Some of the best cybersecurity professionals were hired to help secure the company’s network. Significant funds have been spent to deploy some of the best security intelligence technology. But what is in place to protect the company from its users, potentially the weakest link in a company’s chain of security defense?
Users of a company’s network consist of employees, consultants, customers or vendors. If neglected in a company’s security program, they can increase its risk of exposure to security threats. Cybercriminals will target the weakest link to get valuable information that they can sell on the dark web. Information theft is one of the most expensive consequences of cybercrime. A company needs to build up its weakest link to help fight off security threats.
Phishing and Social Engineering
Cybercriminals use phishing and social engineering scams to trick employees and customers into giving up personal or financial information. Social engineering manipulates the user into taking an action that the cybercriminal wants them to perform. People have a desire to help other people solve their problems, making them the perfect victims of social engineering scams.
Phishing attacks are becoming more sophisticated. According to a report released by the Ponemon Institute sponsored by Hewlett Packard Enterprise, these attacks take an average of 22 days to resolve. The cost to resolve a cyber-attack will continue to increase over time.
Other Risky Behaviour
Users engage in other forms of risky behaviour besides clicking links in phishing emails. They can also:
- Access the Internet with an unsecured connection
- Lose their USB drive containing unencrypted confidential information and not notify the company
- Insert a found USB drive into their laptop or computer
- Leave their laptop unattended outside their workspace
- Fail to delete confidential information off of their laptop
- Carry sensitive company information on their laptop when traveling
- Use the same password for online accounts
- Give out their passwords
- Divulge sensitive information over the phone
Protecting the Company Against Phishing and Social Engineering Scams
The best line of defense is to educate and create awareness among the users of the company’s network infrastructure. Sensitize the users to the consequences of clicking links in phishing and social engineering emails. Complement this by educating users on the actions they can take to protect themselves and the company from falling victim to these scams.
Besides the training, users can be encouraged to use other security precautions, such as:
- Close the preview pane in email.
- Use a real-time anti-virus program.
- Do not open email attachments from strangers.
- If uncertain about an email attachment, contact the person who sent the email.
- Use strong passwords – a strong password is a combination of numbers, capital letters, lower-case letters and symbols.
- Demonstrate the consequences of clicking a link in a phishing email.
- Use only authorized software on your work laptop – if IT is unaware of what software is installed on a user’s laptop, they cannot ensure that the software is patched. This leaves the user’s laptop vulnerable to security threats.
Training sessions do not have to be in a classroom. They could be held as a monthly lunch and learn session. Education can start as soon as a user is hired. Include it as part of their orientation.
The company can also include as part of its security program:
- Limited network access – Grant users access only to the information they need to do their jobs.
- A comprehensive email security solution – Have a solution in place to monitor inbound and outbound content.
- Watch for suspicious activity – Review network activity against an established baseline to help identify attacks.
- Use a VPN – Ensure that every remote computer that connects to the company network is secure.
- Have an incident response plan – Create an incident response plan for every cyber threat. The plan should detail every step that needs to take place to resolve the incident. It should have metrics to validate its effectiveness. This is a living document and will need to be updated as security threats evolve.
Having the best technology in place will not be enough to keep cybercriminals away. It will take the consolidated effort of the users and security professionals to minimize security threats to a company.