[BreachExchange] It’s coming from INSIDE THE HOUSE: 12 steps for your employees to become cyber-aware

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 10 20:30:53 EDT 2017


http://www.ohioemployerlawblog.com/2017/10/its-coming-from-inside-house-13-steps.html

Do you remember the movie When a Stranger Calls?

The movie opens with a babysitter receiving a telephone call from a man who
asks, “Have you checked the children?” She dismisses the call as a
practical joke, but as they continue, and become more frequent and
threatening, she becomes frightened and calls the police. Ultimately, she
receives a return call from the police, telling her that the calls are
coming from inside the house.

(Cue ominous music)

October is National Cyber Security Awareness Month. And, according to one
recent study, employee negligence or other error is the cause of 41 percent
of all data breaches. Your data breaches are coming from inside your house.
The question is: what are you going to do about it?

Here are 12 suggestions to help make your employees cyber-aware.

 1. Safeguard Data Privacy: Employees must understand that your privacy
policy is a pledge to your customers/vendors/etc. that you and they will
protect their information. Employees should only use data in ways that will
keep customer identity and the confidentiality of information secure.

 2. Establish Password Management: A policy mandating complex passwords,
changed regularly, is required for any workers who will access corporate
resources.

 3. Consider Two-Factor Authentication: Consider requiring multi-factor
authentication, which demands additional information (e.g., an additional
pass-code delivered to a designated secondary device) beyond a password to
gain entry.

 4. Govern Internet Usage: Each organization must decide how employees can
and should access the internet, a decision that balances employee
productivity against corporate security concerns.

 5. Avoid public and other unsecured wifi: An open wifi system is no
different than an unlocked house. Just as you would not leave your house in
the morning with the front door wide open, don’t leave your network exposed
by using open wifi networks.

 6. Manage Email Usage: Many data breaches result from employee misuse of
email, which results in the loss/theft of data or the accidental
downloading of viruses, malware, or ransomware. You need standards on the
use of email, message content, encryption, and file retention. Moreover,
do not forget to train your employees on how to detect and deflect phishing
attempts—a cyber-criminal impersonating a trustworthy source in order to
steal credentials or place malware on a system. Nearly 40 percent of all
employees report opening a suspicious email. “When in doubt, throw it out”
is a refrain you should drill into your employees’ heads.

 7. Establish an Approval Process for Employee-Owned Mobile Devices:
Ownership of smartphones has reached a critical mass. A “Bring Your Own
Device” program is no longer an option, but should be required. If
employees are going to bring personal devices into the workplace, and use
them to connect to your network, you need to deploy reasonable policies to
govern their use and protect your network and security (including the
ability to wipe clean a lost or stolen device), instead of ignoring the
issue or instituting prohibitions that employees will ignore anyway.

 8. Limit removable media and cloud storage: Removable and cloud storage
limit your control over the portability of your data. If you need portable
data, limit your employees to company-approved solutions that you can
monitor and control.

 9. Watch Social Media: All users of social media need to be aware of the
risks associated with social media. Social media presents a real risk of
corporate breaches of confidentiality. It is easy to tell your employees,
“Think before you click.” Yet, 76 percent of the Inc. 500 lack a social
media policy for their employees, and 73 percent of all employers conduct
no social media training. If you aren’t educating your employees about the
risks and benefits of social media, both in and out of the workplace, you
are not only missing a golden opportunity, but you are also leaving yourself
exposed to breaches of confidentiality and other snafus.

10. Oversee Software Copyright and Licensing: Software usage agreements
oblige organizations to adhere to their terms, and you should make
employees aware of any software use restrictions. Also, employees should
not download and use software that has not been reviewed and approved by
the company (some of which could expose the company to viruses, malware, or
ransomware).

11. Terminating employment means terminating access: Employees must be
reminded that at the end of their employment, devices must be returned
immediately, or, if it’s an employee’s BYO device, it will be wiped clean
of all company information.

12. Report Security Incidents: Finally, all of the above goes out the
window if your employees do not know and understand when and how to report
a security breach (including lost or stolen devices), and how and when to
report malicious viruses, malware, or ransomware in the event it is
inadvertently imported. All employees must know how to report security
incidents and what to do to mitigate any damage.

Data breaches are not an if issue, but a when issue. You will be breached;
the only question is when the breach(es) will occur. While you cannot
prevent a data breach from occurring, you can and should train your
employees to shore up any knowledge gaps that further widen the risk they
inadvertently pose.