Security is only as strong as its weakest link, and as we have seen, that includes your employees.
Faulting workers for behavior they’ve become accustomed to in their private lives is tricky. It can reinforce ITs added challenge of protecting company assets by having to address employees’ daily habits, some of which can jeopardize the organization’s security posture.
First, employees need education – for example, those who regularly use public Wi-Fi, Bluetooth, or USB drives in their personal lives need to understand why they’re not safe to use for work. Then, an organization needs to foster a culture of communication – for example, if something does go wrong, employees also need to feel comfortable enough to report problems to IT before extensive damage is done.
Lost or stolen devices
Employees know that if they lose a smartphone or laptop, they’re supposed to notify IT right away. However, the embarrassment and often scolding tone used in training can make them reluctant to immediately report lost or stolen devices. If they lose a device on a Friday, they may decide to wait until Monday to see if the item turns up. When it doesn’t, then they’ll report it – however, those first 48 hours could give cyberattackers a significant time advantage in working to penetrate the company’s network and/or exfiltrate sensitive data.
When conducting security trainings, the curriculum should include detail and context for how reporting a lost or stolen device right away enables IT to lock it down before information can be stolen. Managers appreciate honesty – they would rather receive a false alarm than take the risk of having a device compromised. If the device is later found, it can always be reinstated. A lost device that has to be replaced is a small matter, but a lost device that results in a breach because it wasn’t reported in a timely manner results in severe consequences for both the employee and for the company.
Wi-Fi and Bluetooth problems
Employees who have to pay for data plans have gotten in the habit of searching for open Wi-Fi connections everywhere they go. Sure they’ve heard that public Wi-Fi is unsafe, but if nothing bad has ever happened to them while using one, they’ll often grow lax and ignore the warnings.
It’s important to explain how a Wi-Fi connection makes it easy for a hacker to station himself between your employee’s device and the hotspot, accessing every bit of information they send over the internet—including all their personal information, as well as security credentials for your business network. There are even online tutorials with millions of views to show hackers just how to do it. Once cybercriminals have the employee’s information – business or personal – they can easily log in and impersonate them anytime they want.
Through a public Wi-Fi, hackers can also send pop-up messages offering software upgrades where if clicked, they install malware and infect the device.
Using Bluetooth isn’t safe, either. Last Fall, thieves took advantage of security flaws to hack into connections and steal business data from corporate networks. Once a device is infected, it easily spreads malware to other nearby devices, including office computers. Although most devices have been patched for this particular problem, hackers tend to be one step ahead of device makers, meaning there could be other nasty surprises in store for the future.
Use a Virtual Private Network
To avoid security problems associated with Wifi, Bluetooth, and other unsafe connections, have your employees use a virtual private network (VPN) instead. A VPN is a private connection that encrypts all traffic, protecting your company’s data.
However, don’t assume your VPN is foolproof. The networks are tricky to set up and using an incorrect protocol can lead to security flaws. Be sure to thoroughly vet each provider, and never go with a free solution. One study found that 38 percent of free Android VPNs available contained malware.
The main thing to remember is that while VPNs are used to encrypt communication between endpoints, they won’t protect you against rogue applications or websites that may infect you with malware. But when it’s combined with other security measures, using a trustworthy VPN is a great idea.
Avoid USB drives
What about USB drives? Yes, they come in handy when you’re in a hurry and want to take information with you, but the vast majority available are not encrypted, making it easy for hackers to reprogram them with malware. Surprisingly, infected USB drives are quite common.
Because they’re so small, thumb drives are also easy to lose. A recent study found that of the 90 percent of employees who use USB drives, 80 percent of them are not using encrypted USB drives. To make matters worse, that same study revealed that 87 percent of the employees surveyed admitted they had lost a thumb drive used for work and had not reported it.
What happens when your employees find a lost thumb drive? They should just throw it away, but people can be curious. When researchers planted nearly 300 drives in an experiment, 48 percent of people picked them up and plugged them in.
Training employees to use their devices responsibly and report loss or theft is a crucial part of your security processes. In company training sessions, work to engage employees and contextualize security policies by getting them involved with real life examples, instead of potentially coming off as admonishing workers and providing canned information and dry content. Make it relatable and show them how they are the most important part of the solution, and they’ll help make your organization a safer place to work.
Author: Robert MacDonald, Director, Solution Strategy – Security, Micro Focus
The Cloud Consultancy provision, migrate and support Office 365; Office 365 Backup, Recovery and Business Continuity; Office 365 security solutions to protect against Phishing, Viruses and Malware; Design and Build Great Websites;Document Management solution for small business; Interim IT Director services