All digital business involves digital risk, which has traditionally been mitigated using primarily technical controls to address technical attacks, such as vulnerability exploitation. There is, however, always a limit on how much technical security controls, such as firewalls, endpoint protection, application security, and cryptography, can achieve.
For example, exchange of documents with your business partners involves the risk of an attacker crafting malicious documents, pretending to be a business partner, and sending these documents to your end users, resulting in the compromise of their computer, identity theft, and possibly enterprise-wide infection. While we can lower this risk through document authentication, content scanning, and similar methods, these controls are not perfect, and the residual risk is often not addressed.
To address this residual risk, our end users must be enabled to become part of the security architecture. By recognising unusual documents, unusual sending times, transactions with no apparent business reason, and similar signals, they can form a formidable, intelligent defense that outclasses static defenses and artificial intelligence.
Traditional methods of addressing the human aspects of security, such as writing policies on expected and acceptable use, lack the effectiveness of real-world training and actual user testing.
Conscia’s security awareness solutions aim to provide just that: a simple-to-understand user curriculum, and methods to verify user understanding and compliance.
Conscia provides security awareness training and testing solutions that encompass the following:
- A broad catalogue of content in more than 30 languages
- On-demand, cloud-hosted, browser-based learning using interactive modules, gamification, and videos
- Automated assessment of learner content
- The ability to create training campaigns with deadlines
- Simulated attacks (for example, phishing campaigns)
Example topics from the Security Awareness Training curriculum:
- Clean Desk Policy
- Bring-Your-Own-Device (BYOD) Policy
- Data Management
- Removable Media
- Safe Internet Habits
- Physical Security and Environmental Controls
- Social Networking Dangers
- Email Scams
At Conscia we are conscious that, no matter how good the technical solution is, the human aspect will always be the foundation.
Sensitive information on a desk such as sticky notes, papers and printouts can easily be taken by thieving hands and seen by prying eyes. According to the mandates of a clean desk policy, the only papers that should be left out are ones relevant to the current project you are working on. All sensitive and confidential information should be removed from the desk at the end of each working day. During lunch or any emergency departure during office time, all critical information should be placed in a locked desk drawer.
BYOD covers the employees’ personal computing possessions which might be used in a work setting. They may include mobile devices, audio players, digital cameras and various other portable electronic devices which could be utilized to steal sensitive data.
BYODs are also a part of “IT consumerization,” whereby a consumer’s hardware and/or software is brought into the organization. Ensuring the security of devices within BYOD is a daunting task. However, enterprises can achieve it by implementing a proactive security training program. This program should include the following best practices for your employees:
- No mobile device is 100% secure.
- In addition to the devices themselves, the applications allowed on them should also be specified. Many freeware mobile applications are insecure.
- All employees should be aware that their BYODs are monitored constantly and that any malicious activity will alert security management.
- The BYOD policy should require password protection to protect critical data in case of theft or loss. In addition, each device should be updated with the latest antivirus program.
There are numerous types of data (such as a backup copy of customer contracts or a mission statement), and many employees are not aware of this. These employees do not realize the significance of classified data. For example, from a financial standpoint, a backup copy of a customer contract is more important than a backup copy of a mission statement. Employees should learn about all the types of data so that they understand their business criticality.
It is more common than you might think for employees to find a thumb drive or external hard drive in the parking lot, bring it inside and plug it into their computer to see who it belongs to, only to find that the device was planted there to destroy or take over their computer with malware. The secure usage of both personally owned and corporate devices is crucial. Unauthorized removable media can lead to data security issues, malware infection, hardware failure, and copyright infringement.
Your corporate personnel must be educated about the dangers of unsolicited removable media and prohibited from accessing any stray media such as an external hard drive, even on a secured system.
Almost every worker, especially in tech, has access to the Internet. For this reason, the secure usage of the Internet is of paramount importance for companies. Security training programs should incorporate safe Internet habits that prevent attackers from penetrating your corporate network. Below is a list of some safe Internet habits for your employees:
- Employees must be conversant with phishing attacks and learn not to open malicious attachments or click on suspicious links. This is achieved through a deeper understanding of the warning signs of a phishing attack.
- It is better to disable pop-up windows, as they invite risks.
- Users should refrain from installing software from unknown sources, in particular from links that lead to malware. Nowadays, an overwhelming number of websites offer free Internet security programs that infect your system rather than protecting it.
Security awareness isn’t just about what resides in your company’s computers or handheld devices. Employees should be aware of potential security issues originating in physical aspects of the workplace. This includes spatial awareness as well as physical components.
Examples of spatial issues include:
- Visitors or new hires watching as employees type in passwords (known as “shoulder surfing”)
- Letting in visitors claiming to be inspectors, exterminators or other uncommon guests who might be looking to get into the system (called “impersonation”)
- Leaving passwords on pieces of paper on one’s desk
- Leaving one’s computer on and not password-protected when leaving work for the night
- Leaving an office-issued phone or device out in plain sight
Physical security can also encompass physical aspects of the building, from keycard-enabled door locks to locked and secured data banks with regulation fire extinguishers and properly reinforced glass.
Nowadays, enterprises use social networking as a powerful tool to build a brand (locally or globally) and generate online sales. Unfortunately, social networking also opens the floodgates for phishing attacks that can lead your company towards an immense disaster. For example, Facebook shared its users’ data with third-party app developers without their permission. News Corp Australia Network reported on May 1, 2018 that it was not just Facebook: Twitter also sold users’ data to Cambridge Analytica Ltd (CA), a British political consulting firm that was influencing the U.S. 2016 elections.
To prevent the loss of critical data, the enterprise must have a viable social networking training program that limits the use of social networking and guides employees regarding the menace of phishing attacks. In addition, ask your employees not to provide their credentials or login information to unknown sites or to look-alike sites that imitate the original one.
Email scams involve fraudulent and unsolicited emails that claim to offer a bargain for nothing. A scam email lures a user for the free offer, bogus business opportunity, guaranteed loans or credit, easy money, health and diet schemes and so forth.
The security training program of your organization has to include some tips for employees to make them aware of the email scams and educate them about avoiding these scams. Below is a list of tips your employees should know or learn:
- Do not trust unsolicited emails
- Do not send any funds to people who request them by email, especially not before checking with leadership
- Always filter spam
- Configure your email client properly
- Install antivirus and firewall programs and keep them up to date
- Do not click on unknown links in email messages
- Beware of email attachments. If you get one from what looks like a friend, contact them independently to ensure that they sent it
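The tips above can also be turned into a first-pass triage check that runs before a message reaches a user. The following is an added example written for this page, not Conscia's code; the partner domain, the lure wording, the risky extensions and the two sample messages are all constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of business-partner domains (constructed for this example).
KNOWN_DOMAINS = {"partner.example"}
# Attachment types a user should never open straight from mail (example choice).
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".iso")
# Wording typical of "something for nothing" or "send funds now" lures.
LURE = re.compile(r"\b(guaranteed (loan|credit)|easy money|wire|gift card|act now|urgent)\b", re.I)

def triage(msg: EmailMessage) -> list[str]:
    """Return the scam indicators found; an empty list means no tip was tripped."""
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain not in KNOWN_DOMAINS:
        flags.append("unsolicited sender")                 # tip: do not trust unsolicited mail
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        flags.append("reply-to domain differs from sender")  # replies would go elsewhere
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if LURE.search(text):
        flags.append("lure or request for funds")          # tip: do not send funds on request
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if not host.endswith(sender_domain):
            flags.append(f"link to unrelated host {host}")  # tip: unknown links
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment {name}")       # tip: beware of attachments
    return flags

def sample(sender, subject, text, reply_to=None, attachment=None) -> EmailMessage:
    """Build a constructed test message in memory (no network, no real mailbox)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(text)
    if attachment:
        m.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return m

# Two constructed messages: a scam that trips several tips, and a benign partner mail.
SCAM = sample("Payments <billing@partner.example>", "Urgent invoice",
              "Act now: pay via http://pay.bad-host.example/x",
              reply_to="x@freemail.example", attachment="invoice.exe")
LEGIT = sample("Alice <alice@partner.example>", "Minutes", "Notes: https://docs.partner.example/m")
```

Run `triage(SCAM)` and `triage(LEGIT)` to see the indicators per message; a non-empty list is a reason to route the mail to the security team rather than to the user.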
A training session on malware should illustrate malware types and their implications. Malware types should include adware, spyware, viruses, Trojans, backdoors, rootkits, ransomware, botnets, logic bombs and armored viruses. Employees should learn how to identify malware and what to do if their device or network has been infected. The immediate response should be to turn off the system or device and inform the security management team.
A hoax is a falsehood or deception fabricated deliberately to mislead and victimize users. Attackers generally spread hoaxes through email to harm employees.
A hoax email often notifies users about a supposed imminent threat. For instance, a hoax might inform you that your computer will be badly compromised if you do not turn it off at 3 a.m. on Friday the 13th.
A useful training program should teach employees about hoaxes. Instead of trusting a hoax, employees should learn how to respond to it. Only emails that are verified by your security department and relevant to your corporate business should be trusted. In case of any threatening email, immediately alert your IT security department.
Why choose Conscia Security Awareness Training?
You will reap the following benefits using our security awareness solutions:
- Speed of deployment: Based on our cloud LMS, you can start deploying your awareness campaigns immediately.
- Actionable feedback: Based on assessment and tests, you can focus on specific weaknesses of your user population.
- Effectiveness: Based on our experience and tests, our solutions typically reduce your exposure to social engineering by 10 to 15-fold.