As a business owner, you have probably heard that your staff are the weakest link when it comes to security. In my opinion this is not true: your staff, if trained well, can be the most effective security you can have.
The key to success is how they are trained.
In this post, I will present an approach to IT security training that I have used for many businesses, from sole traders to large multi-nationals and much in between, and that has proven very successful.
The Key to Successful Training
The key to the success of any business training program is to make it interesting to the attendees, so that what they have learned can be applied to their personal life in some way.
Let’s be realistic – people are more focused on their friends and family than their day jobs.
So, if the training program gives value that can be applied to their personal life, including friends and family, then the training material will be remembered and applied far more successfully in their work environment.
For example, if your business IT security training program provides tips on how they can secure their home baby-cam through changing password defaults, then that will stick far more readily in their minds than telling them they need to change the password on business system default accounts.
The benefit to your business is that focusing on adding value to their personal life makes it far more likely that the staff member will apply the knowledge in their work environment.
Hopefully you can see the benefit of this approach over providing an IT security training program every 12 months in which staff must sit through a slide pack of boring statements about complying with the rules or facing disciplinary action.
Topics Covered in the Training Program
Just to re-cap, the training program I am presenting is basic IT security training that all your staff and contractors should undertake.
The topics covered address some of the most prevalent and effective attacks such as ransomware, social engineering and other tricks that malicious people use.
Most attacks require the target user, such as your staff member, to perform an action in order to kick-off the attack such as clicking a link or attachment within an email, downloading software or divulging their password.
Of course, there are other types of attacks that don’t require the user to perform an action, but those will be covered in another post (Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses) and are not applicable to the IT security basics training program for your staff.
Here is the list of topics that will be presented:
- Keep software updated
- Think before you click
- Avoid getting tricked
- Use strong and unique passwords
- Don’t plug in unknown media into your computer
- Secure your computer (screen saver)
- Protect sensitive data
- Do not use public Wi-Fi or any public networks
For each topic, I will provide the business context as to why this topic is important to your business and for staff to be made aware of the topic. I will then present a “story” providing context on how the topic is relevant to their personal life and how the recommendations help towards protecting their family and friends if implemented. You can add in your own business statements at the end, if you wish, to provide some context to their obligations at work.
You don’t have to use every topic or all the content – just grab the bits that feel right to you. Also, change the text to suit your own business’s style of language, as you may find my approach too informal for your tastes.
How you present the topics is up to you, though I have found that booking a one-hour group meeting just before lunch, and providing a free lunch, has been effective. A free lunch provides an incentive for people to stay and discuss the topics which helps reinforce the information into their memory.
To keep the momentum going after the meeting you could set up a business group in your collaboration software that allows people to ask IT security related questions, both for business and home.
Other common reinforcement tools are posters covering one of the topics in this series using graphics and text that address the topic in a funny manner (I have found almost zero success in threatening your staff with disciplinary action – unless you are in the military or police force!!).
If your business does suffer an attack on the IT systems, be transparent and send out a summary email to all staff stating what happened and how it was fixed. This shows that attacks on IT systems are real.
So, let’s begin by covering the topics.
1. Keep Software Updated
A key requirement for a business is to implement a patch management process to ensure all IT systems are patched frequently to reduce the risk of vulnerabilities being exploited.
This is achieved by having a centralized patch management and deployment process which controls when patches are applied to devices with no action required by the end user.
If your business does not have a centrally controlled patch management and deployment function then you may be relying on each staff member to update their own computer.
This approach is not recommended, but it is common for small businesses to approach patching in this way. So, it is important to set in the minds of your staff the importance of patching at work by first addressing the patching of their home IT systems.
Updating your software applications and operating system is one of the most important tasks you can perform to reduce the chances of your personal IT devices from being hacked.
Hackers break into your IT systems such as home computers, mobile devices, webcams, Internet enabled toys/smart TVs and other home appliances, and online security systems by exploiting vulnerabilities that are within the software running on the device.
Software is never 100% bug-free so the makers of the software constantly release patches that fix bugs in their software.
That is why patching is so important!
It’s the software bugs that can allow hackers to hack your IT devices!
One approach to make sure you are patching frequently is to check each software application’s settings for an automatic update feature. If the application provides this feature then you should enable it so you don’t have to remember to check for updates. All major operating systems, such as Windows and Apple operating systems, provide an automatic update feature – check that it’s enabled.
2. Think Before You Click
Clicking on an email attachment or link within an email is probably one of the most effective ways of getting a computer infected with malware such as ransomware.
Depending on the staff member’s role it can be almost impossible to avoid opening email attachments; roles such as HR and finance receive emails with attachments all the time – CVs for the HR department and spreadsheets for the finance team, for example.
What makes it even worse is that most anti-virus software is useless these days at stopping new malware, because new variants of malware are created faster than the anti-virus vendors can create signatures and end-users can download them to their device’s anti-virus application.
What can help is to first think before you click.
Thinking means applying context to the email before clicking.
Often friends and family will send videos, pictures and other attachments to share with us. Sometimes the person sending the email may not be the person you think it is. These days it’s very easy to send an email that looks like it came from someone else, containing an email attachment with a virus or a link to a webpage that is designed to infect your computer with a virus.
Also, sometimes a person’s email account is hacked and a baddie sends emails to the person’s contact list with a malware attachment or a link to an infected webpage.
So how can you trust the email came from who you think it is?
If you know the person then check if the tone, language and behavior feels right to you. For example, if the person normally writes using a certain style but the email you received is not using that style then you should be suspicious. If they don’t normally send attachments or the time of day the email was sent is strange or the level of grammar and spelling is different then you should be suspicious. Check with the person by ringing or texting them – don’t reply to the email!
If you don’t know the person then you should never trust the email until you are 100% sure that it’s safe; in particular, never open an attachment or click on a link within the email!
Don’t rely on your anti-virus application that it will stop all malware as it will not. Most anti-virus software cannot keep up with the amount of malware being created these days.
- If the email came from a person you know such as a friend or family member – your gut-feel should direct you as to whether you should trust the email and its contents. If you feel that the email just doesn’t feel like it came from the person you know then contact the person by phone or text – never reply to the email.
- If you receive an email from someone you don’t know asking you to open the attachment or click on a link – don’t. If the email is of interest to you then do some research on the sender of the email via social media or a simple Google search.
- If the email feels wrong to you then trust your gut instinct.
3. Avoid Getting Tricked
Social engineering is a massive source of IT security breaches. One of the most well-known phone scams is the Microsoft support scam, which involves criminals ringing people and convincing the target that they are from Microsoft and that there is an issue with the target’s computer. The criminal then instructs the target to download software that ultimately allows the criminal to have full access to the target’s computer, often with the goal of locating personal information and account credentials such as online banking account details.
Social engineering also extends to the business environment and can involve cons such as the Microsoft support scam, but also other social engineering tricks such as convincing the finance department to deposit large sums of money into the criminal’s account for payments or services that do not exist.
Another attack involving social engineering is hacking into a business’s email accounts and intercepting valid payment requests via email and replacing payment bank account details with their own, resulting in valid payments going into the criminal’s bank accounts.
The way your staff can help protect the business against social engineering is by being able to detect when they are being targeted. This can involve taking a more cautious approach to people contacting them with instructions to change processes without going through the correct channels. For example, a finance team member receiving an email from the CEO instructing them to make an urgent payment to a service provider using different bank account details. If this request is not going through the correct process then it could be criminal activity.
Baddies know that most people are trusting of others, so they will use this to try and trick you into giving up valuable information or perform an action that can harm you and your family.
Baddies will often send an email or ring trying to convince you to share information that could harm you in some way. Types of tricks include:
- Impersonating a well-known business such as Microsoft claiming that your computer needs fixing and asking you to download software that is malicious, resulting in the baddie being able to access your computer to search for bank account details or other sensitive personal information.
- Family members that you know are overseas contacting you via email with an urgent request for money, where the email’s tone or language does not feel like them.
Some of the tricks used can be very convincing so it’s important to take a deep breath and look at the current situation in your own time.
For example, if you receive a call from a stranger stating they are from a well-known company and they are trying to get you to divulge personal information or make changes to your computer, place them on hold and ask yourself if the company would really be doing this. Even better, if someone is with you, ask them their opinion of the caller’s intent.
- You should be very suspicious of anyone contacting you unexpectedly asking for any personal information or asking you to perform an action such as downloading software.
- Banks will never ask for your password – for that matter, no business should ask you for your password, and this includes the business which employs you.
- Software vendors would not contact you randomly and ask you to download and install software.
- Businesses should never ask for personal information unless you have initiated the conversation for reasons such as customer support.
4. Use Strong and Unique Passwords
Password management is one of the most important aspects of IT security for any business.
I would imagine that thousands of posts have been written about the need for strong passwords and the need for each account to use a unique password, so I will not repeat the recommendations here.
However, for your staff member, strong passwords and using a unique password for every account is a massive annoyance, especially when you consider how many accounts we all have requiring a password!
If you would like more ideas on password management then read my post: Realistic Password Management Tips
Why is it important to have a strong password for your accounts and never reuse a password?
The simple answer is that a weak password can be very easy to guess and baddies know that most people will reuse their password on many accounts to avoid the issue of trying to remember all their passwords.
But what you probably don’t know is that if you reuse your password many times ultimately a baddie will get hold of the password and then through researching social media and other resources use that password on your other accounts.
Not all websites are built the same. Some websites don’t care too much about security and may store your password in clear text or use weak encryption, so that it’s easy to get the password. If a baddie hacks a website that you use and weak security is used to store your password then there is a very good chance that your password is now known to the baddies.
But it gets worse.
Not only will they have your password but they will have some other personal details that were stored with the password, such as your email address, name, date of birth etc.
All this information can be used to locate more information about you such as your social media accounts and other website accounts.
They will also attempt to use that password on the email account you used. So, if you used the same password as the website that was hacked the baddie will now have access to your email account and all your contacts!
Therefore, it’s very important to use a strong password and never reuse a password.
A weak password is one that can be guessed or is less than 7 characters long. Examples of weak passwords are: “password123”, “qwerty”, “letmein”, family members’ birth dates, family pets’ names etc. It is extremely easy to guess weak passwords using specialized software that is freely accessible on the Internet.
A strong password normally comprises a combination of lower and uppercase letters, numbers and special characters such as %, #, (, *, and is at least 8 characters long.
If creating a strong and unique password sounds daunting then there are many free online password generators, such as https://strongpasswordgenerator.com/
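The password rules above (length, mix of character classes, nothing guessable or personal, never reused) can be turned into a small self-audit. This is an added example, not code from the original post; the account list, pet name and birth year are constructed sample data, and the weak-password list is a constructed set built from the post’s own examples.

```python
# Added example: audit a set of accounts against the password rules in this post.
# Not the post's own code; the sample accounts below are constructed.
import re
from collections import defaultdict

# Weak examples named in the post plus a couple of obvious variants (constructed list).
COMMON_WEAK = {"password", "password123", "qwerty", "letmein", "123456"}

def password_issues(password, personal_terms=()):
    """Return the list of rules the password breaks; an empty list means it
    meets the post's definition of a strong password."""
    issues = []
    lowered = password.lower()
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if lowered in COMMON_WEAK:
        issues.append("common guessable password")
    # Details a baddie could find on social media (pet names, birth dates).
    for term in personal_terms:
        if term and term.lower() in lowered:
            issues.append(f"contains personal detail '{term}'")
    classes = [
        ("lowercase letter", r"[a-z]"),
        ("uppercase letter", r"[A-Z]"),
        ("digit", r"[0-9]"),
        ("special character", r"[^A-Za-z0-9]"),
    ]
    missing = [name for name, pattern in classes if not re.search(pattern, password)]
    if missing:
        issues.append("missing " + ", ".join(missing))
    return issues

def reused_passwords(accounts):
    """Group account names by shared password; returns {password: [accounts]}
    for every password used on more than one account."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}

def audit(accounts, personal_terms=()):
    """Combine both checks into one report: {account: [issues]}."""
    report = {name: password_issues(pw, personal_terms) for name, pw in accounts.items()}
    for pw, names in reused_passwords(accounts).items():
        for name in names:
            others = [n for n in names if n != name]
            report[name].append("reused on " + ", ".join(others))
    return report

# Constructed sample: one person's accounts, plus the pet name and birth year
# that appear in two of their passwords.
SAMPLE_ACCOUNTS = {
    "email": "Rex1984",
    "shopping site": "Rex1984",
    "bank": "K7#pv!2zQm",
    "forum": "letmein",
}
PERSONAL = ("Rex", "1984")

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_ACCOUNTS, PERSONAL).items():
        print(f"{account}: {'OK' if not issues else '; '.join(issues)}")
```

The reuse check is the part worth keeping for a business: the same shared spreadsheet of service logins can be fed to `audit` to find passwords used on more than one account.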
5. Don’t Plug-in Unknown Media Into Your Computer
Removable media such as USB memory sticks are often infected with malware and left in areas around the target business such as: the carpark, reception and other areas that staff members are known to frequent such as cafes.
If the infected device is plugged into a business computer there is a good chance that the infection will succeed, resulting in a “back-door” into your business IT systems.
This is not uncommon, nor is it considered a sophisticated attack. There are devices that anyone can buy and use, designed solely for this type of attack.
Your staff should be aware of the risk of inserting any removable device into their own computers as well as your business computers.
It’s important to note that they or a family member could infect their home computer and end up infecting your business computer as well via sharing files from the home computer with the business computer, even if they use different USB sticks. There are variants of malware that will silently infect any portable device plugged into an infected computer thus spreading the malware.
If you find a USB stick or other portable device such as a portable hard-drive, it’s important that you do not plug it into your computer. Malware can infect portable devices such as USB sticks, so plugging one into your computer can result in your own computer being infected. Then, if you plug another device into your computer, this device could be infected as well, ready to infect other systems.
The best action to take when finding a portable device is to hand it into the nearest authority so they can deal with it or leave it where it is.
6. Secure your computer (screen saver)
An unattended computer that has not been locked is a major security risk to a business, especially if the computer in question is accessible to the public or visitors, for example computers at reception.
It can only take a matter of minutes for a malicious person to infect the computer by loading a web browser on the computer and visiting an infected web page.
Always have a screen saver activate after a certain number of minutes of inactivity, for example 15 minutes within a non-public environment or a maximum of 5 minutes for a computer within the public area.
Not activating the screen saver on your devices such as mobile phone, iPad or computer is dangerous especially if you accidentally leave the device in a public area.
It’s bad enough that you will probably never see the lost device again, but it’s far worse if the person who grabbed your unattended device has full access to your device’s apps because there was no screen saver activated requiring a password to unlock it.
Always set the screen saver to lock the device after a certain period of inactivity – it’s recommended that a maximum of 5 minutes of inactivity should activate the screen saver requiring a password to unlock it.
7. Protect sensitive data
Passwords, business bank account details, staff HR records, payroll data and other sensitive information must be securely stored at all times.
Often, I have seen passwords to software and important accounts shared between people via post-it notes or even a spreadsheet named “passwords.xls” stored within a shared drive with not even a basic file password protecting the contents of the file!
When a business is breached by a malicious person one of the first tasks they will perform is searching the network drives for password files.
Using a standard password lock on a file is not enough as the password protecting the file can be identified using simple brute forcing tools that will ultimately guess the password, normally in a matter of hours.
The use of a centralized password vault that is designed to protect sensitive information, not just passwords but also documents, is a must for any business. There are many benefits to using a password vault such as:
- Sensitive information is normally encrypted with very strong encryption ciphers so if the vault is stolen the encryption is almost impossible to crack.
- Access rights can be applied to each piece of sensitive information so only the people who need access to that information can access it.
- There are no synchronization issues with storing multiple copies of sensitive information in different files and/or locations. The password vault application will provide centralized management.
- Most password vault applications provide auditing features so every person who accesses a piece of sensitive information is recorded.
It’s very important to protect your family’s sensitive information such as online bank account details, financial information such as investment portfolio details, social security numbers and other information that can be used not only to steal your money but also to steal your identity, which will be used for fraud.
Before we had computers, this information was stored under lock-and-key such as a home safe or a safe deposit box at a bank, however, most of us now store sensitive information on our computer.
The problem is that the computer was not designed to be a safe.
If your computer is stolen or accessed by hackers, and you have not taken steps to protect the sensitive data, then there is a very high chance that the criminal will have full access to that information on the stolen device.
How can you protect sensitive data stored on your computer?
Sensitive information can be protected by using a “virtual safe” such as a password manager application.
Password managers are applications which can store important information such as passwords, bank account details, social security numbers, or files securely.
Password management software can be installed on your computer, but the downside to this approach is that any time you or someone else needs to access the information stored in the password management vault they need access to that computer.
For families, this can be annoying.
An alternative approach is to use one of the password management systems offered online. The key benefit to the online password management systems is that more than one person can access the vault at any time and on any device.
Some online offerings provide cool features such as a password generator and automatically filling in the password text box for online accounts. This means you can have strong and unique passwords that you don’t have to type into the password text box to log into an account, the system will automatically paste the password into the password text box!
Another cool feature is that most online password management systems allow for multi-factor authentication. This means you need your username and password and in most cases your mobile phone as well to receive a special one-time code. So, if your password gets discovered the person will still need access to your mobile phone in order to successfully log into your password vault.
8. Do not use public Wi-Fi or any public networks
Using public Wi-Fi hotspots, including hotspots provided by hotels, cafes and other businesses, should be treated as highly insecure. The number of attack scenarios, free tools to set up rogue Wi-Fi access points and hack Wi-Fi transmissions, and the generally poor security of Wi-Fi networks is considerable. There are products that anyone can buy, designed especially for creating rogue Wi-Fi access points.
If you or your staff need to use public Wi-Fi networks then, at the very minimum, a VPN should be used to protect the data flowing between your device and the access point.
If you can, try to avoid using public Wi-Fi hot-spots such as the ones offered by libraries, cafes and airports and other businesses.
Wi-Fi can be very easy to hack which means baddies can see some of your network traffic from your device or even control which websites you visit!
Some websites that you visit may not be using HTTPS or other encryption methods to protect the data flowing between your device and the mobile app or website. That means that the unprotected traffic could include your account passwords or other sensitive information!
If you need to use public or free Wi-Fi use VPN software so all your data is protected regardless of which websites you visit.