We recently published a white paper exploring the best ways to mitigate your risk of becoming a ransomware target.
However, if you’re an IT master, you’re probably already familiar with a good chunk of our recommended practices (we still think you should check it out though). The real challenge, you’re thinking, is not implementing firewalls, disabling PowerShell, etc. The real challenge is getting the ordinary user to act like they have half a brain when it comes to using company tech.
Yes, malware’s greatest advantage is the victim’s own employees. IBM reports that company insiders were responsible for 60 percent of all cyber attacks in 2015. Just look at the damage that one individual dealt to medical-testing facility LabMD: “Upon investigation, the company discovered the unwitting culprit: an employee had downloaded a peer-to-peer sharing program… of course, the means for sensitive client data to leave the network” (source).
Now, if it seems obvious that using a p2p program on your company network is a bad idea, take a moment to grasp the fact that you’re in the minority. The common user will rarely exercise the same vigilance against malware as an IT professional, but there are simple steps to promote information security awareness across the workplace.
Let Them Know The Stakes
Many employees won’t use caution simply because they don’t have a clear understanding of what’s at risk. Educate your team on exactly what they are responsible for protecting and the real world consequences of failing to do so, be it payment card info, personal records, intellectual property, or other kinds of valuable data.
Promote Active Caution
If it looks fishy, don’t click. There’s something to be said for simply maintaining an active suspicion of the many sites you’ll visit online. After all, the Internet is a big place that’s full of strangers, and you shouldn’t accept gifts from them any more than you should accept candy from strangers at the bus stop. Teach your staff the signs of a malicious site, but also remind them that even reputable websites can be compromised:
• Request for personal info
• Too-good-to-be-true deals or prices
• No signs of real world existence (contact info, address, work hours)
• Appended domain names (e.g. www.google.malware.com, where the site actually belongs to malware.com, not google.com)
• Redirects from the original URL
• Bad grammar or spelling
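The “appended domain names” sign above is easy to state but easy to get wrong by eye, because the brand name the user recognises can sit anywhere in the hostname while the part that decides who owns the site is only the last couple of labels. The check below is an added example written for this article (it is not code from the original post or from any product); it goes slightly beyond the single www.google.malware.com case by also catching brand names hidden in a hyphenated label or in the user-info part of the URL. The trusted-domain table and the short public-suffix table are assumptions for the example.

```python
"""Flag URLs whose hostname merely *contains* a trusted brand name.

Constructed example: http://www.google.malware.com/ has "google" in a
subdomain label, but the registrable domain (the part the site owner
actually controls) is malware.com, so the URL is a lookalike.
"""
from urllib.parse import urlsplit

# Brands and the registrable domains we trust for them (assumed list).
TRUSTED_DOMAINS = {
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}

# Tiny stand-in for the Public Suffix List; a real deployment should use the
# full list. These three entries are an assumption for the example.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the owner-controlled domain: the last two labels, or the last
    three when the public suffix itself has two labels (example.co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL.

    'lookalike' means a trusted brand name appears in the hostname labels or
    in the user-info part (user:pass@host), but the registrable domain is not
    one the brand actually owns.
    """
    # urlsplit needs a scheme to separate host from path; default to http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # lower-cased, port stripped
    userinfo = (parts.username or "").lower()

    all_trusted = set().union(*TRUSTED_DOMAINS.values())
    if registrable_domain(host) in all_trusted:
        return "trusted"

    labels = host.split(".")
    for brand in TRUSTED_DOMAINS:
        # Brand in a subdomain or hyphenated label: google.malware.com, google-login.com
        if any(brand in label for label in labels):
            return "lookalike"
        # Brand placed before '@' so it shows first in the address bar
        if brand in userinfo:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/",
                   "http://www.google.malware.com/login",
                   "http://paypal.com@malware.com/",
                   "https://example.org/"):
        print(f"{sample:45} -> {classify_url(sample)}")
```

The important design choice is that trust is decided only by the registrable domain, never by whether a familiar word appears somewhere in the URL; everything else in the hostname is just a label the attacker chose. Using the real Public Suffix List instead of the three-entry table is the one change needed before relying on this in production.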
It’s critical for your team to be heedful of common social engineering techniques like spear-phishing and whaling. Overall, they should be suspicious of anyone trying to establish trust with them online.
Be Mindful Of Physical Security
Protection of physical hardware is just as important as the actions taken in the virtual world. As a general rule you shouldn’t leave your computer unattended if you can help it, but there are plenty of ways to ensure no one gains access to your machine while you are away or after hours. A few of many: timed desktop locks, multi-factor authentication, and simply making sure the office is locked when the last person leaves. And for the love of god, don’t use the flash drive that you found lying in the parking lot.
Have a Good Security Policy and Enforce It
This is an obvious one, but its importance cannot be overstated. In many businesses, a policy is forgotten immediately after it’s signed, so require some sort of acknowledgement beyond just a signature to make sure staff have actually processed the information. A good policy is critical to an effective security plan; it will:
• Define what information security means at your business
• Include clear and concise expectations of staff
• Describe clear and appropriate discipline for offenses
• Meet industry security compliance standards
• Encourage good practices in personal use
Remember to lead by example. Upper management and brass need to follow the same rules; a policy will quickly lose its meaning if staff don’t see it enforced at all levels. An effective policy starts at the top.
Your employees should be crystal clear on the difference between what is policy and what is a recommendation, and you must actually enforce the policy. On the flip side, it’s equally important to reward compliance in whatever form praise may take at your business.
We could go on forever on how to make the common user more aware of the dangers of unprotected tech, but the points above will hopefully help you sleep a little sounder at night. If you’d like to read our free white paper on preventing ransomware, it’s available here.