Have you ever felt worried about the vulnerability of your business, but have dreaded the mountain of work involved in setting up the layers of security required to erect an unbreakable wall stopping Cyber-Attackers from reaching your co-workers?
You may be giving your co-workers less credit than they deserve. Simple Employee Awareness may be one of the greatest defences available to businesses, and it doesn’t require any more setting up than getting your co-workers to spend a little time learning just how much power over the business they have, the risks involved when they get breached, and how to identify and respond to security vulnerabilities.
How much danger does the average employee represent?
You may be surprised at just how deadly an unaware employee could be to a business. They have access to each other’s email addresses, and their emails and messages are trusted near implicitly. They have access to an incredible wealth of data, company files and records. They may have access to each other’s timetables and share sensitive data with each other without hesitation. They may have power over financial records of other employees, control over the system itself with administrator rights, or hold data on clients and customers, possibly even their financial information and livelihood.
We even have a blog talking about just how many threats employees can represent to a company, and how much difficulty IT can have controlling them.
Should an employee be breached, all of this power is immediately transferred to the hands of bad actors. Suddenly, the Hacker chooses which bank account employees’ wages go to. They control what software is installed on the computers in your company. They choose what emails go to your clients, and so many more terrible things.
How employees can be breached
There is an incredible wealth of techniques Cyber-Attackers can use to breach accounts, but the most common methods may be the easiest to defeat using Employee Awareness:
Phishing may be the most common method Cyber-Attackers use. Did you know that 92% of cyberattacks are sent via email?
Phishing is performed simply by lying about who you are. What would you do if an email came in from your company, saying that they’re a member of the IT-Team and that you’ve been selected as the sole member of your branch to participate in a focus group to test a new system change? That you need to click the below link and sign in to enter the alpha trial? Well, what if that email was from me, and I just forged a phoney email address and lied about who I was? Now, I could have your password with ease.
Viruses are a constant threat to any business. Any person with access to the internet can be in danger of being confronted with them. What’s worse is that all of the anti-virus software, remote monitoring software and IT-Team proactive measures in the world aren’t enough to make up for an oblivious employee. There are an incredible number of ways to get infected with Malware. And terribly enough, if one employee gets infected with malware, there’s a good chance it can spread to others, giving Cyber-Attackers total control over your system.
Did you know that the average Ransomware attack on a business deals £133,000 in damages? The threat of Malware can never be underestimated, especially as smaller businesses won’t have the defences in place to minimise the damage.
A third threat that employees may be constantly facing is Spoofed Websites. These are traps. Landmines planted around the internet. Purposely placed perils, which lie in waiting for unsuspecting employees!
Perhaps they are found on that rare second Google page we so rarely look at. Maybe they rank higher than we think, posing as a safe website. Very likely, they are found in links placed around the internet on forums, social media posts, or sent in emails.
They seem like helpful guides, fun images of cats, or quick links to login pages for your emails. For the more techy people reading this, they may take the shape of helpful programs and scripts around the internet.
4 ways you could minimise the danger of an unaware employee
Fortunately, despite the danger a lack of Employee Awareness brings, with proper measures in place your business will not live and die by a simple accidental goof. Here’s a short list of ways we recommend you minimise the danger these employees represent.
Ah, MFA. We’ve talked about it to death, and we’ll continue to talk about it until every business in the whole world implements it!
MFA acts as a second password, except you don’t need to remember it! Imagine the worst-case scenario: your IT Admin has posted their password on Facebook. Now everybody with a keyboard has unrestricted access to literally everything your company has ever done involving a computer.
But with MFA, they don’t. Even if that password is given to everybody on the planet, there’s only one person who can log in with that account: the person who holds the phone with the big button you press to double-check that the right person is logging in, and let them in.
Below is our most recent blog post talking all about MFA, how it works, and exactly what it offers.
Control what they can Download
This is so important, it’s hard to believe many companies don’t bother with this. It is incredibly easy to download a dodgy program. Maybe they’ll be fooled by an email they shouldn’t trust, maybe they’ll be using a company workstation for personal use. The internet is filled to the brim with programs you definitely shouldn’t download.
For businesses with multiple employees equipped with company devices, this can be a massive, business-destroying risk. The chance of any one employee downloading malware is low. But the chance of a good number of them downloading one is far too high to be risked.
If you’d like, I can drop the curtain a bit and let you peek at the tools IT-People use in order to manage this. The big names are Group Policy, Minimal Rights, and whitelisting technology like AppLocker.
Minimal Rights is, I personally think, the best tool for this. IT Teams really don’t like giving their Users any permissions other than the bare minimum. This is Infrastructure-Technician 101: if you never give users the ability to be tricked into installing something, they’ll be incapable of becoming the weak link.
Group Policy is a god-send of a tool, which lets IT Teams not only prevent people from downloading things they shouldn’t, but control so much more: user settings, device configurations, and the list goes on.
Not everybody will know about AppLocker. Not even some IT-Teams. It’s a specialist tool which lets only the applications the IT Team specify run. A very powerful tool as well.
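As an added example (not JustGilbey’s own configuration), here is how an IT team could build the kind of AppLocker allow-list described above with the AppLocker PowerShell cmdlets, rolling it out in audit mode first so the event log shows what would have been blocked. Every path and the GPO location are placeholders for your own environment; it must run as Administrator on a Windows workstation.

```powershell
# Added example, not JustGilbey's own config: an AppLocker executable
# allow-list built from what IT has already installed on a reference machine.
# Paths below are placeholders for your environment.

# 1. Inventory executables in the locations IT controls. C:\Windows must be
#    included, or the operating system itself is blocked once enforced.
$approved = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Turn the inventory into rules: Publisher rules for signed files (they
#    survive version updates), Hash rules for anything unsigned.
#    -Optimize merges rules that share a publisher so the policy stays readable.
$xml = New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Audit mode first: matches are logged under
#    Applications and Services Logs > Microsoft > Windows > AppLocker
#    instead of being blocked, so IT can review before switching to Enabled.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\AppLocker\exe-allowlist.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# 4. Dry-run check: what would the policy decide for a file a user just
#    downloaded, which is not in the inventory? (Placeholder path.)
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Users\<user>\Downloads\setup.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. AppLocker only evaluates rules while the Application Identity service
#    runs; sc.exe is used because Set-Service cannot change this protected
#    service's start type on current Windows builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Apply locally, keeping any rules already present (-Merge). For a fleet,
#    point the same XML at a GPO instead:
#    Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap '<LDAP path of the GPO>'
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Review the AppLocker event log for a week of normal work before changing the `EnforcementMode` attribute in the XML to `Enabled` and re-applying.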
Run IT-Security Drills
Drills! Everybody loves a good Drill. It’s a learning experience and something you can personally interact with. So how do people run Drills for IT-Training?
This is especially fun: Simulated Phishing Attacks. There are many other methods, but simulated attacks are by far the most entertaining. Have you ever wondered how the average Hacker operates? Usually, lazily. By forged, automated emails with dodgy links and malware hidden inside. Simulated phishing is when a trained person or service purposely targets your company with phishing attempts in order to see if it tricks anyone.
This will absolutely show you exactly where you need to focus your attention to defending.
Consider partnership with an MSP
Okay, this might sound a little like advertisement, but hear me out:
Okay, it is an advertisement, but I promise I would be recommending this, even if I wasn’t an Apprentice for an MSP.
There are a hundred ways to improve security for companies. Some intensely complicated, some easy, but no hundred blogs or lists will be a substitute for having someone with training in your corner. All these IT Tips you can read give important advice, but we don’t know your company. There could be something glaringly obvious about how you operate that no guide would ever consider.
Here included is a link to our free-assessment page. Even if an MSP isn’t the right solution for the business you work with, we do offer free consultations where it may help to get an IT-perspective on your business to at least point you in the right direction of how to best reinforce your cyber-security.
I’ve also thrown in one of our other blogs that explains why this is important a little better than I have.
How to train your Employees
So, now you know all about the dangers of the unaware employee, the terrible tactics of the average Hacker, and how leaving employees without vital information on how to stay safe, hoping that the Cyber-Defences in place will keep them defended, is like leading them into traffic blindfolded and hoping that an ambulance can respond fast enough to minimise the damage.
What do we do now? How do we teach your people all the wise ways of an Internet-Guru without forwarding them hours long YouTube videos they’ll skim and forget about, or leaflets they won’t read?
A handful of services which fulfil this purpose that we at JustGilbey consider for our clients are uSecure and PhinSec, with links to their pages below to show what they can offer:
Maybe a 2-minute video this week, maybe a short guide the week after. The content is surprisingly simple for just how helpful it is, and retention of its information is similarly strong.
When trying them out personally over the past year, I’ve taken a few 1- or 2-minute courses. Here’s a small slice of what I’ve learned:
- How to make better passwords, and how Cyber-Attackers can abuse simple passwords.
- How Email-Based Cyber-Attacks work, how Hackers use them, how to spot them, and what to do if you find one.
- Security issues in Removable Media, like USB sticks, and how to own and use them safely.
- Home internet security
- The risks in Home Internet, how much danger default home internet faces, and how to secure it.
- The company-destroying potential of Social Media, and how to avoid all Social Media risks.
- Physical Security in office-working, and how to prevent unauthorized access.
- The hidden threats of Public Wi-Fi, and how they can be filled with traps and malware.
If you’d like any help training Employees, or identifying any areas in your business that may be at Cyber-Security risk, please feel free to contact us and set up a (free!) Consultation. If you’d like to find out more on how to improve Cyber-Security, here’s another related post:
– Thanks for reading, Dylan IT Apprentice
Sources & Attribution
All statistics are gathered from the following sources