[BreachExchange] Create your human firewalls

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 7 19:58:26 EST 2016


http://www.seacoastonline.com/article/20160306/NEWS/160309471

Over the past two weeks, yet another new form of ransomware has been
circulating on the Internet, and multiple companies have fallen victim to
the scheme.

Ransomware is essentially an e-mail socially engineered to appear very
real, tricking you into opening an attachment or clicking a link to bring
malware onto your computer. From there, the malware encrypts your data,
making it inaccessible. The only solution is to restore from a backup or
pay a ransom to the criminals who create these threats to obtain a
decryption key to regain access to your data.

The real issue around these threats is not how well your IT infrastructure
is architected to prevent threats. Company networks with the best
firewalls, anti-virus software and threat prevention systems have still
fallen victim to these threats. This is because they are not only socially
engineered to get a user to do the wrong thing and infect their network;
they are also technically engineered to make their way past the network
defenses by tricking the user, so that they appear to be legitimate traffic
into the network. This is where the concept of the human firewall comes
into play.

I continue to say that you, the user of your computer, are the last line of
defense. You are the human firewall. Like a hardware firewall, you need to
be set up properly to defend yourself, and this is where proper user
education about threats and how to defeat them is critical. In today’s
world, it is imperative that your company have a defined, regularly
scheduled and monitored employee training program when it comes to IT
security.

When designing and implementing an effective training program, consider
this simple example. There are four major forms of e-mail attacks that
target users: phishing, spear-phishing, executive whaling and CEO fraud. In
this example, what each means is not what’s important. If you asked members
of your staff if they know what each of these is and how they differ from
one another, would they know? Most likely not, and this is just one type of
attack vector. There are many others. The key question then becomes: how do
you educate your employees so they know their risks, retain this
information and take proper action when they are attacked? It’s not an if,
it is a when.

When it comes to training your teams about IT security, try to avoid some
of the common mistakes. Don’t stick your head in the sand and hope all will
be well; it won’t. You also don’t want to throw training sessions, videos
or tests at your staff during impromptu breaks or lunch meetings. This type
of training needs to be treated with the same importance as the most
important report you have to deliver to your most important customer.

Develop a comprehensive training program that incorporates multiple aspects
of effective training methods. Combine your program with traditional
methods, effective technology and simulations to demonstrate the types of
risks your employees are likely to encounter. Start with a baseline that
you expect all employees to understand and grow from there. Be sure your
program includes random tests to validate that your staff is retaining this
critical knowledge throughout the year. Be sure to get the buy-in of your
executive team as their support is crucial to the success of this program.
Also keep in mind, executives are a specific target and may need more
specialized training based on threats known to be targeting senior
executives.

The key message is not to rely on technology alone to protect your critical
information. Develop a solid and managed training program that will equip
your employees to be the human firewalls that will allow your company to
avoid falling victim to a breach, hack or theft.