The weakest link in your security program is always going to be your employees. Most people are too trusting, too gullible, and too uninformed when it comes to computer and network security. An attacker does not need great skill or fancy software tools if a simple social engineering attack, such as a phone call, will get them the credentials of one of your employees.
The best solution, and possibly the only solution, is to provide training to your employees so they can learn what the threats are, what an exploit might look like, and how to avoid them. Coupled with the security and privacy policies you developed earlier in this process, you have a reasonably effective way to keep your employees informed about threats to your business and their employment.
Be sure to inform them about security basics such as:
- Let the security products run so that threats can be found and removed early. I’ve watched employees cancel a scheduled security scan because it “makes my computer slow.” Encourage them to let the scan finish, or schedule scans for before or after hours.
- Only install approved software. Downloads often contain hidden malware and Trojan horse programs.
- Create long and complex passwords. Never reuse a password across accounts; one breached site then exposes only that one account. Do not send your password in an email, or give it to someone over the phone, even if they claim to be from “tech support.”
- Email: when in doubt, delete it. Never click on a link in an email unless you have confirmed the source of the email and the destination of the link (the address the link actually points to, not the text you see). You can submit a suspicious link to VirusTotal, which checks it against many scanning engines; a flagged result is a strong warning, but a clean result does not prove the link is safe.
- Make sure your data is being backed up regularly, or stored on a central server that is being backed up regularly, and confirm periodically that a backup can actually be restored.
- If something seems suspicious or questionable, speak up! Most of the time people are clever enough to be concerned, but they go ahead because they don’t want to appear computer illiterate. Encourage a critical, questioning, or even suspicious mindset around computer security issues.
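The email bullet asks employees to confirm where a link really goes before clicking it. As an added example (not code from the original article or its author), the script below does that check mechanically on an HTML email body: it pulls every link out, then flags the patterns that commonly mark a phishing message, namely visible text that looks like one address while the link target is a different host, punycode (lookalike) host names, bare IP addresses, and plain-HTTP targets. The email body, all domain names and the IP address are constructed sample data using reserved example names, not a real message.

```python
"""Flag suspicious links in an HTML e-mail body before anyone clicks them.

Added example, not part of the original article. All sample data below is
constructed; the domains are reserved example names and 192.0.2.10 is a
documentation address.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of a credential-phishing message.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Please visit
<a href="http://login-verify.example.net/auth">https://mail.example.com/settings</a>
to keep receiving mail.</p>
<p>Questions? See <a href="https://mail.example.com/help">our help page</a>.</p>
<p>Or <a href="https://xn--exmple-cua.example.org/">click here</a>.</p>
<p><a href="http://192.0.2.10/login">Log in now</a></p>
"""

# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; text without a scheme is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_links(html):
    """Return a list of (href, reason) findings for links that deserve suspicion."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        # 1. The text shows one address but the link goes to a different host.
        if URL_LIKE.match(text) and host_of(text) != host:
            findings.append((href, f"visible text '{text}' does not match link host '{host}'"))
        # 2. Internationalised (punycode) label: the classic lookalike-domain trick.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "punycode host label, check for lookalike characters"))
        # 3. A raw IP address instead of a name.
        if IPV4.fullmatch(host):
            findings.append((href, "link target is a raw IP address"))
        # 4. Plain HTTP: anything asking for a login over http is a red flag.
        if urlparse(href).scheme == "http":
            findings.append((href, "link is plain http, not https"))
    return findings


if __name__ == "__main__":
    for link, reason in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{link}: {reason}")
```

On the constructed sample, the help-page link passes cleanly while the other three are flagged; the first one is the case the article warns about, since the employee would see a familiar-looking address while the click goes somewhere else entirely. A clean result here, as with VirusTotal, only means none of these particular patterns matched, not that the link is safe.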
And again, please check out StaySafeOnline.org for more information and helpful links.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com