What Should IT Security Awareness Training Cover? The Basics of Cyber Attacks
In our last article, we discussed the need for computer security awareness training for employees. In this article, we are taking a look at the topics that a good IT security awareness training program should cover. There are a variety of threats facing a company’s data, from wandering guests who happen upon an unlocked screen to malicious software that holds your data hostage until you pay up.
Some clever schemes involve impersonating an authority figure or repair technician, and some involve fake websites designed to mimic legitimate ones, tricking your employees into giving thieves log-in information. When your business’s data is on the line, you need to make sure your employees have the tools and knowledge to spot and avoid scams, social engineering, and other risks to your computer security.
Locking Computer Screens
One of the simplest ways you can improve your employees’ computer security is by instructing them on how to set timers and lock screens on their computers. This way, if the computer is left idle for the length of time specified, the computer locks and a password is needed to regain access to it. Make sure they understand that they should not set this timer for too long. We recommend setting it for around 10 minutes, 15 at the most, though some businesses in more sensitive fields, such as medical offices and financial institutions, should probably set these timers at around five minutes.
Remember to explain why they should set their computer timers this way, as it will prevent any unauthorized persons from coming across the computer and immediately having access to anything on it.
Phishing
Locking computer screens may be a good way to protect against passive, opportunistic thieves, but phishing is a more active form of cyber attack. Phishing scams are everywhere, and they are typically pretty simple. Most come in the form of emails with embedded links or short-form links that take victims to a site that looks almost the same as the legitimate one they expect to go to.
However, they’re fake, and any login information submitted on the impostor site will be sent to the attackers. This could include your employee portal or other important sites that could do damage to your business if compromised. Imagine if someone in accounting got a message urging them to log into the company’s bank account to verify a transaction, only to log in to a fake. The hackers then know how to gain access to your company’s finances.
Under most circumstances, though, these types of scams tend to be easy to spot and avoid. Misspellings in the e-mail tend to be a dead giveaway, as are generic greetings and requests for information that the sender should already have. Most phishing scams also include ultimatums or threats to urge victims to act quickly and without thinking. Best practice is to type the URL manually into the browser rather than clicking a link, and to always confirm the site is using a secure connection (https) whenever entering login credentials.
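The tells listed above can be turned into a simple triage check that a trainer or mail administrator can run over a suspicious message. The script below is an added example and is not code from the original article: it flags generic greetings, urgency language, links that are not HTTPS, and links whose visible text names one domain while the actual target is another. The sample email, the phrase lists and the domains in it are constructed for illustration.

```python
"""Phishing triage over an HTML email body (added example, not the article's code).

Checks four of the article's tells:
  1. generic greeting ("Dear Customer")
  2. urgency / ultimatum language
  3. links that are not HTTPS
  4. link text that names a different domain than the real href target
The sample message and the domains are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify now", "act now", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "valued customer")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Naive 'example.com' from 'login.example.com' (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(html_body):
    """Return a list of human-readable phishing indicators found in the body."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()

    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            findings.append(f"generic greeting: '{greeting}'")
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency language: '{phrase}'")

    collector = LinkCollector()
    collector.feed(html_body)
    for visible, href in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"non-HTTPS link: {href}")
        # Visible text that looks like a hostname but differs from the real target.
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", visible.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(target.hostname or ""):
            findings.append(f"link text '{visible}' points to {target.hostname}")
    return findings


# Constructed sample: the 'verify a bank transaction' lure the article describes.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>A transaction on your account requires review. You must verify now or your
account will be suspended within 24 hours.</p>
<p><a href="http://examplebank-secure-login.example.net/verify">www.examplebank.com</a></p>
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("-", finding)
```

A message with none of these traits returns an empty list; the checks are keyword-based and deliberately simple, so they are suited to a training exercise or a first-pass filter rather than a substitute for a mail security gateway.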
Baiting
This method of social engineering offers the promise of an item to entice potential victims to offer up their login information. For example, an employee could log into their personal email and find a free movie download waiting for them if they log into a site that seems legitimate – perhaps a store they frequent or something similar. Then, the attackers have their login credentials for that site, and if the victim saved a credit card on that site, the attacker can steal quite a bit of money in a matter of moments.
In a business situation, it’s not hard to see how this could be dangerous. Click baiting (a cliffhanger headline that entices people to click out of curiosity) could lead to malware being downloaded onto an employee’s workstation. And baiting doesn’t have to be online. A USB drive left in a parking lot could entice an employee to, out of sheer curiosity, pick it up and plug it into a workstation. Doing so could allow the USB drive to install malware, ransomware, or keyloggers. As a result, it’s critical that your employees know how to spot and avoid baiting schemes.
Ransomware
Ransomware operates in a number of ways, but the effect is always the same: it locks down your computer, encrypts sensitive files, and/or prevents you from using certain programs (like your browser or email) and demands money in some form or another in order to regain access.
Some of these are more subtle. One example of ransomware could be a seemingly legitimate virus scanner that “has detected a virus” and needs you to “purchase the full version” to get rid of it. You cannot close down the fake scanner and it returns to the scanner screen upon startup. On the other hand, some are much more direct, holding entire data servers hostage until a company pays a large amount of money to regain access. Worse, paying doesn’t guarantee that you’ll regain access, and paying makes you a target for more malware and scams.
The best steps you can take to prevent ransomware are to make sure your employees know not to open email attachments from unknown or unverified sources, to install up-to-date antivirus and anti-malware software on all machines, and to keep all OS software up to date as well. It’s also a good idea to back up important files so that your company information is less susceptible to being held for ransom.
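The "don't open attachments from unverified sources" rule is easier to follow when the risky cases are spelled out. The following is an added example, not code from the article: a small classifier that decides whether an attachment should be blocked, warned about, or allowed, based on executable extensions, double extensions that disguise an executable as a document, macro-enabled Office files, archives, and whether the sender is on a trusted-domain list. The extension sets, the trusted domain and the sample file names are constructed for illustration.

```python
"""Attachment risk classifier (added example, not the article's code).

Returns 'block', 'warn' or 'allow' for a file name and sender address.
Extension lists and the trusted sender domain below are constructed for
this example and would be tuned to an organisation's own policy.
"""
import os

# Extensions that run directly or carry scripts when opened.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                  ".hta", ".jar", ".lnk"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".iso", ".img"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

TRUSTED_SENDER_DOMAINS = {"example.com"}  # constructed: the company's own domain


def split_extensions(name):
    """All suffixes of a file name, innermost first: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    suffixes = []
    base = name.lower()
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return suffixes
        suffixes.insert(0, ext)


def assess_attachment(filename, sender):
    """Return (risk, reason) where risk is 'block', 'warn' or 'allow'."""
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    trusted = sender_domain in TRUSTED_SENDER_DOMAINS

    if final in EXECUTABLE_EXT:
        return "block", f"executable attachment ({final})"
    # 'invoice.pdf.bin': a document-looking name hiding a non-document suffix.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and final not in DOCUMENT_EXT:
        return "block", f"double extension disguises {final} as {exts[-2]}"
    if final in MACRO_EXT:
        return ("warn" if trusted else "block"), f"macro-enabled document from {sender_domain}"
    if final in ARCHIVE_EXT:
        return "warn", "archive may contain executables; scan before opening"
    if not trusted:
        return "warn", f"external sender {sender_domain}; verify before opening"
    return "allow", "document from trusted sender"


# Constructed sample queue of (file name, sender) pairs.
SAMPLE_QUEUE = [
    ("invoice.pdf.exe", "billing@vendor-example.net"),
    ("Q3-report.xlsm", "cfo@example.com"),
    ("Q3-report.xlsm", "someone@outside-example.org"),
    ("agenda.docx", "hr@example.com"),
    ("backup.zip", "hr@example.com"),
]

if __name__ == "__main__":
    for name, sender in SAMPLE_QUEUE:
        risk, reason = assess_attachment(name, sender)
        print(f"{risk:5}  {name:18} {sender:30} {reason}")
```

The classifier looks only at names and senders, which is what an employee sees in the mail client; it complements, rather than replaces, the up-to-date antivirus scanning the paragraph recommends.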
Other Important Ways You Can Train Your Employees to Protect Your Data
There are a number of other security protocols you should train your employees to know and follow to prevent cyber attacks and mishandled information. For example, they should avoid sending large attachments in emails, and they should use blind carbon copy (BCC) when sending emails to a large number of people. This way, employee emails remain secure and easy to read.
Be wary of IMs as well, even within company networks; never assume company IMs are private and make sure not to download anything that you cannot trust or verify. If anything sensitive is required by another employee, it’s safest to transmit it in person rather than online. It is also good to include password protection protocols in your online security awareness training, as well as requiring the use of two-step authentication wherever possible to keep company logins safe.
Ensure the Security of Your Data and Your Company with C1C
There are plenty of other ways you can keep your data and your company safe from outside attacks and intrusions, and C1C is here to help. With our customized access control systems, you can keep unauthorized personnel out of restricted areas, while our specially designed security and CCTV systems monitor activity and provide evidence in the instance of a break-in or other problem. Plus, we offer secure network and data center design services as well as advanced cloud services to back up your system. For more information about our services or a free consultation, call 855-TECH-C1C (855-832-4212) or contact us online.