One of the most critical items on the to-do list of any IT Head is the continuous monitoring of the cyber security of their installation. The effects of a security breach can be damaging to a business, and in the worst case fatal to its survival.
The work is made more difficult by an ongoing competition between the white hat and black hat hackers. Software developers, as the white hats, include security measures in their applications, and network managers include security detection and prevention measures, including anti-malware in their network configurations. But, the black hats try to find ways to circumvent them.
Cyber Security is a multi-billion dollar industry. The costs of developing cyber security measures inflate software and hardware prices. Security conferences and conventions are regular events. Software suppliers use the security features in their offerings as a major selling point. Discussions on security matters are a significant element of social and Internet media.
The FBI has a keen interest in cyber-security because of the unlawful activities that follow a security breach. The theft of financial data leads to theft and extortion. Intellectual property theft potentially leads to threats to national security.
A study they carried out recently asks the question “Just how effective are cyber security measures?” The answer is that they are essential, but most organisations are missing the point by a country mile. They estimate that the majority of cyber security exploits originate between the keyboard and the back of the office chair, and that most organisations do not have adequate protection, including user training and education.
They contend that most organisations look on cyber security as an IT issue, and that is wrong. Cyber security is not confined to IT but is an organisation-wide matter. For instance, HR needs to have cybersecurity elements in their engagement and termination policies.
Because most security breaches start with users, user education is of paramount importance.
Why Do Users Need Training?
Hackers target users in several ways because they are the weakest link in the chain:
Phishing and Spear Phishing
The most common entry point is a phishing email. A user receives an email looking like it came from a colleague or a trusted source like a friend or financial institution.
The email invites the user to click on a link that leads to a malicious website. Through that website the hacker harvests user credentials and other information, which is either sold on or used later to steal financial data or intellectual property.
Hackers usually hijack proxy mail servers to send out phishing emails in their tens or hundreds of thousands.
Spear Phishing is similar, but emails are sent only to targeted individuals.
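The two tell-tales described above, a sender who only looks like a trusted source and a link whose visible text points somewhere other than its real destination, can be checked mechanically before a message ever reaches a user. The following script is an added example, not code from the original article: it parses a constructed sample email (not a real phishing message), flags a From: display name that invokes a trusted brand while the address belongs to another domain, and flags anchors whose visible URL names a different domain than the href. The TRUSTED_DOMAINS set and the last-two-labels domain heuristic are assumptions for illustration; a real deployment would use the public suffix list and the organisation's own allow-list.

```python
"""Flag phishing tell-tales in an email: sender display-name spoofing and
link-text/href domain mismatches. Runs offline on an embedded sample."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only (not a real phishing email).
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@mail-secure-login.example>
To: employee@corp.example
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://secure-login.example/verify">https://www.examplebank.example/login</a>
to keep your account active.</p>
<p>Read our <a href="https://www.examplebank.example/help">help pages</a>.</p>
</body></html>
"""

# Assumption: domains the organisation treats as trusted senders.
TRUSTED_DOMAINS = {"examplebank.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels heuristic (assumption; use the public suffix list in practice)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_text_mismatch(href, text):
    """True when the visible text looks like a URL or host whose domain differs from the href's."""
    href_host = urlparse(href).hostname
    if not href_host:
        return False
    candidate = text if "://" in text else "http://" + text
    text_host = urlparse(candidate).hostname or ""
    # Plain words such as "help pages" make no claim about the destination.
    if "." not in text_host or any(c.isspace() for c in text_host):
        return False
    return registrable_domain(text_host) != registrable_domain(href_host)


def sender_mismatch(msg):
    """True when the From: display name names a trusted brand but the address domain is untrusted."""
    name, addr = email.utils.parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    squashed = name.lower().replace(" ", "")
    claims_trusted = any(d.split(".")[0] in squashed for d in TRUSTED_DOMAINS)
    return claims_trusted and registrable_domain(domain) not in TRUSTED_DOMAINS


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if sender_mismatch(msg):
        findings.append(f"sender: display name in {str(msg['From'])!r} does not match a trusted domain")
    collector = _LinkCollector()
    collector.feed(msg.get_content())
    for href, text in collector.links:
        if link_text_mismatch(href, text):
            findings.append(f"link: text {text!r} but href goes to {urlparse(href).hostname}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print(finding)
```

Run on the sample, the script reports both the spoofed sender and the mismatched verification link, while the genuine help-page link passes. The same findings are what a user is being trained to notice by eye; automating the check on the mail gateway is a complement to that training, not a replacement for it.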
In a related scenario, the hacker telephones an individual in the organisation and pretends to be from IT support. They then ask for remote control of the desktop PC to install “an urgent update”, which is in reality remote-control or keylogging software. They dial in again later, when the machine is unattended, and extract information.
Users need education against falling for these and other variants, all of which are attempts to extract user credentials or financial information.
Training and Education Fundamentals
The purpose of the training and education programme is to ensure that employees have the knowledge and skills to identify potential threats and fully understand what they must do if they suspect they have met one.
The first and the most important realisation is that information security is not just IT, but extends throughout the entire organisation. It means that all employees, from induction to exit, are potential security threats. Training and education must, therefore, start on day one as part of their induction processes.
The second realisation is that it is not just a one-off education and training exercise. Hackers evolve new attack vectors and new tricks and stunts intended to trap the unwary.
Updates and reinforcement must happen at regular intervals.
It must be carried out in a non-threatening manner, bringing home to users that vigilance is their responsibility and that a successful attack could be a disaster for the organisation.
Special attention is essential at employee take-on. The induction process must:
Provide employees with information that will help them identify potential threats;
Tell them what to do and who to contact if they identify a threat;
Make them aware of company policy about information security;
Explain the DOs and DONTs of using mobile devices;
Make them aware of exit procedures;
Let them know that IT continually monitors network usage and will proactively block any suspicious activity.
A similar procedure must be followed at their exit, whether the parting is amicable or not, and certainly if it isn’t. Its principal aim is to ensure that an employee does not take company data with them.
In between, there must be regular presentation of updates and reinforcement of the basic principles. These can be formal presentations by internal or supplier staff, internal memos, display sheets on company noticeboards, and so on.