Why employees are your number one risk

In more than 15 years of responding to security incidents large and small, the actions of a user have contributed to the overwhelming majority of incidents I have been involved with.

As we know, human error is one of the most common causes of compromise, and users' actions can circumvent almost every security control you have invested in. Because a data breach is arguably the greatest threat a business faces, security awareness training is critical to prevent your users from being your number one risk.

We’ve watched big name companies pay millions of dollars in settlements after security breaches and lose customer confidence. The most notable of these hacks, from a credit card perspective, were Target in 2013 and Home Depot in 2014.

When retail giants are hacked, we’re suddenly all aware that it could happen to us, too. If hackers can take down a business that large, what can’t they do? We worry for a while, and soon we forget. That is when we let vulnerabilities slip through the cracks.

Unfortunately, hackers are waiting for exactly that moment. Once we let our guard down, they know it: they can send a phishing email, find a vulnerability, or use brute-force or password-spraying attacks against your passwords.

List of Quick Defenses

To keep your company safe from opportunistic and targeted attacks, we have compiled a list of quick defenses.

1. Enable two-factor authentication.

An added layer of security is always a plus. Two-factor authentication consists of two different forms of identification. A factor can be:

  • Something you know (a password, PIN, or security question)
  • Something you have (a phone, key fob, or card)
  • Something you are (a biometric factor such as a fingerprint or voice recognition)

This second level of authentication strengthens any login and gives you more peace of mind.

2. Use a VPN.

A VPN (virtual private network) is a great way to avoid possible attacks while using public Wi-Fi. The network acts as an intermediary, protecting your data and changing your IP address. You’ll browse on public Wi-Fi without fear of hackers using the opportunity to steal your information.

VPNs are ideal for employees who work remotely or travel frequently. VPNs come in free and paid versions. Take the time to research the one that best fits your company’s needs.

3. Install security updates.

Without fail, security update windows pop up right in the middle of that important project you’re working on. The remind-me-later button is nearly a reflex, making sure it doesn’t slow you down. After all, you’ll remember to update when you’re done. Won’t you?

We’re all human. Unfortunately, that means we’re all forgetful. When the pop-up comes back, we’re in the middle of something important again, and the cycle continues.

Your computer’s security, and ultimately your company’s security, depends on simple vulnerabilities being patched. A hacker could take the most insignificant vulnerability and turn it into a serious security incident.

Take a moment to save your work and install the update.

4. Use strong, varied passwords.

This may be the simplest of the five recommendations. A strong password helps protect you from hackers guessing your credentials. We tend to use passwords that contain words easily found in a dictionary or maybe our pet’s name. That’s understandable, because we like to choose something we know we’ll remember.

Just as it makes the password easy for us to remember, this method makes it even easier for a hacker to guess your password and access your personal and work information. Even worse, if they guess that password and you use the same one across multiple accounts, they now have easy access to a great deal of information.

5. Train your employees.

The question is not “Will your employees get hacked?” but “When will your employees get hacked?” While employee actions can circumvent almost every security control you have invested in, security awareness training is critical to prevent your employees from being your number one risk. Users are often the last line of defense in a network, and there is no patch for people wanting to be helpful or wanting to do the right thing.

In this podcast, I explain why ongoing employee security training is crucial to ensuring employees know how to spot a hacking attempt and, ultimately, to protecting your organization from potential cyber attacks.

Listen to my Podcast Now 

Key takeaways: 

  • Why employees often do not realize how important they are in the process
  • How not enabling multi-factor authentication on remote access to email allows hackers to easily access employee email accounts
  • Why 91% of cyber attacks start with a spear-phishing email
  • The importance of setting strong passwords for employees
  • Why backing up data is a necessary defense against cyber attacks

Subscribe to the Cybersecurity Sense Podcast on iTunes. 

HITECH Answers article: “How Your Employees Get You Hacked”

The HITECH Answers article covers some very good points of conversation to help support (or gain support) for your user awareness training initiatives.

  • Being lazy—Employees often feel that it’s not their job to worry about security, or that IT will protect them. Unfortunately, they often do not realize how important they are in the process. Many organizations lack sufficient IT security resources, especially the capability to respond to more sophisticated attacks from nation states. Employees need to know they are the target for cyber-criminals seeking to obtain sensitive information. Therefore, it is their responsibility to help the organization identify and thwart these attacks.
  • Unprotected email—Email hacking remains one of the most popular cybercrimes, with millions, even billions, of stolen emails, and the associated email credentials, for sale on the dark web. Recent attacks, such as the DNC, quickly come to mind. Employees often do not have multi-factor authentication enabled on their remote access to email, allowing hackers easy access to those email accounts if they have the stolen credentials. This is one of the most prominent attacks we are currently seeing in our incident response practice. Once a hacker is in that email account, they have free access to any data that may be stored in the account, including personally identifiable information (PII), credit card data, and additional log-in credentials, as well as the ability to send “trusted” email from that account to others to continue the attack into other organizations. Multi-factor authentication is available on most popular email platforms. With multi-factor enabled, a code is sent to the employee’s phone, so a cyber-criminal holding only the stolen password cannot access that email account. Outlook Web Access is one place where I strongly urge you to consider implementing multi-factor.
  • Phishing emails—According to the cybersecurity company PhishMe (now Cofense), 91% of cyber attacks begin with a spear-phishing email. In these phishing emails, hackers design the email to look authentic so the employee thinks it is coming from the real source it claims to be, and sometimes it actually does come from a legitimate source. These phishing emails may appear to come from credible companies’ customer support departments, such as Microsoft or Google, or even from their boss or a co-worker. In many cases, once an employee falls for a phishing scam, their computer or mobile device is infected with malware, or they hand their corporate credentials to the attacker.
  • Lousy passwords—SplashData reports that the most commonly used password is currently 123456. Not only is this an extremely weak password, but people often reuse their easy-to-crack password across multiple sites and accounts, as well as sharing them with co-workers. One part of almost all our penetration tests is to use password spraying: gathering usernames and slowly trying common passwords for each, avoiding detection. Why do we do this? It often bears fruit.
  • No backup—There’s a good possibility that at least one employee in your company isn’t backing up the data he or she is supposed to be, which is a major problem. This is mainly due to important data being stored locally on mobile devices. Not only is there a risk of losing files to technical problems; losing those files to cyber-criminals is also dangerous. During a ransomware attack, a cyber-criminal locks the user out of their account and denies them access to their files unless a ransom is paid. Even after the ransom is paid, there is no guarantee the files will be returned to the user, making backup files crucial.
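
As an added defender-side illustration (not code from the article or from LBMC), the spraying pattern described under “Lousy passwords” can be told apart from a conventional brute-force attempt by counting distinct usernames per source rather than attempts per account: a spray stays under each account’s lockout threshold but touches many accounts from one place. The log lines and the field format `src= user= result=` are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article).
# 203.0.113.7 tries one common password against many users (spray),
# 198.51.100.9 hammers a single account (brute force),
# 192.0.2.20 is an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T08:00:01 src=203.0.113.7 user=alice result=FAIL
2024-03-01T08:14:09 src=203.0.113.7 user=bob result=FAIL
2024-03-01T08:31:44 src=203.0.113.7 user=carol result=FAIL
2024-03-01T08:47:12 src=203.0.113.7 user=dave result=FAIL
2024-03-01T09:02:58 src=203.0.113.7 user=erin result=FAIL
2024-03-01T09:18:30 src=203.0.113.7 user=frank result=SUCCESS
2024-03-01T09:05:00 src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:05:02 src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:05:03 src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:05:05 src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:05:06 src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:00:00 src=192.0.2.20 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^\S+ src=(\S+) user=(\S+) result=(\S+)$")

def parse_log(text):
    """Yield (source, user, succeeded) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "SUCCESS"

def classify_sources(text, spray_users=5, brute_attempts=5, max_per_user=2):
    """Verdict per source that produced failures: 'spray', 'brute-force' or 'normal'.
    A spray is many distinct users with few failures each (stays under lockout);
    brute force is many failures against one user."""
    fails = defaultdict(lambda: defaultdict(int))  # source -> user -> failures
    for src, user, ok in parse_log(text):
        if not ok:
            fails[src][user] += 1
    verdicts = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= spray_users and worst <= max_per_user:
            verdicts[src] = "spray"
        elif worst >= brute_attempts:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts

def compromised_after_spray(text, **thresholds):
    """Users who logged in successfully from a source classified as spraying:
    these accounts likely accepted the sprayed password and need a reset."""
    spraying = {s for s, v in classify_sources(text, **thresholds).items() if v == "spray"}
    return sorted({u for src, u, ok in parse_log(text) if ok and src in spraying})
```

The successful login from a spraying source is the alert that matters most, since it marks an account that accepted a common password; it is the account to reset and the user to include in the next awareness session.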

Key Takeaways

  • Users are often the last line of defense in a network.
  • There is no patch for people wanting to be helpful or wanting to do the right thing.
  • Simply stated, train them:
    • Pre-texting
    • Phishing
    • Training
    • Baiting
    • Tailgating

References:

Your preparation could be the difference between smooth sailing and a huge financial and reputational loss. You can quickly use these strategies to strengthen your defenses. For a more in-depth resource on the topic, our free guide, Breach: A Guide to Network Security, Best Practices for Prevention, Detection, and Response, is available for download.

Content provided by LBMC professional Bill Dean.

We can help protect your business from hackers. Contact LBMC Cybersecurity today to learn more!