6 Ways to Improve Employee Cyber Security Awareness, for Businesses and Schools

According to Accenture’s Cost of Cyber Crime Study, the average cost of cyber crime in the United States reached $21.22 million per organization last year (compared to $17.26 million the year before). But you can’t depend solely on your IT department for your cyber security. After all, a chain is only as strong as its weakest link. Improving cyber safety means increasing employee cyber security awareness throughout your entire business or school.

Here are the 6 top ways you can get your employees on board to increase engagement and improve employee cyber security awareness.

  1. Education

Do your employees or staff know:

  • Working remotely using an unsecure Wi-Fi connection leaves computers vulnerable to attacks?
  • Using personal, unsecured devices for work can open the door to compromising an organization’s network?
  • What employees say and do on social media can be tracked by cybercriminals and used against them in the workplace?

Chances are, some if not all of those points may surprise some people on your team. Most experts agree that the #1 key to cyber security compliance at a business or school is educating staff on the risks. For example, in addition to the above bullet points, does everyone on your team know how to spot a Phishing email (see our earlier blog post, How to Spot a Phishing Email), or the risks of using a thumb drive (see our post, USB Security Risks: When Flash Drives Become Dangerous)? An educated team, with increased employee cyber security awareness, makes for a more secure organization.

  1. Assign Mandatory Training

Recently we came across an article in Forbes Magazine that recommended, “Employees and management from all industries should be assigned mandatory cyber security compliance training every year.” This requirement can be administered with computer-based training modules and tied into annual reviews. When implementing training you’ll want to ensure executive and management support, a way to measure success, and also consider incentivizing participation (for more information, check out our earlier blog post, We’re Only Human: The Importance of Security Awareness Training.)

You may want to work with an outside partner to implement training, such as Single Path. We’re well versed in educating and training staff in the most up-to-date cyber security best practices.

  1. Establish and Promote Simple Procedures

More often than not, employees are happy to follow procedures as long as they are aware of them, and they are easy understand. Create organization-wide procedures for your team to follow. Make sure they are functional, actionable and simple.

Once you have those procedures in place, figure out the best way to communicate them within the organization. Keep communication friendly, and avoid hard-to-understand cyberspeak. Says Ashwin Ramasamy, co-founder of marketing intelligence company PipeCandy, “We use comic book-like imagery and sci-fi and comic language in posters across the office that reinforces the message without being suffocating.” Choose a method of communication that will resonate with your team.

  1. Encourage Reporting of Incidents

The best-trained employees can still fall for a hacking ploy from time to time, such as opening a file or clicking a link without thinking. Even IT professionals fall for these tricks. But if a user feels foolish for falling for an attack, and are embarrassed, he or she is less likely to report it. Create a reporting system that rewards staff for reporting suspicious messages, and that allows them to share mistakes without penalty or stigma.

  1. Have Employees Manage Initiatives

Rather than protocols created only by management, make cyber security policy an employee-managed initiative. Create a committee with representatives from every department, and make it their responsibility to set procedure, communicate policy and enforce compliance. Department participation, where everyone feels included, helps ensure individual buy-in.

  1. Make Awareness a Part of New-Employee Orientation

Employees expect to learn rules and processes when they start a new job, and making cyber security a part of their new-employee orientation stresses its importance, and immediately lays the groundwork for your expectations. An employee handbook is also a great place to publish protocols and procedures.

Your Employee Cyber Security Awareness Partner

To implement an employee cyber security awareness program it helps to have a proven partner. Single Path has helped countless businesses, schools and other organizations create a robust, living program that connects employees and staff to best practices. We can help you create a functional and effective cyber-threat strategy for your school or business. Single Path Security offerings are extensive, collaborative and modern.

Ask us how to get started!

How to Spot a Phishing Email

Business organizations and schools are under cyber attack. Just this past week, it was reported that the FBI uncovered a phishing email scam aimed at stealing funds from New Jersey state employee online payroll accounts. The emails requested employee login credentials, which the criminals could then use to redirect an employees’ direct deposits. A similar ploy was recently directed at school employees in Atlanta, and the FBI Internet Crime Complaint Center (IC3) has issued a public warning about phishing email payroll fraud.

The Telltale Sign of a Phishing Email

A simple request to confirm login data, such as in the recent New Jersey state employee scam, may seem legit at first glance. Often these emails may seem to come from the organization itself, a vendor or software provider, or another trusted source. Some of these phishing email schemes are amateurish, but others are more sophisticated and harder to detect. Here are some signs an email may not be on the up-and-up:

  • Subject lines that seem “too good to be true.” They probably are.
  • Subject lines that make threatening statements. Common phishing subjects are “Your account is about to close,” or “Final Warning.”
  • Non-personalized, generic introductions. Look for terms like “Hello Valued User” or “Attention Client.”
  • “From” addresses that may be misspelled or misconfigured. For example, the email may come from someone @ “company-corporation” or “cmopanycorporation” instead of “companycorporation.”
  • Direct links. Always go directly to the source rather than clicking on an email link, or hover over the link to check the actual long-form URL, and not the shortened version displayed in the email text. You may be surprised to see where the link is actually pointing.
  • If you’re not sure, follow your gut. A phone call or personal email confirmation to a colleague or vendor may not only confirm if an email request is on the up-and-up, but alert someone their email might be hacked.
  • And in all cases, never open unexpected attachments, which could have viruses or malware attached.

The FBI also suggests, in response to the New Jersey phishing email scheme, these additional precautions:

  • Employees should forward suspicious requests for personal information to the information technology or human resources department of their organization.
  • Ensure that login credentials used for payroll purposes differ from those used for other purposes, such as employee surveys.

Happy NCSAM

This month (October) is the fifteenth annual National Cybersecurity Awareness Month, an annual initiative to raise awareness about the importance of cybersecurity.

There is plenty of information you can find in support of NCSAM, but one report we found particularly helpful was the Cybersecurity Awareness Toolkit for Small and Medium-Sized Business, as published by the Cyber Security Alliance, Facebook and MediaPro. This toolkit includes a great deal of information on how to identify phishing email tactics.

The toolkit also splits organizational emails into three general buckets, with warnings on why these groups may be targets:

General Population Phishing. The best way into an organization’s network is through its employees, especially when their level of alertness to cyber crimes may be uneven.

HR Manager. HR professionals must be particularly wary when it comes to phishing emails seeking personal information, as they are often the keepers of employee tax and health documents.

Executive Phishing. As privileged users, many executives have greater access to an organization’s network, making them particularly attractive phishing targets.

Whether someone is on the top rung or still climbing the company ladder, their awareness of phishing email techniques can make a big difference in the security of an organization.

Phishing, Solved

We recently wrote a two-part blog post on phishing, and the most common techniques hackers are using to steal your information (check out our phishing blog post part 1 and phishing blog post part 2). Among those techniques we described were phishing email schemes, just like those in New Jersey and Atlanta.

No matter what phishing technique is used, everyone always thinks, “It won’t happen to me,” or, “I’m too smart to fall for that.” But even the best of us can make a mistake. So, what do you do when you mess up, or someone at your business or school organization does?

Contact Single Path. At Single Path, we are experts on beefing up your online security to protect your organization from malicious schemes including employee training of best practices, proactive desktop, server and network infrastructure patch management, and the installation of backup protection. We are also experts at helping you rebound from an attack or natural disaster. With Single Path Security offerings you have access to a wide range of collaborative and customized protective services. Let us help you avoid being victimized. After all, falling prey to a phishing email scheme is a mistake, but doing nothing to prevent it from happening may be an even bigger one.

Ask us how to get started!

Owt trap, noitneverp ssol atad fo tra eht dna noitpyrcne (Encryption and the Art of Data Loss Prevention, Part Two)

With cyberthreats on the rise, and hackers becoming more sophisticated, strategies to protect your files are critical—and encryption is a tool too important to ignore. In our last post, we explained the basics and importance of data encryption. Now, we will dive a little deeper into the different types of encryption strategies and options.

Symmetric vs Asymmetric

If you delve into the world of encryption, the two terms you will commonly find are Symmetric and Asymmetric, which are two different encryption methods. Symmetrical encryption is the older of the two. With symmetrical encryption, both parties need the same code to read the same file. This code can be a word or a series of letters. One party enters a code to encrypt the document, and the second party enters the exact same code to open it. Simple, right? It’s like making a copy of the same key. But what if you don’t know the other party? How do you share the code? Do you email it? Send it in the mail? What if that code is intercepted or falls in the wrong hands?

Asymmetrical encryption on the other hand, uses two different encryption keys—one to lock it, and one to unlock it. This is also referred to as Public-key cryptography. One person has a public key, which encrypts the message or file, while the person on the other ends holds a private key—the only key that can decrypt it. With this approach, since the code does not need to be shared, there’s less risk of the key being swiped by someone else.

One even newer form of encryption that is growing in popularity is Elliptic curve cryptography. This is a form of public-key encryption that is practically unbreakable. It’s a complicated subject, and technology information provider Arstechnica does as good of a job as any in explaining how this works but it’s a bit too complicated to get into here and takes advantage of concepts such as Extended Euclidean algorithms.

How do you want to Encrypt?

Encryption can be simple or complex. It can take very little processing power, or quite a bit. You can encrypt everything or only some things. You can encrypt them only some places or every place. Here are the basic options.

  • Full disk encryption (FDE): An entire hard drive is automatically encrypted. This is particularly useful for a laptop or machine that could be stolen. There are intermediate options for disk encryption, as well—folder encryption, volume encryption, etc.—that aren’t quite full-disk encryption, but in between.
  • File encryption: a way to encrypt data on a file-by-file basis. This is helpful for individual files that have to be shared or protected, while others do not.
  • End-to-end (E2E) encryption: This obscures the content of messages while it is in transit, so only senders and receivers can read it. Such encryption is now embedded into platforms like Facebook Messenger and Apple’s iMessage.
  • Encrypted web connections: The familiar ‘https://’ at the beginning of most URLs (along with the small padlock icon) means your web connection is using Secure Sockets Layer (SSL) or transport layer security (TLS) protocols. This means the data you are sharing on that site, such as credit card numbers, are being encrypted.
  • Encrypted email servers: These are email servers that use S/MIME (Secure/Multipurpose Internet Mail Extensions) so they can send and receive encrypted messages, not just simple text messages.
  • Cloud Encryption: Cloud-Encryption software encrypts all data as it is stored on the cloud. It is still completely accessible (and vulnerable) on a computer, but not on the general network.

Key Management and Other Security Needs

As we detailed in our recent two-part posts on phishing strategies (Phishing Part One and Part Two), there are a great many malicious schemes out there, some more clever than others. So, having a solid encryption strategy will only go so far—you also need a system to keep your encryption keys safe. That’s why key management—the process of storing and keeping encryption keys protected but also accessible—is just as important as keeping the data itself safe.

Computer Weekly suggests the following protocols be kept in place:

  • Have one point of contact for cryptography; don’t spread it among operational users.
  • Ensure the central key repository is well protected.
  • Decide whether your outsourcer will have any role in key management, such as key pair generation, recovery of keys and escrow access.
  • Decide whether information security should manage keys as well as encryption policy.

What you need to know

As the data loss prevention experts at Digital Guardian wrote, “Companies and organizations face the challenge of protecting data and preventing data loss as employees use external devices, removable media, and web applications more often as a part of their daily business procedures. Sensitive data may no longer be under the company’s control and protection as employees copy data to removable devices or upload it to the cloud.”

Fortunately, you don’t need to be an expert on encryption and algorithms—you just need a partner that is. At Single Path, we’re adept at providing security offerings and tools for our clients, so that they are prepared for and protected against malicious attacks. We also provide proactive desktop and network infrastructure patch management, Security Risk Assessment, Managed Firewall Services and more. We’ll keep your data safe, and your organization worry-free.

Ask us how to get started!

We’re Only Human: The Importance of Security Awareness Training

The term ‘phishing’ became popular in the mid-1990s. It referred to fishing lures, because hackers used email ‘lures’ to hook passwords and other online information. The ‘ph’ was used instead of ‘f’ because some earlier hackers called themselves ‘phreaks.’ These emails were not usually successful, but the few successes were enough to entice many hackers to jump in.

While most of us are on guard for obvious phishing schemes, the sheer number of them, and their continued evolution, can make it a challenge to always be diligent. In fact, phishing—stealing someone’s online identity or information through email, telephone or text message by posing as a legitimate institution—has grown to be the number one cyber threat today.

In our recent post about Ethical Hacking, we detailed how one hacker called a law firm’s help desk technician posing as a partner and getting key password information in seconds. The law firm was fortunate the hacker was working for them, and didn’t have malicious intent.

Why is phishing so successful? You might say, it’s because we’re only human.

Your technology is only as secure as your people.

While technologies to protect against hacking have advanced at an impressive rate, programs to educate end users have lagged behind. As the Miami Herald reported in late 2016, “Organizational culture and human behavior have not evolved nearly as rapidly as technology. Cyber criminals continue to focus on improving capabilities to deliver malware and attacks that center on tricking individuals into allowing access to systems.”

This technique, called Social Engineering, has been part of most major cyberattacks in the U.S. over the last few years. According to technology firm Globalsign.com, “If you look closely at every reported breach in the past decade, you’ll notice something interesting. Almost every single one made use of phishing or another social engineering technique at some point during the attack.”

The rise of Security Awareness Training

Everyone has received emails that promise to wire some substantial sum, often in the millions of dollars, if only the recipient will provide their bank or personal information. Your immediate reaction may be, “Who would fall for this?” Unfortunately, there are lures that are much more sophisticated than that age-old ploy, and it just takes one mistake from one employee—one infected attachment opened or one link to a bogus website clicked—to put your entire organization’s data at risk. Emails may appear to come from a colleague, or supervisor.

One way to combat these vulnerabilities is with Security Awareness Training. The aim of such training is, as cited in an article from Government Technology magazine, “to condition employees not to click or open anything that looks remotely suspicious … Unlike security training, which focuses on teaching employees and testing their knowledge on a set of rules, awareness training focuses on changing human behavior and making security part of the workplace culture.”

Security Awareness Training is a rapidly growing field, with many resources available for business and organizations. For example, The University of Santa Cruz mandates that all their employees participate in a Cyber Security Awareness course, and the state of Missouri offers a monthly online program in which 40,000 employees participate.

Key factors to consider when implementing a Security Awareness Training Program, per an article from CSOonline.com, includes ensuring executive support, measuring or defining success, and incentivizing participation. Whenever, or however, your organization launches a Society Awareness Training Program, participation from every department is vital.

Get smarter about protecting your organization

In short, your organization’s successful technology security is only as strong as its weakest link, and that may very well be your staff. A well-designed and comprehensive Security Training Program may be instrumental to safeguard your network. At Single Path, we are experts in cyber security, and can design, run and implement a Security Training Program that is sustainable, effective and provides your company a high degree of confidence that your team has the tools in place to help keep your network and data safe. Single Path Security offerings are extensive, collaborative and can include any number of protective services from risk management to data loss prevention protocols. Let us show you how we can help you get smart about security.

Ask us how to get started!