Cyber Security: Your Network Security is Only as Strong as Your Weakest Employee
Author Name: Jim McKay
Posted: 09-28-2017 05:17 AM
Synopsis: Your organization can have the most secure firewall in the world and it's not going to do any good unless your employees are trained and motivated to protect the network. Widely cited industry estimates attribute around 95% of cybersecurity breaches to human error, and attackers know this: they would rather take advantage of a careless or uninformed employee than try to break through a world-class firewall.
There isn’t a day that goes by without another story of hacking or lost data in the news. From political campaigns to corporations to breaches at the highest levels of government…no organization is immune to the risk.
Millions of dollars are spent protecting sensitive data, but ultimately all those dollars are wasted if employees aren’t educated on cybersecurity guidelines. Hackers know that the easiest way into a system is through naïve employees without security knowledge. One simple mistake by one single worker could be devastating.
The best practice for any organization is to make basic cybersecurity guidelines a mandatory part of training. Ensuring that employees are educated and motivated to follow these guidelines is possibly the most important factor in preventing breaches.
Any training about cybersecurity must start with passwords. Breach reports consistently attribute roughly 80% of hacking-related breaches to stolen, weak, or easy-to-guess passwords. Unbelievably, some of the most commonly used passwords every year include "password" and "12345". Many people are careless or uninformed about passwords. They think that a hack will never happen to them or they simply don't understand how password attacks work. By compromising one employee's account, cybercriminals can move into an entire company's systems and the result can be catastrophic.
All passwords at work should be at least 12 characters long and contain a number and a symbol. Length matters far more than the mix of character classes: a long passphrase beats a short password full of symbols, and no composition rule helps if the password appears in a list of previously breached passwords, so check new passwords against such a list where the system allows it.
Passwords should be easy to remember but not obvious. In other words, they shouldn't be children's names, pet's names, or birthdays. Avoid dictionary words or common misspellings of dictionary words. Attackers run dictionary attacks that try every word in a word list, plus the usual variations (capitalized first letter, digits or a symbol appended, letters swapped for look-alike symbols). A true brute-force attack tries every possible combination of characters, and that is where length protects you: each added character multiplies the work.
It's better to use a phrase that is uncommon but that means something to you so you can remember it. Don't use common phrases or popular song lyrics. A phrase like "IreallyLove2$ailBoats" is a good example of a secure but easy to remember password. It's not a common phrase, but it's memorable to the person who created it. It's 21 characters long and it combines multiple words, capital and lower-case letters, a number, and a symbol. Its strength comes from the length and the uncommon phrase, not from the decoration: swapping "$" for "s" is a substitution that password-cracking rule sets undo automatically.
Work passwords should be different from personal passwords, and a different password should be used for each important login such as e-mail, the network, and the computer itself. A password manager makes this practical and removes the need to write anything down; if passwords must be written down, keep them separately from your devices.
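The rules above (minimum length, a digit and a symbol, no dictionary words, no common passwords, no personal information) can be enforced mechanically when a password is set. The following is an added example, not code from the original article, of a checker that applies them. It also undoes the look-alike substitutions discussed above ("$" for "s", "0" for "o") before comparing against the common-password and dictionary lists, so "P@$$w0rd2017!" is judged as "password" even though it technically satisfies the digit-and-symbol rule. The word lists are tiny constructed stand-ins; a real deployment would load a full dictionary and a breached-password corpus.

```python
import re

# Constructed stand-ins for what a real check would load from files: a
# breached/common-password corpus and a dictionary word list.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "qwerty", "letmein", "iloveyou",
    "welcome", "summer", "sailboat", "sailboats", "football",
}
DICTIONARY = {"password", "summer", "welcome", "sail", "boats", "sailboats",
              "love", "really", "football"}

# Substitutions that cracking rule sets reverse automatically; we reverse
# them too, so "P@$$w0rd" is judged as the word "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(pw):
    """Drop leading/trailing digits and symbols (the "2017!" suffix habit),
    undo look-alike substitutions, and lowercase."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET_MAP).lower()


def check_password(pw, personal_terms=()):
    """Return the list of policy failures for pw; an empty list means it passes.
    personal_terms are words tied to the user (pet names, hobbies visible on
    social media) that must not appear in the password."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    norm = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("matches a common/breached password after undoing substitutions")
    # Letters only: "Summer2017!" reduces to "summer", a single dictionary word.
    if re.sub(r"[^a-z]", "", norm) in DICTIONARY:
        problems.append("a single dictionary word with decoration")
    for term in personal_terms:
        if term.lower() in norm:
            problems.append(f"contains personal information: {term}")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "Summer2017!", "P@$$w0rd2017!", "IreallyLove2$ailBoats"):
        print(candidate, "->", check_password(candidate) or "OK")
    # The same passphrase fails once the user's public hobby is known.
    print(check_password("IreallyLove2$ailBoats", personal_terms=["sailboats"]))
```

Running the script shows the article's example passing on its own and failing when "sailboats" is supplied as a personal term, which is exactly the point made under "Be Social Media Aware" later in the article.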
Two Factor Authentication
Two-factor authentication provides an extra layer of security by requiring users to prove their identity with something in addition to their password. Many systems still use secret questions for this. Strictly speaking, that is not a second factor: a password and a secret answer are both "something you know", so an attacker who can phish or look up one can often get the other. Treat secret questions as a weak backup, not as real two-factor authentication.
When you must set secret questions, choose ones whose answers are not publicly available. The name of a favorite teacher is far better than the city where you were born, which is likely on your social media profile. Better still, treat the answers as additional passwords: make them unrelated to the question and store them in a password manager.
A genuine second factor is "something you have". The most common form is a one-time code sent by text message to the legitimate user's cell phone; to log in, both the password and the code must be entered. An attacker may obtain the password, but without the user's phone he or she cannot complete the login. Be aware that text messages are the weakest form of this: attackers have moved codes to a phone they control by persuading carriers to transfer the number (SIM swapping), and phishing pages can relay a code the moment the victim types it. Where the service offers them, an authenticator app or a hardware security key is stronger than a texted code.
When employees receive a second-factor code for a login they did not initiate, they should immediately report it to the appropriate security person. The code arriving at all means someone else has the password; even though the attacker was unsuccessful, the password must be changed and it is critical to find out how it was obtained so that steps can be taken to stop the same thing happening to other accounts.
When a URL begins with http, the connection is unencrypted: anyone positioned on the path between you and the site (on the same wi-fi, or running the access point) can read and alter what you type. When it begins with https, the connection is encrypted and authenticated with a certificate, and it is far more difficult for criminals to intercept your data in transit.
If you are being asked to enter personal or business information on a site that begins with http, do not do it, and report the site if it claims to belong to your employer or a partner. Note that https only proves the connection is private; it does not prove the site is who you think it is. Phishing sites routinely use https with a valid certificate for a look-alike domain, so check the domain name in the address bar, not just the padlock.
Be Social Media Aware
Would the password “IreallyLove2$ailboats” be as secure if the user has a public social media profile with a lot of pictures and posts about sailing boats?
Would your secret questions be secure if you are using the city where you were born or your high school mascot and that same information is available on your social media pages?
The answer to both is “definitely not!” There are plenty of easy to remember passwords that are secure, but they must not contain publicly available information or their complexity has lost its power.
Additionally, employees must be cautious about what they disclose via social media pertaining to their jobs or their employer. Often, confidential data or sensitive information is released inadvertently on social media profiles. The best policy is to keep all business information off personal social media pages.
Sensitive Personal or Confidential Business Information
Hackers are constantly on the prowl for information that will allow them to access your network. Never give any personal or business information when receiving an unsolicited phone call, text message, instant message, or email. When you receive a call, email, or any other information from your IT department, make sure the call is in fact from IT. Hackers will pretend to be from the IT department to trick people into giving up sensitive information. If you receive a suspicious call or email, report it to security or the IT department immediately.
In many organizations, disclosing confidential information or putting intellectual property at risk can result in employment termination…. even if the disclosure was accidental. Every employee should be familiar with their organization’s acceptable use policy. No one outside of your organization should ever have access to confidential information or intellectual property without authorization. Vigilance is the duty of everyone in the workplace.
Public Network Connections
When away from the office, employees are especially vulnerable to cyber threats through unsecured network connections.
Public wi-fi networks are a favorite of cybercriminals. The thieves set up a wi-fi network in a public area that mimics a legitimate public network (an "evil twin"). Once an unsuspecting user connects, all of that user's traffic flows through the attacker's equipment, where unencrypted web pages, e-mail and credentials can be read or altered and the user can be redirected to fake login pages. People who use these bogus connections risk the theft of their data and passwords.
Another favorite of attackers is the "man in the middle" attack. In this scenario, the attacker positions himself between your device and the network, for example by impersonating the wi-fi gateway on a shared network, and intercepts or modifies your data as it is sent. Only traffic that is encrypted end to end (https, or a VPN) is protected against this.
Employees who travel are especially vulnerable, but anyone who accesses the networks available in public areas or in hotels, coffee shops or other businesses is at risk. It's much safer to use your own cellular data connection, or a personal hotspot protected by a strong password, than a shared network; the safest method of all is to use a VPN, which encrypts everything between your device and the VPN server.
VPNs, or Virtual Private Networks, also mask the device's original IP address. Users appear to the sites they visit with an IP address belonging to the VPN server, which could be in any location. A person using a VPN could appear to be in Minneapolis by the IP address, but in fact be in Los Angeles.
Additionally, VPNs encrypt all traffic between the device and the VPN server, making it very difficult to intercept on a hostile network. Use of the company VPN for work outside of a work facility should be mandatory. Two caveats: the protection ends at the VPN server, so the sites you visit through it should still use https, and if the VPN client is configured for "split tunneling", only the traffic routed through the tunnel is protected.
Home Network Connections
Home networks are also a dangerous security risk because they are often not set-up with the same level of security as business networks. However, following some simple protocols is easy and doesn’t take more than a few minutes.
Protect access to your router with strong, unique passwords that are at least 12 characters in length with capital letters, numbers, and symbols. Never use the default password that came with the device, always create your own.
Always use WPA2 encryption with AES. WPA2 is the strongest widely available wi-fi security standard (prefer WPA3 if your router offers it), and AES is the cipher that the U.S. government has approved for protecting classified information. Avoid the older WEP and WPA/TKIP options, which can be broken. These settings are found in the router's administration page, usually under wireless security, not on your computer.
Create a guest network for use by your friends, family, and any other visitors you may have. This is also easy to do and well worth the time. You will never have to worry about your guests accidentally giving a cybercriminal your password, and if the router offers guest isolation, enable it so that devices on the guest network cannot reach your own computers and printers.
Email is one of the most dangerous security risks employees face on daily basis. Without following stringent security measures, one email could cost millions.
Email passwords are just like other passwords. They must be complex and they must be at least 12 characters in length. Unfortunately, this guideline is often ignored. Workers fall into the trap of using a short obvious password for convenience. Using a few extra keystrokes to secure a password is far less inconvenient than a ransomware attack or data theft.
E-mail must be carefully filtered. The best rule of thumb is: when in doubt, don't open it, and report it. Never open an attachment if there are doubts about its origin or contents. This rule applies to web links sent via e-mail as well. Many websites are designed to attack your computer with malware, and just clicking on a link puts your computer and network in jeopardy. Hover over a link before clicking: the text you see and the address it actually points to can be completely different.
Even e-mails from people you know could be dangerous. Often criminals use hacked e-mail accounts to attack the victim's friends, customers, or colleagues. Additionally, the sender's display name and even the From address can be forged to look like a friend or colleague when, in fact, the message came from a completely different mailbox, and a Reply-To header can quietly route your answer to the attacker.
If an e-mail from a friend, customer or colleague seems suspicious, show it to your IT team and call the sender to verify, using a phone number you already have, not one given in the e-mail. Often, the sender does not realize they have been hacked until it is too late.
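The checks a trained employee does by eye (does the display name match the real sender, does Reply-To go somewhere else, does the link text match where the link really goes, is the attachment executable) can also be done programmatically on the raw message. The following is an added example, not code from the original article, of such a heuristic run over two constructed messages; the addresses and domains in it are made up for illustration. It uses only Python's standard library.

```python
import re
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not real mail). In the first, the From display
# name is crafted to show a trusted-looking address while the real mailbox is
# elsewhere, replies are diverted, and the link text hides the real host.
SUSPICIOUS = b"""From: "Jane Doe <jane.doe@example-corp.com>" <mailbox83@free-mail.example>
Reply-To: invoices@another-mail.example
To: bob@example-corp.com
Subject: Updated wire instructions
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob, the new bank details are at
<a href="http://example-corp.com.login-verify.example/update">https://portal.example-corp.com/billing</a>
please confirm before 5pm.</p></body></html>
"""

CLEAN = b"""From: Jane Doe <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
SHOWN_URL_RE = re.compile(r"https?://([\w-]+(?:\.[\w-]+)+)", re.I)
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm")


def analyze_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means no heuristic fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_domain = sender.domain.lower() if sender else ""

    # 1. Display name that itself looks like an address in another domain.
    if sender:
        m = EMBEDDED_ADDR_RE.search(sender.display_name)
        if m and m.group(1).lower() != from_domain:
            findings.append(f"display name shows {m.group(1)} but real sender domain is {from_domain}")

    # 2. Replies silently routed to a different mailbox.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # 3. Link text that shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in HREF_RE.findall(text):
        real_host = (urlparse(href).hostname or "").lower()
        shown = SHOWN_URL_RE.search(anchor)
        if shown and shown.group(1).lower() != real_host:
            findings.append(f"link text shows {shown.group(1)} but points to {real_host}")

    # 4. Attachment types that execute code when opened.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment: {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label + ":", analyze_message(raw) or "no findings")
```

None of these heuristics proves a message is malicious, and a message that passes all of them can still be a phish sent from a genuinely compromised colleague's account, which is why the article's advice to verify by phone still applies.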
Attackers are constantly finding new ways to infiltrate networks, which makes regular security updates critical. Patches for security vulnerabilities are released as soon as the vendor has fixed the issue, and not installing them is like leaving your front door wide open. Once a vulnerability is public knowledge, attackers count on individuals and organizations being slow to patch, and they make them pay dearly for it.
In May 2017, the WannaCry ransomware worm spread to computers throughout the world using a known Windows vulnerability (MS17-010) for which Microsoft had published a fix two months earlier. Companies that had not applied that one update paid dearly for it.
Access and Security for Devices
Never grant access to devices used for work purposes, such as computers, tablets, and phones, to friends and family. This includes personal devices used for work business. Even if you give access to someone you trust, it is a security risk. This user could (without criminal intent) accidentally download malware or delete important files.
If you must allow friends and family to use your computer, create a guest account. Guest accounts are separated from the main administrator account and are designed to protect the computer and keep its information safe. For the same reason, your own day-to-day account should not be an administrator account either; use a separate administrator login only when you need to install or change something.
Guest accounts can't see your files, change system settings, or install software, which greatly reduces the damage malware can do. Your guests will be able to surf the web and use basic applications such as Word but will be unable to do much damage to your computer.
USB drives are one of the easiest ways for a cyber-criminal to infect your machine. Never allow an unknown USB drive to be plugged into your computer or any other device.
Cybercriminals have been known to attack a business by inserting a USB into one of its computers. This can be easier than most people think. Most offices are full of activity. Vendors, salespeople, consultants, customers, contractors, and many other persons who are not employees move through an office every day.
All it takes is one cybercriminal inserting a USB drive into one computer for only a minute to compromise an entire system.
By locking your computer every time you leave it and by setting it to lock after a short period of inactivity, you drastically reduce the opportunity for a USB device to attack your machine. A locked screen is not a complete defense, because some malicious USB devices present themselves as keyboards or network adapters and work even at the lock screen; disabling autorun, blocking unknown USB devices through company policy, and reporting any unfamiliar drive left lying around close the remaining gap.
File Sharing and Data Storage
Backing up critical data is an important aspect of cybersecurity, however, it’s also a potential security risk if it’s not done properly. Before backing up files online be sure to get approval from your IT department. Not all file storage sites have the same safety and security. Be sure to get approval for any cloud data storage.
The same is true for file sharing. While file sharing sites are a convenient way to share files with customers, vendors, and co-workers, not all of these sites are created equal. Make sure that your employer has approved the file transfer site before sending.
Physical Device Security
Most devices are portable these days and this creates an added security risk. When you are in a public area never turn your back to a device or leave it unattended. If possible, don’t leave your device in a vehicle, but if you have no choice, place the device away from view.
Even at home, device security is critical. Never leave your device out if you have visitors that you don't know well. When traveling, devices should remain with you or be secured in a safe in your hotel room. Because a device will eventually be lost or stolen, every work laptop and phone should also have full-disk encryption turned on and a strong unlock code, so that losing the hardware does not mean losing the data on it.
Widely cited estimates attribute around 95% of cybersecurity breaches to human error, which means the safety and security of a company's network is very largely in the hands of its employees. Cybercriminals understand that it is much easier to gain access through an unsuspecting worker than it is to breach a technologically advanced firewall. Educating employees on cybersecurity is quite possibly the most important measure any organization can implement, and workplaces that take this training seriously are in a far better position to avoid catastrophic malware attacks or confidential customer and corporate data losses.