By James Lee – Information Security Analyst: Team Lead – Intrinium
Chances are, you or someone you know has fallen victim to an information security attack: someone attempting to brute force their way into one of your accounts, an email that looked legitimate but led to ransomware, or a wrong click while browsing Facebook that redirected you to a suspicious website. These situations are becoming all too common as more and more of our lives move online and into the cloud. It is imperative that everyone has a basic understanding of information security and of how a business or individual can be harmed by failing to exercise due diligence online.
Because of this trend, basic security awareness training is imperative and will substantially reduce the risk of security incidents both at home and in the workplace. The most common successful attacks rely on the target user taking some action (such as clicking a malicious link in an email), so many recent compromises could have been avoided by an appropriate security awareness training program that teaches users what to look for. That instruction should cover, at a minimum, maintaining strong passwords, properly handling email messages and phone calls, physical security, and managing your social media presence.
Physical Security
This subject is often overlooked because physical security seems like common sense, but you would be amazed how many people know what they can do to protect themselves and still do not do it. Cybercriminals are not the only threat employees need to watch for; physical security also plays a role in keeping sensitive information protected. For example, leaving a mobile device or computer unattended is a common mistake that most people make without thinking. If an intruder can steal an employee's phone or log in to their unlocked computer, all the data and systems accessible from that device are put at substantial risk. These are just a couple of reasons why physical security should be one of your priorities.
Here are some best practices to help you increase your physical security in and out of the office:
Remember to lock your device before leaving your desk. For Windows users, hold the Windows key and press "L". For Mac users, press Control + Shift + Eject (or the Power key on machines without an eject key) at the same time; on recent versions of macOS, Control + Command + Q locks the screen directly. In either case, confirm in your settings that a password is required immediately when the screen locks or the device wakes from sleep.
Store documents in a secured, locked desk or cabinet. Employees should do their best to avoid leaving sensitive information lying around their desk.
Properly discard information. When it comes time to get rid of documents or files, be sure to shred paper and securely erase electronic copies before disposal.
Authentication and Password Maintenance
Did you know that, according to Verizon's 2017 Data Breach Investigations Report, 81% of hacking-related breaches involved weak or stolen passwords? When a password is insufficient, attackers can break into an account by brute force (rapidly trying many candidate passwords against one account), by password spraying (trying a few very common passwords against many accounts), or by credential stuffing (replaying username/password pairs leaked from other breaches). Once the perpetrator is logged in, they have access to a variety of confidential items and could cause significant harm to your account and/or network.
Because of this, security awareness programs should teach users about these attacks so they can take appropriate action. Start with a strong password: 8 characters is the bare minimum, and length matters far more than mixing letters, numbers, and special characters. A long passphrase that does not appear in any breached-password list is stronger than a short password like "P@ssw0rd" that technically satisfies a complexity rule, which is why current NIST guidance (SP 800-63B) favors length and breached-password screening over composition rules. In addition, use 2-factor authentication wherever it is available. 2-factor authentication only lets you log on if you present two pieces of evidence (such as your password and a code from your phone). Codes delivered by SMS are better than nothing, but an authenticator app or a hardware security key resists interception and phishing far better. This type of authentication is becoming the norm and is widely supported by services today.
Handling Phone Calls
In addition to email phishing, phone phishing (vishing) is a serious concern: an attacker attempts to obtain sensitive information through a phone call. Attackers can spoof phone numbers, making it appear that they are calling from a trusted source, and then simply ask for information that, in the wrong hands, could be used to gain access to a user's account and steal data. As with email phishing, the best defense is to educate employees on how to identify fraudulent calls. Employees should know how to authenticate a caller: check the caller ID, ask whether anyone internally gave advance notice of the call, and, for any request involving credentials, payments, or sensitive data, hang up and call back on a number from the company directory rather than one the caller provides. It is important to remember that phone numbers can be spoofed (the caller can make it look like they are calling from any number of their choosing), so you should never rely on the caller ID alone. This education is absolutely necessary, will substantially reduce the risk to you and your company, and is why the topic should be covered in every security awareness program.