Work environments are evolving, presenting new opportunities for cybercriminals to compromise company systems and networks. The shift to remote work has forced business owners to adapt, establishing technical measures to ensure remote productivity and security. Technical controls are vital to protecting company data, but all the technical solutions in the world are not enough to protect a business if its employees are not fully trained in the cybersecurity skills needed to protect themselves and the business today. This article reviews the many areas of awareness training required to turn every employee into a strong, confident, productive, and effective Human Firewall.
Insider Threat
When people hear the phrase "insider threat" they think of angry employees getting back at a company that spurned them in some way. It is critical that businesses understand that insider threats are not always malicious. Accidental insider threats occur when employees make unintentional mistakes that result in harm to the business. Alternatively, well-intentioned employees may perform legitimate but dangerous actions such as clicking on malicious links, not following policies and procedures, or responding to phishing emails as though they were legitimate requests (bought any gift cards lately?). According to the Ponemon Institute, these accidental threats account for 62% of all insider-related incidents.
Whether they know it or not, employees pose a risk to the security of company networks and the data they hold. A study by Fortinet showed that businesses see phishing attacks (38%) as the top cause of accidental insider threats, followed by spear-phishing (21%), poor passwords (16%), and browsing to suspicious or malicious websites (7%). Each of these activities opens the door to cybercriminals: an employee clicks a link, downloads a file, or responds to a fake request by purchasing gift cards. Educate your employees to take the time to determine whether a request or action is safe and legitimate. These threats must be mitigated, independently of technical controls, by building a better human firewall through awareness training.
The Human Firewall
Creating a cyber-aware culture is essential. Everyone has a role to play, from executives to the shipping department. If employees see something, they should say something. However, employees need proper training to understand when and why something may be suspicious and so that they know to whom they should report such things. Employees must understand how they can contribute to effective cybersecurity strategies, rather than just relying on IT personnel to fix all issues.
Employee Awareness Training
Considering that employees can be the best line of defense, it is crucial that SMBs protect their organizations by including employee education and awareness training as a key component of their overall cybersecurity strategy. By embracing this technique, SMBs can ensure the workforce is prepared to face common and emerging threats. Training staff to spot and avoid phishing attacks, social engineering, ransomware, Wi-Fi insecurities, and other threats, and to use two-factor authentication where required, greatly reduces the chances of becoming victims of hackers. Pick a training system that is open, so you can pivot quickly and train your team on emerging threats such as phishing attacks claiming you must complete a contact tracing form, as was common in 2020 due to COVID-19.
Setting Policies
Businesses should also take a look at their governance policies. Policies are a great way to keep staff informed of, and accountable to, company expectations on behavior and technology usage. CyberHoot recommends adopting the following four foundational governance policies if you have not defined any yet (don't feel bad; many companies have not defined their cybersecurity governance policies):
- a password policy
- an acceptable use policy
- an information handling policy, and
- a written information security policy (WISP)
Together, these four governing policies provide a sound foundation upon which to mature your cybersecurity program. Training and governance are key to protecting your company. Train employees on attacks and on the policies that govern their behavior. However, as most cybersecurity professionals will tell you, you must back these measures up with strong technical protections for the day an employee forgets their training and governance and clicks that phishing email.
Technical Counter-Measures
While humans can be one of the best firewalls out there, they are fallible and they make mistakes. In such cases, technical measures can be a powerful safeguard to help users and businesses stay secure and compromise-free. Two of the most significant and effective technical protections available today are Two-Factor Authentication and Password Managers. Both provide strong technical countermeasures to the attacks we all face today.
Two-Factor Authentication
First, a brief primer. Two-Factor Authentication is the combination of two of the following three identification factors:
- Something you know – Most often a password for your account.
- Something you have – Such as a cell phone with a temporary authentication code.
- Something you are – Such as your fingerprint or facial recognition.
Using two of these three identification factors is the best way to protect your critical accounts. Hackers count on your employees re-using their passwords. They visit dark web forums to find all the exposed passwords for employees in your "Internet Domain" and then begin methodically attempting to log into accounts (VPN, O365, SaaS solutions) protected by nothing more than a username and password. The moment they see these online services protected by 2FA they move on to easier targets (in most cases), because they know they may not be able to penetrate such protections.
Unfortunately, many applications today do not yet integrate with two-factor authentication and are at the mercy of employee password hygiene. The fastest way to educate staff and improve overall password hygiene at your business is to adopt a password manager. These tools generate secure random passwords, take the guesswork out of logging into online applications, and even improve efficiency by launching websites and automatically logging people in once they have authenticated into the password manager using 2FA.
Password Managers
Cybersecurity professionals tell you to use strong, unique, and long (14 or more characters) passwords for every account you own. The average person can only remember 3 to 4 strong, long, unique passwords. Diligent and creative folks, using mnemonic memorization techniques, can learn 10 to 15 unique, strong, long passphrases. However, according to a study of 20,000 Dashlane users, the average person today has more than 90 online accounts. The only way to accommodate this proliferation of online accounts is to adopt and learn one of the many free (for personal use) password managers. Many password manager options exist on the market today, including LastPass, 1Password, and Dashlane. More important than picking the right one for you is using one, period.
Password managers automatically synchronize all your account data between devices (smartphones, laptops, and tablets). A web browser plugin monitors your login activity and prompts you to save your credentials whenever you authenticate into a new website. Your username and password for the Domain (or URL such as gmail.com) are stored in an encrypted password vault.
If you ever accidentally click on a phishing link and land on a webpage impersonating one of the sites stored in your password manager, the manager will refuse to enter your credentials, tipping you off that you have been duped! All password managers include a random password generator you can use to create new, strong, unique passwords. Some managers will also alert you to weak or reused passwords and even prompt you to change them, automating the fixing of some of the password hygiene issues you face. Doing so will make you and your staff more secure, effective, confident, and efficient.
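The three password-manager behaviors described in the last three paragraphs (generating strong random passwords, storing credentials against a domain, and refusing to fill them on a look-alike page) can be shown in a few dozen lines. The following is an added example written for this article, not the code of LastPass, 1Password, Dashlane or any other product; the vault layout, the `autofill`/`audit` function names and the sample entries (domains under `.example`, constructed passwords) are assumptions made for the illustration. It generalizes the gmail.com case in the text slightly by also rejecting `user@host` URL tricks and non-HTTPS pages.

```python
import secrets
import string
from urllib.parse import urlparse

MIN_LENGTH = 14  # the article's "14 or more characters" recommendation

# Character classes a generated password must draw from (assumption for this example).
CHARACTER_CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{}:;,.?",
]


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, resampled until every character class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"password length must be at least {MIN_LENGTH}")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CHARACTER_CLASSES):
            return candidate


def site_matches(stored_domain: str, current_url: str) -> bool:
    """True only when the page's real hostname is the stored domain or a subdomain of it.
    'gmail.com.evil.example' and 'gmai1.com' fail; so does 'https://gmail.com@evil.example/'
    because urlparse() reports the hostname after the '@'. Plain http is refused too."""
    parsed = urlparse(current_url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").rstrip(".").lower()
    stored = stored_domain.lower()
    return host == stored or host.endswith("." + stored)


def autofill(vault: list[dict], current_url: str):
    """Return (username, password) for a matching vault entry, or None to refuse to fill."""
    for entry in vault:
        if site_matches(entry["domain"], current_url):
            return entry["username"], entry["password"]
    return None


def audit(vault: list[dict]) -> dict:
    """Hygiene report: entries shorter than MIN_LENGTH and groups of entries sharing a password."""
    weak = [e["domain"] for e in vault if len(e["password"]) < MIN_LENGTH]
    by_password: dict[str, list[str]] = {}
    for e in vault:
        by_password.setdefault(e["password"], []).append(e["domain"])
    reused = [domains for domains in by_password.values() if len(domains) > 1]
    return {"weak": weak, "reused": reused}


# Constructed sample vault for the demo; none of these are real credentials.
SAMPLE_VAULT = [
    {"domain": "gmail.com", "username": "alice@example.com", "password": "Tq7!vR2#mLp9$wXz"},
    {"domain": "bank.example", "username": "alice", "password": "CorrectHorseBattery!1"},
    {"domain": "shop.example", "username": "alice", "password": "CorrectHorseBattery!1"},
    {"domain": "forum.example", "username": "alice", "password": "Winter21!"},
]


if __name__ == "__main__":
    print("generated:", generate_password())
    print("real site:", autofill(SAMPLE_VAULT, "https://mail.gmail.com/"))
    print("phishing look-alike:", autofill(SAMPLE_VAULT, "https://gmail.com.account-verify.example/login"))
    print("audit:", audit(SAMPLE_VAULT))
```

The phishing page in the demo never receives credentials because `site_matches` compares the parsed hostname, not whatever text appears in the address bar, and the `audit` output is the same weak/reused report the text says some managers surface to their users.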
Moving Forward: Concluding Thoughts
Cybersecurity is every employee's job. Non-IT staff must step up and help reduce business risk by learning what they need to know about cybersecurity best practices. Cybersecurity awareness training, policy governance, and proper technical tools will give your business a leg up on the competition and on hackers by providing staff a pathway to becoming stronger human firewalls.