This might be hard to believe, but it is true: 59 percent of data breaches are happening not because of some smart hacker who wants to do harm to your company but because of your own employees.
In order to stop these incidents, you have to focus on two things (other than investing in new technology): set your internal processes and procedures correctly, and train your employees and make them aware of the security threats. In this article, I’ll focus on the second issue, which topics to include in your security training and awareness program.
The suggestions below are applicable regardless of whether your employees are using smartphones or computers, or if they’re using their own devices or company equipment.
Of course, your employees must use complex passwords, and must never tell these passwords to anyone.
This is because if their computer, laptop, smartphone, or any other device gets stolen, not only will the thief control all the data on this device – he will also be able to penetrate your company network and create havoc with your company data.
The best practice is to use special software called password managers because with such software, your employees will need to remember only one complex password, while the password manager will remember all the others. And the good thing is that one and the same password manager can be used for all the employee’s devices.
Further, for most important services like email and file sharing, your employees should use even more advanced techniques like two-factor authentication – such techniques are available for free these days from most of the cloud providers, and offer a higher level of security, even if the passwords get compromised.
These two-factor authentication systems can work together with a phone (by sending a text message to a legitimate user) or with special USB keys – without them, access to the account would not be allowed.
2) Network connection
Unfortunately, wireless connections have proved to be very unsafe. For example, your employees should avoid Bluetooth whenever possible because it has proved to be the easiest to break.
Public Wi-Fi networks are often not much better – hackers set up such networks in public places, claiming to be legitimate providers, with the purpose of gaining access to users’ Internet traffic. In this way, they can access all the passwords and other sensitive information. Therefore, one should be very careful which network to connect to.
If the home or office Wi-Fi network is used improperly, it can also be the cause of a security breach – again, the passwords at the router must be complex enough, and WPA2 encryption should be set.
The connection to the Internet through the mobile telecom provider (i.e., 3G or 4G) is considered to be the most secure wireless connection, but it is very often the most expensive. Of course, using a fixed line is more secure than any wireless connection.
There is one method that makes the communication much more secure at a relatively low cost: using the VPN service. This is a method where all the data that is transmitted is encrypted before it leaves the computer, so this is probably the best way to keep it safe.
3) Access to the device
Your employees should never provide access to their device to anyone else; OK, in some cases they will want to allow their spouses or children to access their computer for, e.g., playing games or shopping. But, in such cases, they should open a separate account on their operating system to allow this person to access the computer; such account may not have administrator privileges because then they will be enabled to (unintentionally) install malware.
Allowing someone to access the same account on a computer is a huge security risk. This person doesn’t have to do anything malicious – it is enough that they delete a couple of your files by mistake, or run some program that is not to be touched.
4) Physical security
Mobile devices, including laptops and smartphones, are the ones that are very often the target of thieves not only because they want to resell the device but also because they know the data on those devices can be far more valuable.
So, here are a couple of tips on how to protect a mobile device:
- Mobile devices should never be left in a car.
- They should be never left unattended in public places like conferences, airports, restrooms, public transport, etc.
- The devices should be kept with the user the whole time, or stored in a facility with no public access – e.g., a room or an office that is locked when no one is present.
5) Data encryption
No matter how careful your employees are, a laptop or a smartphone can still get stolen. This is why you should ask them to protect all of their data (or at least the most sensitive) with encryption. This is still not easy with smartphones but this feature is included in most computer operating systems – it just needs to be turned on.
Since most of the data is now transferred or archived through the cloud, encrypting such data also makes sense. Most cloud providers claim they do encrypt the data in their systems; however, it might be better to encrypt the data before it reaches the cloud – you never know how much the cloud provider can be trusted.
If data is lost, and everything else fails, backup is usually the last resort. In many cases, backup has saved not only days but also months or years of someone’s work.
So, make sure your employees have the right backup system in place (very often a simple cloud service will do), but also that the backup is updated regularly. One word of caution: having a backup system means that data is stored in at least two places – e.g., on a computer, and in the cloud. This means that keeping the data only in the cloud doesn’t constitute a real backup.
7) Software installation and patching
First of all, you should provide a list of allowed software to your employees, and allow the installation of only that software onto the devices that are used for business purposes. Very often, there are some games or utility software that are offered as free downloads on the Internet, only to be discovered later that they were used by hackers to inject viruses onto your employees’ computers with the purpose of extracting information.
Unfortunately, the approved software will also have security vulnerabilities, allowing malware to be installed on the device – this is why it is crucial to install all the security patches as soon as they are published. The best would be to ask your employees to set the updates to be installed automatically.
8) Basic security “hygiene”
There are some security practices that should be considered as normal, for instance:
- Your employees should install anti-virus software, and enable its automatic updating.
- The firewall on the computer should be turned on, and the traffic that is allowed should be chosen very carefully – only the applications that are trusted should be allowed to communicate with the Internet.
- Links in emails should be clicked very carefully – some links might take your employees to infected websites, and it is enough for a visitor to spend a fraction of a second on such a website for a virus to penetrate the computer.
- Similarly, surfing the Internet on suspicious websites should be avoided – as explained, some of the websites are developed with the sole purpose of spreading malware.
- Transferring data with USB flash drives should be avoided – they are the easiest way to infect a computer with a virus, because it is very difficult to stop such a malicious program once the device is physically connected to the computer.
Invest wisely in your security
No matter how you train your employees and how you make them aware of security, remember the most important thing: simply purchasing the new technology won’t increase your level of security. You also have to teach your people how to use that technology properly, and explain to them why this is needed in the first place. Otherwise, this technology will only become what business owners fear the most—a wasted investment.
About the Author: Dejan Kosutic leads the 27001Academy.com team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits and books.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.