[BreachExchange] 5 Things Your Average Employee Doesn't Know About IT
Destry Winant
destry at riskbasedsecurity.com
Fri Aug 10 09:30:36 EDT 2018
http://it.tmcnet.com/topics/it/articles/2018/08/09/439080-5-things-average-employee-doesnt-know-it.htm
5 Surprisingly Basic IT Truths Your Average Employee Doesn’t Know
When you’ve spent a career working with computers, networking systems,
and the internet, it’s hard to imagine that there are people out there
who know absolutely nothing about the most basic topics and issues.
While merely problematic most of the time, this lack of knowledge –
which is typically more naivety than stupidity – can end up being
quite dangerous. All it takes is one or two slip-ups and a minor
problem can become a major hassle or security threat.
You won’t always know where your employees’ knowledge falls short until
an issue presents itself, but you may be able to get ahead of things a
bit by addressing the following commonly misunderstood topics.
1. Email Attachments Aren’t Always Safe
While less popular now than they’ve been in the past – thanks in large
part to the evolution of social media as the primary platform for
sharing ideas and content – email attachments are seriously
misunderstood.
The average person assumes that, if sent by a friend or colleague, an
email attachment is safe to download. (The same goes for links sent
in the body of an email.) However, as you are well aware, email
attachments are actually one of the common vehicles through which
computer viruses are spread.
Aside from teaching employees common sense – like don’t download a
random attachment from a sender you don’t know – it’s also smart to
educate them on how to identify high-risk situations. For example,
it’s never a good idea to download an attachment with an .exe file
extension unless you’re positive about what it is and where it came
from. Little bits of information like this can prove to be enormously
helpful.
2. Computers Can Spy On You
Most people think that their computers and devices are safe, so long
as they don’t download viruses or browse unsafe websites. But what the
average employee doesn’t know is that an infected computer can
actually be used as a tool for spying.
Whether via an email attachment or some other method of infiltration,
hackers can actually gain access to the cameras on computers and then
use them to spy on unsuspecting users. In the private sector, this
spying is often used for entertainment or sexual exploitation. In the
business world, the spying can reveal trade secrets or serve as a
method for launching a separate attack.
In addition to teaching internet users to avoid high-risk scenarios,
it’s wise to educate them on the basics of covering their cameras.
“Unless you are using video chat or taking photos, your camera should
be covered to protect against hackers and perverts,” InMyArea.com
explains. “If you forgot to cover your camera, be aware of when your
camera light is on. If you are not using a video or photo-based
application even if a window pops up saying your webcam is ‘running
tests,’ this light should not be on.”
This may seem like a minor issue, but it’s becoming much more
pervasive. The better you are at heading off these issues, the fewer
problems you’ll face.
3. Simple Passwords are Easy to Crack
Strong passwords are vital in today’s hostile cyber landscape. The
problem is that very few employees understand the significance (or
know what it looks like to practice good password hygiene). Helping
them understand passwords and how they often set off a domino effect
when compromised will increase your security.
One good rule of thumb is to require employees to change their
passwords every so often – perhaps every 60 or 90 days. You should
also prohibit repeat passwords and require a combination of
characters. At the very least, this will remove the low-hanging fruit
that hackers like to go after.
4. Deleting Search History Isn’t Enough
Most employees think they’re using their computers and other
internet-connected devices in anonymity. What they don’t realize is
that you’re watching. Not in a creepy way, but in a manner that looks
out for the best interests of the company.
Some employees will think they can search for questionable things on
the internet – such as pornography, job offers, or gaming sites – and
then delete their history. What they don’t know is that you still
typically have access to this information.
Let employees know early and often that you can see what’s happening
on their computers. Not only will this hopefully cut down on
frowned-upon behaviors, but it could actually increase productivity.
5. Software and Application Updates Matter
Does your average employee know that the two most likely reasons a
computer or user will get exploited are unpatched software and
some sort of social engineering event where an individual is tricked
into installing something they shouldn’t? In fact, these two issues
account for nearly 100 percent of all risk for a company or one of its
users.
Employees need to know that software and application updates – as
annoying as they may be – aren’t voluntary or insignificant. In fact,
if they don’t install these updates as they come out, they could be
opening the company up to massive risk. The more you drive this idea
home, the more they’ll take it seriously.
The Role of Education in Corporate IT
In a large corporation, the IT department has more responsibility than
it realizes. In addition to maintaining the proper systems and keeping
the company’s network and hardware in tip-top shape, your department
should also be investing in education.
Education can happen in a variety of capacities and formats. Some of
it is very informal, such as making an offhand comment when you
observe an employee do something inefficient or wrong. Other education
is quite formal – often happening in the form of courses, classes,
lectures, tutorials, and/or hands-on training.
How you choose to implement it is up to you, but make sure you
aren’t taking basic information and security practices for granted.
Not everyone has an IT background and certain things that you believe
to be common sense are actually misunderstood by most employees. Think
about this as you develop new and advanced security strategies for
your company.