2015 saw an uptick in common attacks, including ransomware and phishing. The most common security hole in 2015 was rogue or disgruntled employees, so companies were forced to defend against internal as well as external threats. As cyber threats change, corporations are forced to become more resilient against the changing face of security.
Understand Common Points of Entry
Before you can protect your network, you must understand common points of entry. You can have the perfect router and firewall setup, but the right phishing email or keylogger can bypass all of these protection methods.
The most common way for hackers to gain access to your network is through mobile devices, especially laptops and smartphones. Users connect laptops to open, public Wi-Fi access points and leave private data exposed to eavesdroppers. “Shoulder surfing” gives attackers sight of the laptop’s screen, which can sometimes provide them with valuable information. Social engineering also works when hackers are able to obtain credentials from traveling employees.
Malware attached to email can be sent to key management in a corporation. Just imagine your finance director or HR manager running a malicious executable on a system that holds private data such as employee Social Security information. Large amounts of data can be breached when the right employee runs malware on their system.
Understand Your Attackers
Most people think of hackers as criminals behind a screen sitting in a dark room typing away until they gain access to a system. In fact, a corporation is more likely to have a data breach from a disgruntled employee. These former staff members steal data before they leave, send information to competitors, and even cause damage to existing systems.
When you terminate an employee or they resign, disabling access should be the top priority. Some employees do damage before they leave, which makes this a difficult aspect of security. The best way to handle rogue employees is to avoid privilege creep. Privilege creep occurs when users accumulate permissions as they change positions within the company. Only grant permissions when they are needed. Employees should only have access to the systems required to perform their daily job tasks.
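As an added illustration (not from the original article), here is a small audit script over constructed HR and directory records that flags both forms of the problem described above: accounts still carrying rights from a previous role, and leavers whose accounts remain enabled. The role baselines, user names and permission names are all constructed for the example.

```python
"""Audit constructed account records for privilege creep and lingering
access after termination. Example code; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed role baselines: the permissions each role needs for daily tasks.
ROLE_BASELINE = {
    "helpdesk": {"ticketing:read", "ticketing:write", "ad:reset-password"},
    "finance": {"erp:read", "erp:post-journal", "payroll:read"},
    "hr": {"hris:read", "hris:write", "payroll:read"},
}

@dataclass
class Account:
    user: str
    role: str            # current role according to HR
    active: bool         # account is enabled in the directory
    terminated: bool     # HR records say the person has left
    permissions: set = field(default_factory=set)

def privilege_creep(acct):
    """Permissions the account holds beyond its current role's baseline."""
    return acct.permissions - ROLE_BASELINE.get(acct.role, set())

def audit(accounts):
    """Return findings: lingering access for leavers, excess rights for movers."""
    findings = []
    for a in accounts:
        if a.terminated and a.active:
            # A leaver with an enabled account is reported whole, not per right.
            findings.append((a.user, "terminated-but-active", frozenset(a.permissions)))
            continue
        excess = privilege_creep(a)
        if excess:
            findings.append((a.user, "privilege-creep", frozenset(excess)))
    return findings

# Constructed sample: bob moved from helpdesk to finance but kept helpdesk
# rights; carol has left but her account is still enabled.
SAMPLE = [
    Account("alice", "hr", True, False, {"hris:read", "hris:write", "payroll:read"}),
    Account("bob", "finance", True, False,
            {"erp:read", "erp:post-journal", "payroll:read",
             "ad:reset-password", "ticketing:write"}),
    Account("carol", "helpdesk", True, True, {"ticketing:read"}),
]

if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE):
        print(f"{user}: {kind}: {sorted(detail)}")
```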
Be Personal with Employee Security Training
Employee training is a must to avoid incidents where hackers gain access through executables attached to email or other malware sent to internal employees. You can have the best antivirus on the market, but hackers can still gain access when the right employee falls victim to a social engineering attack.
Be personal with training by educating employees in small groups or even one-on-one. A personal touch in security awareness training elicits more interest from coworkers than information delivered in a large-group presentation. Security awareness training can also ensure other employees are aware of what attacks from rogue employees look like.
You can’t protect your network 100%, but you can greatly reduce the risk that your security is breached. Keep employees educated about the risks, ensure the network is secured at all potential access points, and understand who is a threat to your network.