It’s not a question of if you will suffer a cyber attack, it’s more a question of when. Experts say that the only fully secure systems are those that have not been hit yet. You may have made all the preparations, implemented malware protection software and firewall appliances, configured your network securely, and carried out cyber security training for IT staff and users, but you will still be hit.
The biggest potential for a cyber attack is not an external attack by cyber thieves or hackers, but someone inside your organisation forgetting their responsibilities and breaking your security rules. It doesn’t take long for someone to forget their cyber security training or to deliberately sidestep your cyber security practices in a crisis.
There is, of course, the potential for a deliberate internal attack, perhaps plain malice from a disgruntled employee, or an attempt to steal information. All the policies and training in the world will not stop those.
The front line in your cyber security is not your anti-malware software, firewalls and network configuration stopping external attacks, but stopping your users from making them irrelevant by bringing the malware inside your firewall and bypassing all your network security. A bit like having great security on your home, but leaving the back door unlocked.
Do users need cyber security training? Most certainly, but it’s not just training users in what to do to prevent attacks and what to do if they recognise one, it is educating users as to how and why cyber attacks occur and why cyber security practices are necessary to protect the organisation and their jobs in it.
They need to be able to recognise malware, or when their computer is under attack. They need to know why they must not bring software or media from outside the network into the network environment. They need to know what to do if they suspect something is not right.
The first step is awareness. Malware can take many forms. Users need an awareness of what malware is and the damage it can cause, even up to the point of threatening the survival of your business. In these days of ransomware attacks on small as well as large businesses, it is a potential threat that cannot be ignored. If your organisation has confidential or proprietary information, industrial espionage is another potential business-killing threat. This is particularly important for service providers hosting company information on their own equipment.
A common way for malware to find its way into an organisation is by users bringing it into the network environment. It can come in on personal smart devices, flash drives, DVDs and increasingly these days on smartphones. It can come over Bluetooth or wireless. Many users use their desktop PCs to recharge their smart devices. The phrase “It’ll be ok, I’ve got anti-virus on my machine at home” has been the gateway for many attacks.
Even if you have automatic scanning of all attached devices, and you should, some threats will be able to creep through. Many organisations prevent users from connecting personal equipment to their PCs by disabling the USB ports and DVD drives to counter this threat. Remember also to disable any Bluetooth and wireless interfaces if necessary.
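Where ports cannot simply be disabled, a lightweight control is to audit what is actually attached against a list of devices the organisation has authorised. The following is an added example, not code from the original article: it parses `lsusb`-style output (the sample lines below are constructed test data, and the allowlist is a hypothetical entry an organisation would populate from its own asset register) and reports any device that is neither a root hub nor on the allowlist.

```python
"""Audit attached USB devices against an allowlist of authorised vendor:product IDs.

Added example (not from the original article). SAMPLE_LSUSB is constructed
sample data standing in for live `lsusb` output; ALLOWLIST is a hypothetical
value an organisation would fill from its own asset register.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One `lsusb` line looks like:
# "Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade"
LSUSB_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

# Root hubs belong to the host controller; nobody plugged them in.
ROOT_HUB_VENDOR = "1d6b"


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    device: str
    vendor_id: str
    product_id: str
    description: str

    @property
    def ident(self) -> str:
        return f"{self.vendor_id}:{self.product_id}"


def parse_lsusb(output: str) -> list[UsbDevice]:
    """Turn lsusb text into UsbDevice records, skipping unrecognised lines."""
    devices: list[UsbDevice] = []
    for line in output.splitlines():
        m = LSUSB_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than abort the audit
        bus, dev, vid, pid, desc = m.groups()
        devices.append(UsbDevice(bus, dev, vid.lower(), pid.lower(), desc.strip()))
    return devices


def unauthorised_devices(devices: list[UsbDevice], allowlist: list[str]) -> list[UsbDevice]:
    """Return every attached device that is not a root hub and not allowlisted."""
    allowed = {entry.lower() for entry in allowlist}
    return [d for d in devices if d.vendor_id != ROOT_HUB_VENDOR and d.ident not in allowed]


# Constructed sample output: two root hubs, a keyboard, a flash drive, a phone.
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 001 Device 004: ID 18d1:4ee1 Google Inc. Nexus/Pixel Device (MTP)
"""

# Hypothetical allowlist: only the corporate keyboard model is authorised.
ALLOWLIST = ["046d:c31c"]


def audit(output: str = SAMPLE_LSUSB, allowlist: list[str] = ALLOWLIST) -> list[str]:
    """Return the vendor:product IDs of unauthorised devices found in `output`."""
    return [d.ident for d in unauthorised_devices(parse_lsusb(output), allowlist)]


if __name__ == "__main__":
    for d in unauthorised_devices(parse_lsusb(SAMPLE_LSUSB), ALLOWLIST):
        print(f"UNAUTHORISED bus {d.bus} dev {d.device}: {d.ident} {d.description}")
```

Run against real `lsusb` output by passing it to `audit()`; the flash drive and the phone in the sample are flagged while the keyboard and the root hubs are not. An audit like this complements disabling the ports rather than replacing it: it tells you what got through, it does not stop it.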
One threat that is difficult to counter is that of wireless access. Many organisations have a wireless environment that supports access from smart devices anywhere in range of the WiFi network. Some don’t allow WiFi access inside their firewall, some allow it for recognised and authorised devices only. WiFi access management should be part of your cyber defence strategy.
The bottom line is that user education and training are an essential part of your cyber defence strategy.
Users must understand why they must not copy stuff from their smart device to their desktop PC. Why they must not email pictures from their smart device to all their buddies, watch or copy bootleg copies of the latest movies on their PC, and generally not treat the workplace network as their personal source of games, music and movies. It is also good practice to prevent users installing software, and to educate them on why they must not.
It is not just a one-off exercise either. It must be part of HR’s induction programme for new employees, and it must be reinforced regularly, perhaps with refresher courses and update information. The IT function must monitor and control equipment and Internet use to prevent abuse.
Despite all the education and training, policies and practices, malware will attack your system. On the assumption, and that is perhaps a dangerous thing, that your defences are well set up to counter external attacks, the inevitable malware attack will come from an internal source. User education, training and reinforcement are an essential part of the front-line defences against malware and cyber attack.