When it comes to the prevention of cyberattacks, the human factor is often overlooked. We all know that better technology can help us to be safer from the various threats of the online world. However, too many people fail to realize that, in the end, it’s all about the user. With that in mind, we want to help you evaluate whether or not your employees are using good security in their daily practices and routines. This is very important because uninformed employees are one of the easiest ways for a hacker to compromise your entire organization.
Question #1: Are Your Employees Well-Educated About Cybersecurity?
This is the first question for a good reason: it is the most important one. Education is the single best way to prevent your organization from being hacked, because attackers routinely treat uneducated people as the weak point.
For instance, let’s say that a hacker wants to infect you with a phishing email. If they send the email to, say, the head of the IT department, it is not likely to work. Chances are, the expert will recognize the email as suspicious and decline to open its links or attachments. That’s why the hacker probably won’t send a phishing email to that particular person. Instead, they will target someone who has a limited grasp of technology and an unsuspicious mindset.
One thing you can do is hold periodic competitions among your employees. They can be shown examples of various emails, one of which is a phishing email. Those who are able to “spot the fake” can be rewarded with special privileges of some sort, encouraging other people to cultivate the skill of spotting fakes. Phishing emails are not the only hacking attacks that involve this kind of information spoofing, so this will help on multiple levels.
Question #2: Do You Have A Good Access Control Scheme?
Intelligence agencies often operate on a “need to know” basis. That means a particular operative will only be told the things that they need to know. If that knowledge isn’t necessary for the performance of their mission, it is withheld. This is done for one very simple reason: You cannot divulge what you don’t even know in the first place.
Although you probably don’t need to lock down your organization like the CIA, you can utilize this same principle with a good access control scheme. Low-level employees do not need to have access to high-level files, at least in most cases. You should use a compartmentalized system that allows employees to access only the information that is necessary for the performance of their job.
An access control scheme should be set up with at least three levels of access, and most employees should only have access to the lowest level. The whole idea is to minimize the number of people who come into contact with sensitive information. The top level should only be accessible to the leadership of your company, and every level should be separated with 256-bit AES encryption. The use of multiple encrypted file containers might be a good option here, as long as you don’t leave any unencrypted copies of the data in free space on the host drives.
Question #3: Do You Have A Password Policy And Do You Enforce It Fully?
If you are educated about cybersecurity at all, you probably understand the importance of strong passwords. Passwords are even more important for encrypted systems, as they represent the only key that can unlock everything. The computer derives the decryption key from the password itself, and that key is never saved or stored anywhere. That’s why encryption works so well, but only if you have strong passwords. A strong password makes for a strong encryption key, which makes for a well-protected system.
All passwords should be 19-20 characters, should contain both letters and numbers (symbols are good, too), and should contain both upper and lowercase letters. Otherwise, a brute-force program can crack them easily. You can use this website to test the strength of your password if you aren’t sure (test a password of similar structure rather than the real one). In addition, you should tell your employees to make their passwords as weird and random as possible. Some people like to invent new words for their passwords, which is great because such a password cannot be figured out through contextual analysis.
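The two paragraphs above describe a key derived from the password rather than stored, and a length and character-class rule meant to defeat brute force. The following added example (not code from the original article or from PCH Technologies) derives a 256-bit key with PBKDF2, checks a password against the article’s policy, and estimates the brute-force search space; the iteration count and the guess rate are assumptions.

```python
import hashlib
import math
import string

# Assumption: a PBKDF2 work factor in the range used by current guidance.
KDF_ITERATIONS = 600_000


def derive_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a 256-bit (32-byte) AES key from a password with PBKDF2-HMAC-SHA256.

    The key is recomputed on every unlock; only the salt is stored, never the key.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def meets_policy(password: str) -> bool:
    """Article's rule: 19-20 characters (treated here as a minimum of 19, an
    assumption), with lowercase, uppercase and digits all present."""
    return (
        len(password) >= 19
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def password_keyspace_bits(password: str) -> float:
    """Estimate the brute-force search space in bits from the password's
    length and the character classes it actually uses."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    )
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to exhaust the keyspace at a given guess rate (default is an assumed
    rate for a fast unsalted hash; PBKDF2 divides it by its iteration count)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    # Constructed sample values; the salt would normally be random per container.
    salt = b"constructed-sample-salt"
    for pw in ("password123", "Blue7Giraffe!Sings9x"):
        bits = password_keyspace_bits(pw)
        print(pw, meets_policy(pw), round(bits, 1), f"{brute_force_years(bits):.2e} years")
    print(derive_key("Blue7Giraffe!Sings9x", salt).hex())
```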
To enforce these policies, you can use the services of a penetration tester. Make sure that all relevant employees have signed waivers so that this will be legal and acceptable. Basically, you hire someone who will attempt to hack your employees using common tools. This will help you to expose and weed out those who refuse to take security seriously.
Question #4: Do You Have A BYOD Policy?
Mobile devices can often represent a major weak point in your cyber-defenses. Very few people take the time to secure their phones, and some models basically can’t be secured anyway. Not only that, but people tend to lower their guard when using their phones, as it seems like a normal and commonplace activity. For this reason, you need to be careful about which devices are allowed to access your company network. BYOD (bring your own device) policies might save some money, but they also introduce a giant mess of potential security issues.
In the end, it all comes down to two things: education and diligence. People have to be educated enough to identify a potential threat, and they have to be diligent enough to act on that discovery. There is no way to completely eliminate the factor of human error, but there are definitely many ways in which you can reduce its impact. If you have found this article to be helpful, and if you would like to learn more, feel free to call PCH Technologies at (856) 754-7500.