[BreachExchange] The top 5 security tips you must pass along to your staff

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 24 14:58:59 EDT 2016


http://www.bizjournals.com/pacific/how-to/technology/2016/06/top-5-security-tips-pass-along-to-staff.html

Raise your hand if every single member of your organization is supremely
tech-savvy and 100 percent up-to-date with the latest trends and threats
that are out there.

No one?

OK, then let’s talk.

We all know that cyber threats are only increasing in quantity and
sophistication as time goes on. And hopefully at this point we have also
accepted that no business is too small to be the target of these attacks.

Putting the proper technical controls in place to secure your network is a
great start, but your greatest vulnerability will always be your people.
That’s why it’s your responsibility as a business owner to make sure your
staff is educated enough to keep your data safe.

While regular, professional training is ideal wherever possible, you must
at minimum make sure your staff knows to:

1. Use strong, unique passwords

In 2015, despite all of the headlines and hubbub about data breaches, the 5
most popular passwords were “123456,” “password,” “12345678,” “qwerty,” and
“12345.”

Don’t let these be the only thing between hackers and your data. Create
a password policy, and have your IT team help you enforce it across your
network and applications. If there are concerns about memorizing so many
different passwords, outfit your staff with a password manager like
PasswordBox or Dashlane.
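The article says to write a password policy and have IT enforce it, but does not show what enforcing one looks like. The following is an added example, not code from the article or from any product it names: a small Python policy check that rejects short passwords, the commonly used passwords listed above (and trivial dress-ups of them such as "P@ssw0rd2016!"), passwords containing the username, and passwords the account has used before. The blocklist, the 12-character minimum and the account names are constructed for illustration; a real deployment would load a large breached-password list and plug the check into the directory or application that sets passwords.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed sample blocklist: the five passwords the article names as the most
# popular of 2015, plus a few equally weak neighbours. A real policy would load a
# large list of breached passwords instead of this handful.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "welcome", "abc123", "iloveyou",
}

MIN_LENGTH = 12                                   # assumed policy minimum
LEET_MAP = str.maketrans("@$013", "asoie")        # undo '@'->a, '$'->s, '0'->o, '1'->i, '3'->e


def _weak_forms(password: str):
    """Yield progressively simplified forms of the password so that trivial
    dress-ups of a blocklisted word ('Password1!', 'Qwerty2016') are still caught."""
    lowered = password.lower()
    yield lowered
    core = re.sub(r"[^a-z]+$", "", lowered)       # drop trailing digits/punctuation
    core = re.sub(r"^[^a-z0-9]+", "", core)       # drop leading punctuation
    yield core
    yield core.translate(LEET_MAP)                # de-leet the remaining word


class PasswordHistory:
    """Salted hashes of an account's previous passwords, kept only to reject reuse.
    This is a history check, not a credential store: login verification belongs
    to the directory or application, not here."""

    def __init__(self):
        self._entries = []                        # list of (salt, digest) pairs

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))

    def seen(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)


def check_password(password: str, username: str,
                   history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(form in COMMON_PASSWORDS for form in _weak_forms(password)):
        problems.append("is (a trivial variation of) a commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if history is not None and history.seen(password):
        problems.append("was already used by this account")
    return problems


if __name__ == "__main__":
    # Constructed sample: one account that has already used a passphrase once.
    history = PasswordHistory()
    history.remember("marigold-tram-ladder-47")
    for candidate in ["123456", "P@ssw0rd2016!", "alice-is-great-2016",
                      "marigold-tram-ladder-47", "marigold-tram-ladder-48"]:
        verdict = check_password(candidate, "alice", history) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Each rule maps to one sentence of the policy, so the returned list doubles as the message shown to the user. The de-leet and suffix stripping matter more than they look: blocklists are usually checked verbatim, and "Password1!" then passes while being no harder to guess than "password".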

2. Lock their computers when they step away

How easy would it be for someone today to walk into your office, go up to a
computer, and access sensitive, proprietary information from your network?
To make changes? To send bogus emails?

According to the International Facility Management Association, around 70
percent of offices today have open floor plans. So, chances are it wouldn’t
be all that difficult. Train your staff to lock their machines every time
they leave their space — even if it’s only for a moment — and set a central
information technology (IT) policy to automatically lock machines after
inactivity as backup.

3. Call to verify suspicious emails

Email spoofing has cost businesses nearly $750 million between October 2013
and August 2015. Just this April, my chief operating officer received a
message from my email address requesting he wire nearly $20,000 to a bank
account in Missouri.

We can no longer take for granted that an email is truly coming from its
apparent source, and we must approach any email that feels even the
littlest bit “off” with serious caution. In this example — besides the fact
that I would never request a wire transfer — the very formal, very
uncharacteristic “kind regards” in the email signature was a dead giveaway
that the message was forged.

Before clicking attachments, links, or sending any money or sensitive
information, your staff should know to call the supposed sender to verify
that the original message is legitimate. (And make sure your team members
accept these calls graciously so as not to discourage the practice.)

4. Turn their machine off immediately if they’ve been compromised

If you aren’t able to prevent an attack in the first place, the next best
thing is to stop it from spreading to the rest of your network.

If ever a staff member suspects that their machine is infected with any
kind of malware, be sure they know to (1) shut their machine off, and (2)
call your IT team. The more time you lose to panic or confusion, the more
time that malware has to infect the rest of your environment.

5. Save their files where they’ll be backed up

Does your backup system touch every staff member’s local drives? Their
desktops? Network drives only?

Check with your IT team to see where your staff should be saving their
files, and discuss this with every staff member as part of their
onboarding. Remember: Backups are your only defense if you’re hit with
ransomware, or if disaster strikes.

These are simple practices, but they won’t be top-of-mind unless you
incorporate them into your standard training routine and your corporate
culture. Your IT team should be able to help you with this, too.

Above all, don’t let the fate of your company’s data rest on assumptions
and good intentions. The risk is far, far too high.