It’s week three of National Cyber Security Awareness month. This week the theme is “It’s Everyone’s Job to Ensure Online Safety at Work”. You can’t leave the job to someone else; every employee must take responsibility for cybersecurity.
Your company may have a Chief Information Security Officer (CISO), a penetration testing team, a security operations center and all the cutting-edge tools and controls available. You’re safe, right? Wrong! The fact is that even the best tools available will only protect you from what they can detect. That’s not to say you shouldn’t have the right tools and security controls in place to protect you.
You are the Weakest Link
Computer users visit websites, receive email, download files, and perform other functions that interact with entities external to your company. Click on the wrong link or open the wrong file and you could end up installing a back door into your computer, network and your company.
Most of the people in your company probably take calls and interact with outside visitors. Attackers won’t stop at technical means to infiltrate your company; they will also resort to old-school dirty tricks, including phone calls and in-person visits, to get someone in your company to give them access or divulge seemingly innocent information. Anyone in the company can be duped into doing what the attacker asks and will usually do so just to be helpful. Attackers will seek out areas of your business such as HR, IT, Operations, or Accounting. Another old trick is “dumpster diving”, where attackers comb through your trash looking for valuable information that an employee or contractor thought was garbage. Some attackers can do a lot of damage with just a company directory.
Employees should approach any situation with a sense of healthy paranoia. Follow company policies about how visitors are allowed into the building, if such policies exist. If those kinds of policies don’t exist, work to define them.
Have a Little Class
Information in your company, whether in digital or analog form, should be classified in one of several categories. The four categories that we recommend are:
- Private: This includes personally identifiable information such as credit card info, social security number, date of birth, etc.
- Company Restricted: Data that is restricted to a subset of employees like Accounting or Human Resources.
- Company Confidential: Data that can be accessed by all employees but is not for public consumption such as a company directory, or policies and procedures.
- Public: Any information available to the public. This includes information that can be found in public records or on your website.
With your data marked with a classification, any trained employee will know whether a dataset can be shared and with whom it may be shared.
Once you have your categories, you also need to determine several other factors about each set of data:
- Who should have access?
- How is the data secured?
- How long should the data be retained?
- How is data to be disposed of if it is past retention?
- Does the data need to be encrypted? At rest/in transit?
- What is appropriate use of the data?
Without insightful instruction, your office can be a minefield of malware, susceptible to social engineering and riddled with ransomware. With the right Security Awareness Training, your employees stand a chance against the constant bombardment of attacks that hit your business every day.
Most computer users feel that they can’t be fooled, but unless you are able to test them and track their progress, you just won’t know. Please contact us if you are interested in hearing more about Security Awareness Training.
Just as an untrained user can unintentionally bring your company to a standstill, trained users can be the biggest asset to your company’s cyber safety.