Effective security means strong collaboration between executives, security personnel, managers and end users. Even if you hold your CISSP or CCNA Security, or are working toward your Certified Ethical Hacker, those certs (and all the careful measures you've put in place on the back end) count for little if your end users are untrained.
All good intentions, policies, and procedures will be for naught when that one end user gets talked into sharing their login details over the phone. Or perhaps the attacker didn’t need to socially engineer your end user because their passwords are all 12345. You know we’re not kidding.
Whether you’re in the midst of a critical buyout or need the best security to protect sensitive data, here are four ways your end users can help you out.
- Be Suspicious of Any Outside Email
It sounds a bit paranoid, but email remains one of the most common ways a system gets compromised. Attackers send malicious attachments (executables or macro-laden documents) disguised as legitimate files, or they lure the recipient onto a phishing website.
Users should be educated on phishing and malicious attachments. Before your end users respond to an email, they should ask the following questions:
- Does the attachment contain a macro?
- Is the attachment an executable?
- Are any of the websites linked in the email unfamiliar?
- Is the email sender asking for private information?
If the answer is “yes” to any of these questions, then they should ask IT before responding to the email.
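The four checklist questions above can also be answered mechanically at the mail gateway, before the message ever reaches the user. The following Python script is an added example written for this article, not code from the original page: it parses a constructed phishing message, checks each attachment for a VBA macro (macro-enabled Office files are zip containers carrying vbaProject.bin) and for executable extensions or PE magic, compares every linked host against a small recognised-domain allowlist, and looks for phrases that ask for private information. The allowlist, the phrase list and the sample message are assumptions for the demo.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Domains the organisation recognises. This allowlist is an assumption for the
# example; a real deployment would load it from the mail gateway's configuration.
KNOWN_DOMAINS = {"example.com", "intranet.example.com"}

# Extensions Windows will run directly; the MZ magic catches renamed binaries.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                         ".ps1", ".msi", ".hta"}

# Phrases that typically accompany a request for private information (assumed list).
PRIVATE_INFO_PHRASES = ("password", "login details", "verify your account",
                        "social security", "account number")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def has_macro(data: bytes) -> bool:
    """Macro-enabled Office files (.docm, .xlsm) are zip containers that carry
    the VBA project as vbaProject.bin; its presence is the tell."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_executable(filename: str, data: bytes) -> bool:
    """Flag on the final extension (catches invoice.pdf.exe) or on PE magic."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ext in EXECUTABLE_EXTENSIONS or data.startswith(b"MZ")


def triage(raw: bytes) -> dict:
    """Answer the four checklist questions for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"macro": [], "executable": [], "unknown_domains": [],
              "asks_for_private_info": False}

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):          # text attachments decode to str
            data = data.encode("utf-8", "replace")
        if has_macro(data):
            report["macro"].append(name)
        if is_executable(name, data):
            report["executable"].append(name)

    body = msg.get_body(preferencelist=("html", "plain"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body is not None else "")
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in KNOWN_DOMAINS and host not in report["unknown_domains"]:
            report["unknown_domains"].append(host)

    lowered = text.lower()
    report["asks_for_private_info"] = any(p in lowered for p in PRIVATE_INFO_PHRASES)
    # Any "yes" means the user should hand the message to IT before replying.
    report["escalate_to_it"] = bool(report["macro"] or report["executable"]
                                    or report["unknown_domains"]
                                    or report["asks_for_private_info"])
    return report


def build_sample_email() -> bytes:
    """A constructed phishing message for the demo (not a real-world sample)."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@examp1e-support.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Urgent: confirm your login details"
    msg.set_content("Open the attached invoice, then verify your account at\n"
                    "https://examp1e-support.net/login within 24 hours.")
    # Minimal stand-in for a .docm: a zip with a vbaProject.bin entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    # An executable with a double extension and a PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

The report maps one-to-one onto the checklist, so the same logic can drive a gateway rule (quarantine when `escalate_to_it` is true) or a banner on the message telling the user which question tripped. Note that a lookalike domain such as examp1e-support.net only fails the allowlist because the allowlist is tight; a blocklist of known-bad domains would never keep up.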
In fact, you can refer your end users to this infographic we designed to help you educate them.
- Choose Good Passwords
You could ask anyone “What is a good password?”
The responses you’ll get will vary, but what any expert will tell you is that “12345” is not a good password. Shockingly, this is one of the most commonly used passwords.
Technically, you could set an unimaginably stringent password policy that forces a reset every week, but then you can imagine how many sticky notes would end up under keyboards. Current guidance (NIST SP 800-63B) discourages forced periodic rotation for exactly this reason, favoring length and a blocklist of known-bad passwords instead.
You can't force users to create good passwords on every platform, but you can educate them about strong password standards and about the methods attackers use to get in through poor passwords: guessing the common ones, and replaying credentials leaked from other breaches. Or consider rolling out a password manager such as LastPass.
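What "a good password" means in practice is easier to show than to argue about. The checker below is an added example written for this article, not code from the original page: it rejects candidates that are short, that appear on a blocklist of common passwords (after undoing the usual 1337-speak substitutions and trailing "2019!" suffixes), that contain the user's own name, or that are a single repeated character or a keyboard sequence. The blocklist, the minimum length and the sample passwords are assumptions for the demo; a real deployment would load a breached-password corpus.

```python
import re

# Constructed blocklist for the example; in production, check candidates against
# a real breached-password corpus (for instance a Have I Been Pwned download).
COMMON_PASSWORDS = {"12345", "123456", "12345678", "password", "qwerty",
                    "letmein", "welcome", "iloveyou", "admin", "monkey"}
MIN_LENGTH = 12  # assumed policy value

# Undo the usual substitutions so p@ssw0rd is still recognised as password.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def check_password(pw: str, user_words=()) -> list[str]:
    """Return the reasons a candidate password should be rejected (empty list = accepted).
    Length and a blocklist do the work; no complexity rules and no forced rotation."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lower = pw.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", lower)   # password2019! -> password
    candidates = {lower, lower.translate(LEET), stripped, stripped.translate(LEET)}
    if candidates & COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")

    for word in user_words:   # username, company name, etc.
        if word and word.lower() in lower:
            problems.append(f"contains '{word}'")

    if re.fullmatch(r"(.)\1+", pw):
        problems.append("single repeated character")
    elif len(lower) >= 4 and any(lower in s or lower in s[::-1] for s in SEQUENCES):
        problems.append("keyboard or numeric sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, from the article's "12345" to a passphrase.
    for pw in ("12345", "P@ssw0rd2019!", "aaaaaaaaaaaa", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The normalisation step is what makes the blocklist useful: without it, P@ssw0rd2019! sails through a "12 characters, mixed case, digit and symbol" rule even though it is the dictionary word every cracking wordlist starts with.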
Bonus: Windows 10 has several nifty features to help you with data loss prevention.
- Understand Social Engineering
Social engineering is so much faster and easier than hacking away at a secure system.
Personal social media accounts can be used, or the attacker can pretend to be an employee and scam a victim into giving up local credentials. So, it’s a problem you’ll need to address.
Your users should know three things: IT staff will never call them asking for credentials, private data should stay off social media, and any email asking for company-specific information should be treated with suspicion.
Understanding social engineering is another education issue. The more education you receive about the latest threats, the more information you can pass along to your end users, and the fewer security incidents you’ll encounter. So, stay up to date, or start with the Security+ certification and work your way up from there.
- Use Proper Storage and Transmission Practices for PII
You probably have the right storage security on your network, but users should never store personally identifiable information (PII) on insecure local storage, or transmit it over insecure channels such as email or instant messaging.
It's just so much easier to paste PII into a chat than to use the approved encrypted channel. This is where content inspection on the firewall, mail and chat gateways earns its keep: set up data loss prevention policies that recognize PII patterns and bounce the message back to the sender. You'll be glad you did.
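A gateway rule that "recognizes PII and spits it back" is mostly pattern matching plus one check to keep false positives down. The script below is an added example written for this article, not code from the original page or from any DLP product: it scans a message for US Social Security numbers and for 13 to 19 digit runs that pass the Luhn checksum (which is what separates a card number from a purchase order or ticket ID), and bounces the message if either is found. The sample chat lines are constructed; 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
import re

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched text) for each SSN or Luhn-valid card number."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    return hits


def gateway_policy(message: str) -> dict:
    """Decide whether a chat or mail message may leave: bounce it if PII is present."""
    hits = find_pii(message)
    if hits:
        kinds = sorted({kind for kind, _ in hits})
        return {"action": "bounce", "hits": hits,
                "reason": f"message contains {', '.join(kinds)}; use the approved encrypted channel"}
    return {"action": "deliver", "hits": [], "reason": ""}


# Constructed sample messages (not real data).
LEAKY_CHAT = "hey can you process this? SSN 123-45-6789, card 4111 1111 1111 1111 exp 09/27"
CLEAN_CHAT = "ticket 1234-5678 is closed; PO 9999999999999 and invoice 4111 1111 1111 1112 are paid"

if __name__ == "__main__":
    for msg in (LEAKY_CHAT, CLEAN_CHAT):
        print(gateway_policy(msg)["action"], "<-", msg)
```

The Luhn step matters more than it looks: a bare "13 to 19 digits" rule would bounce the clean message too, because of the purchase-order number, and users learn to route around a filter that cries wolf. Real deployments add more patterns (passport and driver's licence formats, national IDs for the countries you operate in) and inspect attachments as well as message bodies.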
Finally, sometimes you're not dealing with packets. You're dealing with something much more sinister: USB devices. At the time of posting, you can put 256GB on your keychain for $50.
That’s a ton of data floating around on a set of car keys.
What are you supposed to do? Some administrators disable USB storage devices, so users aren't able to copy PII onto removable media. This still doesn't stop users from storing PII on a laptop hard drive that can then be stolen, which is why full-disk encryption (BitLocker, FileVault) belongs on every laptop regardless.
It comes back to educating end users about security over convenience. You'll need to clearly communicate the risks they're taking, and maybe even consider putting teeth into your policies.
User Education is Key
The best way you can secure your applications and information is to educate your users. Once they know how to identify red flags, users are less likely to fall for many of the phishing and social engineering attacks that are commonly used to steal data.