A lack of employee education, overlooking patch management and flouting security processes are leaving business vulnerable and posing a threat to network security and data protection. According to a government survey, nearly half of businesses in the UK have fallen victim to cyberattacks or security breaches in the last year[1]. Of these breaches or attacks, the most common involved fraudulent emails, attempts by scammers to impersonate the organisation online and viruses or malware. With many of these forms of attack seeming fairly rudimentary, it makes us question how many of the fundamental principles of cybersecurity businesses are ignoring. It is vital that IT managers address these issues, begin to re-educate employees on security procedures and reintroduce some of the basic principles of cybersecurity.
Considering one of the most common forms of cyberattacks is from fraudulent emails or phishing scams, it seems that many businesses have lost sight of the more common-sense practices that enhance cybersecurity. Therefore, it is necessary to re-educate employees on issues as basic as not opening spam emails or clicking on untrustworthy links. Tightening email spam filters and establishing a blocked senders list can take some of the impetus off employees, however it is important everybody is clued up on best practices and the risks to your business if these rules are flouted. Implementing best practices such as not opening emails if the recipient is unknown and not downloading files or clicking on links from suspicious sources are simple but effective.
It isn’t just employees in general who could benefit from re-education, in fact some IT departments would also profit from updating gaps in their knowledge and reassessing security procedures. In some instances, consultation from external IT professionals can be beneficial to get an overview of the company’s vulnerabilities and shortfalls in approaching cybersecurity. This shouldn’t be seen as a slight on IT managers, but rather as an opportunity to get a second opinion and find scope for improving existing policies.
Patch management is one of the procedures IT managers should place an increased emphasis on. In recent years, there have been many attacks which have exploited unpatched or out of date systems, highlighting the necessity to keep on top of this issue. Fortunately, developing a patch management process can be a fairly low budget, but highly effective way to stay on top of software updates and ensure the you don’t fall foul of unidentified vulnerabilities. There are several points to address as part of your patch management process, including having an accurate inventory through which you can identify which devices need to be updated when patches become available or indeed those that are obsolete and no longer have patches available. Once this in place you should consider developing a testing procedure, assign ownership of the process to individuals and document which patches have become available and when they have been deployed. Patch management should also be extended to mobile devices used for business, encouraging employees to activate update alerts immediately, rather than delaying.
Mobile device security on a whole is an issue IT managers should be taking more seriously. People now carry around more data on their mobile devices than ever before with many using personal devices for work emails and tasks. Fortunately, there are several methods IT managers can educate employees on to keep both company and personal mobile devices secure. Discourage employees from ‘jailbreaking’ devices as it will make them more susceptible to malware. As devices used for business often contain sensitive or confidential data, it is important to have a strategy in place should the device get into the wrong hands. All mobile devices should be installed with a wipe function which will enable all data on the device to be wiped remotely should it get lost or stolen and data should be automatically erased after a set number of password attempts to discourage hackers. Finally, anti-virus software should also be installed on mobile devices used for business, particularly Android devices. These policies are easy to implement and should be continually enforced in order to avoid the risk of data losses.
For IT managers, taking a closer look at the minutiae of cybersecurity and re-educating employees on simple but often overlooked procedures they can follow can mean the difference between secure networks and data and a business that is vulnerable to threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.