Antivirus solutions? Implemented!
Perimeter defenses? Working!
Multi-factor authentication? Enabled!
Employee awareness program and Phishing attack training? Umm, is it really needed?
THE CHALLENGE
Absolutely! Up to 70–80% of the cost attributed to cyber attacks every year, is actually the result of a human error. We focus on building bigger, stronger walls of defense — but, forget to train our “guardians” about how to defend those “walls”. Behavioral / human aspects of cybersecurity, such as employee awareness and training programs, act as the most crucial line of defense to enhance your organization’s security posture.
In this blog, we’re going to discourse a few measures which organizations can incorporate to resolve the employee related aspects of information security hazards and uncover the areas which are ignored.
Firstly, to prevent a premeditated attack from happening, what’s the best thing which you can do? Well, give the attacker least chance to ‘premeditate’ or ‘social engineer’. The most convenient way for an attacker to gather information about your employees is through social media or by making casual indiscreet conversations. Taking example of the most recent Twitter hack, the social media platform announced that it might have been a victim of social engineering attack which could’ve further led to the success in hacking the twitter accounts of the high profile individuals and organizations.
An aware employee would limit what his connections can see on social media, and would take extra care about disclosing any personal or professional information in a conversation which might be used to guess his email ID, password, pin, etc. Now, in case the attacker gets past our first barrier and enters the ‘delivery stage’ of the incursion, we can have a cognizant employee ready for the encounter.
Over 60% IT decision-makers deem that phishing attacks are the most trivial way of delivering an attack. Nearly 62% of businesses became victims of phishing & social engineering attacks in 2018. Hackers are using quicker and more advanced technological tools to execute phishing campaigns. It just takes one person to access the phishing e-mail and share the confidential business data of the organization. The best chance we have of winning is by using phishing awareness tools, training, and learning management systems.
HOW CAN YOU ADDRESS THE CHALLENGE ?
Many security companies offer products which can be a pragmatic solution for this headache. Creating an email account where employees can send their queries related to cyber-security or forward suspicious-looking emails for review, can be a complementary control.
In case a malicious attacker somehow makes it to the ‘exploitation / installation’ stage, an effectively crafted user awareness program can be handy there too. Most exploits take advantage of the existing vulnerabilities of the software systems. Employees can be trained and strictly instructed to keep their softwares & operating system patched, firewall running, anti-virus updated and communicating by using a VPN. Specially, the companies who have a BYOD policy or have a work from home culture should abide to these rules, as it becomes the sole responsibility of the employees to keep their device updated. They should also be trained that in case an abnormal behavior is observed in their system, the best way to prevent things from going worse can be by shutting down the system immediately and disconnecting it from the network.
Your employees need to be educated, that more than their systems, they are under the chances of an attack. Minimal precautions like not using generic passwords which can be unraveled easily, password rotation and using multi-factor authentication can go a long way for protecting them as well the organization. A strict clear-screen and clear-desk policy should be in place and must be adhered to by your employees. For critical organizations, an unbiased person can be appointed, who keeps a check whether these policies are followed or not. Levels of actions could be set on misconduct of the policies.
Creative and effective solutions need to be in place to ensure proper awareness in the organization. Maintaining a cyber hygiene is an around-the-clock process. Employee awareness is not a program which tells people to be cowed to check their e-mails.
Also, make sure that your awareness content is measured. Providing safe mechanisms to collect real time data from the users, collecting feedback, assessing behavior change, etc. can be useful for assessing the effectiveness of your program. Mock drills should be conducted on periodic basis for preparing your staff about the incident response plans which the organization has in place.
Moreover, the word of caution would seem more serious if it comes from the higher management of the organization. Coming to the end, I believe one line is enough to synopsis and epitomize this blog: It is your choice to learn it the hard way, or to learn from the evident facts.
WHERE CAN WE HELP
We at ProgIST, have developed a one of a kind cloud platform “ProPhish”.Our offering to train your employees not to fall prey to the cyber-attacks, you can ensure that your first line of defense is well prepared not to get phished. ProPHISH provides threat simulation by recreating real life scenarios. This simulation helps in defining your existing employee awareness levels and basis on that, preparing a plan of action to increase employees’ knowledge levels. We offer ProPhish based Employee Awareness Programme (P.E.A.P) which addresses the key lacunas mentioned in this article. Some of the key features included in the programme are: