[BreachExchange] The 10 Essential Cybersecurity Training Issues for Your Employees

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 16 19:26:50 EDT 2016


http://www.workforce.com/blogs/3-the-practical-employer/post/21935-the-10-essential-cybersecurity-training-issues-for-your-employees

Do you know what the biggest threat is to your company’s cybersecurity?
I’ll give you a hint. It’s not the middle-aged man in a recent John Oliver
video I posted.

It’s your employees. Cyber attacks target the weakest link, and more often
than not that weak link is your employees.

According to CFO magazine, nearly half of all data breaches result from
careless employees. Whether it’s an employee using a company-issued laptop
on an unsecured Wi-Fi network, or an employee losing a password-unprotected
iPhone, your employees present the greatest risk to the security of your
company’s network and data.

What can you do about it? Train your employees. They need to understand the
risk of their carelessness, and the steps they can take to mitigate that
risk.

Here are 10 issues about which you should be training your employees right
now to limit your company’s cyber exposure.

1. Passwords are mandatory, and must be strong. Employees generally resist
having to enter a four-digit PIN every time they turn on their
iPhones. The iPhone’s recent fingerprint scanner makes this process
relatively frictionless. Your IT, legal, and risk management departments,
however, should require them, since they make it that much harder for
someone to access data on a lost or stolen device. If your organization
deals in confidential information (e.g., doctors, lawyers, etc.), this
requirement is that much more important (and might be mandated by law).

2. Manage email and attachments. Do your employees know not to open
attachments from unknown sources? Even the best and most up-to-date
security software will miss some viruses and malware. Your employees must
understand not to open any attachments unless they can 100 percent verify
the authenticity of the sender.

3. Fear phishing emails. Do your employees know how to recognize an
attempted phishing attack — a cyber-criminal impersonating a trustworthy
source in order to steal credentials, or place malware on a system? Nearly
40 percent of all employees report opening a suspicious email. “When in
doubt, throw it out” is a refrain you should drill into your employees’
heads.

4. Limit removable media and cloud storage. Removable and cloud storage
limit your control over the portability of your data. If you need portable
data, limit your employees to company-approved solutions that you can
monitor and control.

5. Avoid public and other unsecured Wi-Fi. An open Wi-Fi system is no
different than an unlocked house. Just as you would not leave your house in
the morning with the front door wide open, don’t leave your network exposed
by using open Wi-Fi networks.

6. Report lost or stolen devices immediately. IT must have the ability to
remote-wipe a missing mobile device. Guess what happens, though, if an
employee’s first call upon losing a phone is to their mobile carrier? The
carrier turns off the device, and your organization loses the ability to
remote wipe any data from it. Employees should be told that if they lose a
mobile device, their first call should be to IT so that the device can be
wiped of any corporate data.

7. Limit apps and programs. Ban the installation of apps other than from
the official iTunes App Store or Google Play, and limit software
installations to approved programs. This will limit the risk of the
installation of viruses, malware and other malicious code on the devices.

8. Back up everything. In the event of a cyber attack that shuts down or
kills your system, you need to have the ability to restore from ground
zero. You cannot do this unless you routinely back up everything.

9. Think before you post. Social media has irrevocably blurred the line
between public and private. This evisceration, however, does not mean that
your employees need to share everything. In fact, the more they share, the
easier it will become for a phisher to gain trust, and, therefore, access.

10. Terminating employment means terminating access. Employees should be
reminded that at the end of their employment, devices must be returned
immediately, or, if it’s an employee’s BYO device, it will be wiped clean
of all company information.

Data breaches are not an if issue, but a when issue. You will be breached;
the only question is when it will occur. While you cannot prevent a data
breach from occurring, you can and should train your employees to shore up
any knowledge gaps that further increase the risk they inadvertently pose.