but what is the next step how do we get to the point where we have an effective Security Awareness Training Program? First, I think it is important to understand that if you think you can put this together internally, or without senior management commitment to its success through implementation and enforcement of the objectives and results, then you are already undertaking a difficult and perhaps, an impossible road. Security Awareness starts at the top this is where the success or failure is going to lie. The senior management is going to have to support the initiatives through both policy and enforcement of that policy, through budget allocation for security measures and countermeasures, which could be in the form of software, hardware, or both.

Some of the key components of a Security Awareness Training Program are:

1) Company Security Awareness: This is the formation of the security awareness team, not all organizations operate the same and the level of tolerance for security is going to vary from company to company so, it is important that you develop your own internal team that becomes the champions for the rest of the company. This team would establish corporate wide security metrics, determine appropriate training content, and interface throughout the company on security initiatives.

2) Security Awareness Content: Due to the difference in management processes, corporate goals and objectives determining the Security Awareness Content is critical to the overall training processes.

3) Security Awareness Training Checklist: Checklists are critical in assisting employees and companies through the awareness processes. The ongoing development of content, information dissemination processes, and employee participation process can easily be managed through a checklist process.

4) Identification of Threats, Vulnerabilities, and Countermeasures

5) Mobile Device Security

6) Continued Education Programs

Security awareness is the key component to combat security threats of all kinds whether is it data protection, viruses, malware, external and internal hacking, ransomware, and the emerging threats through the increase in mobile technologies. Protecting yourself and your business has to be an ongoing process and something that gets culturally engrained in your organization. It takes effort, time, commitment, and it has to be a budget item to ensure that you are funding the cause to countermeasure new threats as they emerge. If you think it won’t happen to you, you are wrong, statistically speaking it already has, you may just not know it, and you may have gotten off easy. The threats are getting smarter, harder to detect, and they are doing more damage than ever before.