Getting inside an organisation
Social engineering techniques are fast becoming one of the most popular ways for cyber criminals to ‘get inside’ an organisation. New lures are developed continually, and cyber security awareness training has to keep up with them.
In our previous blog we looked at some of the popular techniques used by hackers to gain access to sensitive business information. They play on human emotion, reasoning and error rather than using technical skills to attack the business. But, are people always the weakest link in the security chain?
Having untrained employees in the workplace is a risk to cyber security. The rise in these types of attacks shows how important awareness training is, and reinforces the need for businesses to create a culture of cyber security in the workplace. Effective and memorable cyber security training focuses on real world examples and situations that employees can relate to, rather than endless PowerPoint slides. Help your employees understand why they are an attractive target for cyber attackers and how to detect suspicious activity.
Training needs to be carried out regularly, especially as new threats arise. Employees can also be quizzed on what they have learned and sent simulated phishing emails, so that the success of the awareness training is measured rather than assumed.
Adopting a standard such as ISO 27001 for information security also gives a business a management system with cyber security at its core, together with the policies and procedures needed to show that the standard is actually being followed.
Cyber security 101
Every business needs a cyber security strategy and an awareness training scheme that is regularly updated. Together these should create a culture of cyber security in the workplace in which spotting and reporting a potential threat becomes second nature for employees.
Even the most simple measures will help to protect online security:
Continuous training – Keep employees up-to-date with all the latest security threats and how to react in certain situations.
Review process – Review the business’s existing processes, procedures and controls often. Test incident management and reporting systems regularly rather than waiting for a real incident. Review user accounts, privileges and permissions regularly too, so that leavers’ accounts and unnecessary privileges are removed.
Multi-Factor authentication – Requiring a second factor on top of a password makes it much harder for an attacker who has phished or guessed that password to get into an account. App-based one-time codes, hardware security keys such as YubiKeys (which resist phishing because the key checks the site it is talking to) and biometrics are the stronger choices; SMS codes are better than nothing, but they can be intercepted or phished along with the password. A VPN limits where sensitive company data can be reached from, which is worthwhile, but it is an access control rather than a second factor in itself.
Emails and attachments – Businesses should have clear policies that unexpected links and attachments are not clicked on or opened until the sender and purpose have been verified, and that anything suspicious is reported. Awareness training should prepare employees for spear phishing, for example an urgent payment request that appears to come from a director, by teaching them to confirm the request through a separate channel, such as a phone call to a known number, rather than by replying to the email.
Passwords – We’ve all been told a thousand times, but password management really is a necessity when it comes to online security. Change default passwords, use a strong and unique password for every account, and use a password manager so that this is practical.
Firewalls – Use a firewall to block any unauthorised access to computers or networks.
Anti-virus & system updates – Anti-virus software should run continuously and its reports should be reviewed, so that an infected computer is found and dealt with rather than left as a threat to the rest of the network. Apply security patches and updates to every computer promptly.
Every business should create a culture of cyber security. The best defence against social engineering attacks is user education combined with layered technical controls that detect and respond to the attacks that get through.