IT Security Basics: A Basic IT Security Awareness Program for Your Employees
As a business owner, you have probably heard that your staff is the weakest link regarding security. In my opinion, this is not true, your staff, if trained well, can be the most effective security you can have.
The key to success is how they are trained.
In this post, we will provide an approach to IT security training that we have used for many businesses, from sole traders to large multinationals and much in between, that has shown to be very successful.
The Key to Successful Training
The success of any business training program is to make it enjoyable to the attendees so that what they have learned can be applied to their personal life in some way.
Let’s be realistic – people focus more on their friends and family than their day jobs.
So, suppose the training program gives a value that can be applied to their personal life, including friends and family. In that case, the training material will be remembered and used more successfully in their work environment.
For example, suppose your IT security training program provides tips on how they can secure their home baby-cam through changing password defaults. That will stick far more readily in their minds than telling them they need to change the password on business system default accounts.
The benefit to your business is that focusing on adding value to their personal life will provide a higher level of success that the staff member will apply the knowledge to their work environment.
Hopefully, you can see the benefit of this approach instead of providing an IT security training program every 12 months where they must sit through a slide-pack of bland statements about complying with the rules or face disciplinary action.
Topics Covered in the Training Program
To re-cap, the training program we am presenting is basic IT security training that all your staff and contractors should undertake.
The topics covered address some of the most prevalent and effective attacks such as ransomware, social engineering and other tricks that malicious people use.
Most attacks require the target user, such as your staff member, to act to kick off the attack, such as clicking a link or attachment within an email, downloading software, or divulging their password.
Of course, other types of attacks don’t require the user to act. Still, they will be covered in another BusinessArticles blog post called “Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses” and does not apply to the IT security basics training program for your staff.
Here is the list of topics that will be presented:
- Keep software updated
- Think before you click
- Avoid getting tricked
- Use strong and unique passwords
- Don’t plug in unknown media into your computer
- Secure your computer (screen saver)
- Protect sensitive data
- Do not use public Wi-Fi or any public networks
For each topic, we will provide the business context as to why this topic is important to your business and for staff to be aware of the issue. we will then present a “story” providing context on how the issue is relevant to their personal life and how the recommendations help protect their family and friends if implemented. You can add your business statements at the end, if you wish, to provide some context to their obligations at work.
You don’t have to use every topic or all the content – grab the bits that feel right to you. Also, change the text to suit your business’s language style, as you may find my approach too informal for your tastes.
How you present the topics is up to you, though we have found that booking a one-hour group meeting just before lunch, and providing a free lunch, has been effective. A free lunch offers an incentive for people to stay and discuss the topics, which helps reinforce the information in their memory.
To keep the momentum going after the meeting, you could set up a business group in your collaboration software that allows people to ask IT security-related questions, both for business and home.
Other standard reinforcement tools are posters covering one of the topics in this series using graphics and text that funnily addresses the topic (we have found almost zero success in threatening your staff with disciplinary action – unless you are in the military or police force!!).
If your business does suffer an attack on the IT systems, be transparent and send out a summary email to all staff stating what happened and how it was fixed. This shows that attacks on IT systems are accurate.
So, let’s begin by covering the topics.
1. Keep Software Updated
A business must implement a patch management process to ensure all IT systems are patched frequently to reduce the risk of vulnerabilities being exploited.
This is achieved by having a centralized patch management and deployment process, which controls when patches are applied to devices with no action required by the end user.
If your business does not have a centrally controlled patch management and deployment function, you may rely on each staff member to update their computer.
This approach is not recommended, but it is common for small businesses to approach patching this way. So, it will be essential to set in the mind of your staff the importance of patching at work by first addressing patching home IT systems.
Updating your software applications and operating system is one of the most important tasks you can perform to reduce the chances of your personal IT devices being hacked.
Hackers break into your IT systems, such as home computers, mobile devices, webcams, Internet-enabled toys/smart TVs and other home appliances, and online security systems by exploiting vulnerabilities within the software on the device.
Software is never 100% bug-free, so software makers constantly release patches that fix bugs in their software.
That is why patching is so important!
Software bugs can allow hackers to hack your IT devices!
One approach to ensure you are patching frequently is to check each software application’s settings for an automatic update feature. If the software application provides this feature, you should enable it so you don’t have to remember to check for updates. All major operating systems, such as Windows and Apple provide an automatic update feature – check that it’s enabled.
2. Think Before You Click
Clicking on an email attachment or link within an email is probably one of the most effective ways of getting a computer infected with malware such as ransomware.
Depending on the staff member’s role, it can be almost impossible not to open email attachments; functions such as HR and finance receive emails with attachments all the time – CV’s for the HR department and spreadsheets for the finance team, for example.
What makes it even worse is that most anti-virus software is useless these days at stopping new malware because the speed at which new variants of malware are created is faster than the anti-virus vendors creating signatures and end-users downloading them to their device’s anti-virus application.
What can help is to first think before you click.
Thinking means applying context to the email before clicking.
Often friends and family will send videos, pictures, and other attachments to share with us. Sometimes the person sending the email may not be who you think he is. These days it’s straightforward to send an email that looks like it came from someone else, containing an email attachment with a virus or a link to a webpage designed to infect your computer with a virus.
Also, sometimes a person’s email account is hacked, and a baddie sends emails to the person’s contact list with a malware attachment or a link to an infected webpage.
So how can you trust the email from who you think it is?
If you know the person, check if the tone, language, and behavior feel right. For example, if the person writes typically using a particular style, but the email you received does not, you should be suspicious. If they don’t usually send attachments, the time of day the email was sent is strange, or the level of grammar and spelling is different, you should be suspicious. Check with the person by ringing or texting them – don’t reply to the email!
If you don’t know the person, you should never trust the email until you are 100% sure that it’s safe, especially never open an attachment or click on a link within the email!
Please don’t rely on your anti-virus application that it will stop all malware, as it will not. Most anti-virus software cannot keep up with the amount of malware created.
When the email came from a person you know, such as a friend or family member – your gut feeling should direct you to whether you should trust the email and its contents. If the email doesn’t feel like it came from the person you know, contact the person by phone or text – never reply.
Shoud you receive an email from someone you don’t know asking you to open the attachment or click on a link – don’t. If the email is of interest to you, then do some research on the sender of the email via social media or a simple Google search.
If the email feels wrong, trust your gut instinct.
3. Avoid Getting Tricked
Social engineering is a huge source of IT security breaches. One of the most well-known phone scams is the Microsoft support scam, which involves criminals ringing people and convincing the target that they are from Microsoft and that there is an issue with the targets computer. The criminal then instructs the target to download software that ultimately allows them full access to the target’s computer, often to locate personal information and account credentials such as online banking account details.
Social engineering also extends to the business environment. It can involve cons such as the Microsoft support scam, but other social engineering tricks, such as convincing the finance department to deposit large sums of money into the criminal’s account for payment or services that do not exist.
Another attack involving social engineering is hacking into a business’s email accounts, intercepting valid payment requests via email, and replacing payment bank account details with their own, resulting in proper payments going into the criminal’s bank accounts.
How your staff can help protect the business against social engineering is that they should be able to detect when they are being targeted. This can involve taking a more cautious approach to people contacting them with instructions to change processes without going through the correct channels. For example, a finance team member receives an email from the CEO instructing them to pay a service provider an urgent payment using different bank account details. If this request is not going through the correct process, then this will could be criminal activity.
Baddies know that most people trust others, so they will use this to try and trick you into giving up valuable information or performing an action that can harm you and your family.
Baddies will often send an email or ring to convince you to share information that could harm you somehow. Types of tricks include:
Impersonating a well-known business such as Microsoft claims that your computer needs fixing and asks you to download malicious software, resulting in the baddie being able to access your computer to search for bank account details or other sensitive personal information.
Family members you know are overseas, contacting you via email with an urgent request for money, the email content’s tone or language does not feel like them.
Some of the tricks can be very convincing, so taking a deep breath and looking at the current situation in your own time is important.
For example, if you receive a call from a stranger stating they are from a well-known company and that they are trying to get you to divulge personal information or make changes to your computer, place them on hold and ask yourself if the company would be doing this, even better if you have company then ask them their opinion to the caller’s intent.
You should be very suspicious of anyone contacting you unexpectedly asking for personal information or asking you to do activities such as downloading software.
Banks will never ask for your password, or for that matter – no business should ask you for your password – this includes the business which employs you.
Software vendors would not contact you randomly and ask you to download and install the software.
Businesses should never ask for personal information unless they have initiated the conversion for reasons such as customer support.
4. Use Strong and Unique Passwords
Password management is one of the most important aspects of IT security for any business.
We imagine thousands of posts have been written about the need for strong passwords and each account to use a unique password, so I will not repeat the recommendations here.
However, for your staff member, strong passwords and using a unique password for every account is a massive annoyance, especially considering how many accounts we all have required a password!
If you would like more ideas on password management, then read my post: Realistic Password Management Tips
Why is it essential to have a strong password for your accounts and never reuse a password?
The simple answer is that a weak password can be straightforward to guess, and baddies know that most people will reuse their passwords on many accounts to avoid the issue of trying to remember all their passwords.
But you probably don’t know that if you reuse your password many times, a baddie will ultimately get hold of the password and then, through researching social media and other resources, use that password on your other accounts.
Not all websites are built the same; some websites don’t care much about security and may store your password in clear text or use weak encryption, so getting the password is easy. If a baddie hacks a website that you use and fragile security is used to store your password, then there is a perfect chance that your password is now known to the baddies.
But it gets worse.
Not only will they have your password, but also some other personal details stored with the password, such as your email address, name, date of birth, etc
All this information can be used to locate more information about you, such as your social media accounts and other website accounts.
They will also attempt to use that password on your email account. So, if you used the same password as the website hacked, the baddie will now have access to your email account and all your contacts!
Therefore, using a strong password and never reusing it is essential.
A weak password can be guessed or is less than seven characters long. Examples of weak passwords are: “password123“, “qwerty,” “letmein,” family members’ birth dates, family pets’ names, etc. It is straightforward to guess weak passwords using specialized software freely accessible on the Internet.
A strong password typically comprises a combination of lower and uppercase letters, numbers, and special characters such as %, #, (, * and is at least eight characters long.
If creating a strong and unique password sounds daunting, many free online password generators like ‘strongpasswordgenerator.org’ exist.
5. Don’t Plugin Unknown Media Into Your Computer
Removable media such as USB memory sticks are often infected with malware and left in areas around the target business, such as the car park, reception, and other areas that staff members are known to frequent such as cafes.
If the infected device is plugged into a business computer, there is a good chance that the infection will succeed, resulting in a “back door” into your business IT systems.
This is not uncommon, nor is it considered a sophisticated attack. There are devices that anyone can buy and use designed solely for this type of attack.
Your staff should know the risk of inserting any removable device into devices and business computers.
It’s important to note that they or a family member could infect their home computer and end up infecting your business computer via sharing files from the home computer with the business computer, even if they use different USB sticks. Various malware will silently infect any portable device plugged into an infected computer, thus spreading the malware.
If you find a USB stick or other portable device, such as a portable hard drive, you mustn’t do plugin it into your computer. Malware can infect mobile devices such as USB sticks, so plugging it into your computer can result in your computer being infected. Then, if you hit another device into your computer, this device could be infected as well, ready to infect other systems.
The best action to take when finding a portable device is to hand it in to the nearest authority so they can deal with it or leave it where it is.
6. Secure your computer (screen saver)
An unattended computer that has not been locked is a significant security risk to a business, especially if the computer in question is accessible to the public or visitors, for example, computers at reception.
It can only take minutes for a malicious person to infect the computer by loading a web browser on the computer and visiting an infected web page.
Always have a screen saver activate after a certain number of minutes of inactivity, for example, 15 minutes within a non-public environment or a maximum of 5 minutes for a computer within a public area.
Not activating the screen saver on your mobile phone, iPad or computer is dangerous, especially if you accidentally leave the device in a public area.
It’s bad enough that you will probably never see the lost device again. Still, it’s far worse if the person who grabbed your unattended device has full access to your device’s apps because no screen saver was activated, requiring a password to unlock it.
Always set the screen saver to lock the device after a certain period of inactivity – it’s recommended that a maximum of 5 minutes of inactivity should activate the screen saver requiring a password to unlock it.
7. Protect sensitive data
Passwords, business bank account details, staff HR records, payroll data, and other sensitive information must be securely stored.
Often, we have seen passwords to software and important accounts shared between people via post-it notes or even a spreadsheet named “passwords.xls” stored within a shared drive, with not even a primary file password protecting the contents of the file!
When a malicious person breaches a business, one of the first tasks they will perform is searching the network drives for password files.
Using a standard password lock on a file is not enough; as password-protecting, the file can be identified using simple brute forcing tools that will ultimately guess the password, generally in hours.
The use of a centralized password vault that is designed to protect sensitive information, not just passwords but also documents, is a must for any business. There are many benefits to using a password vault, such as:
Sensitive information is normally encrypted with strong encryption ciphers, so the encryption is almost impossible to crack if the vault is stolen.
Access rights can be applied to each piece of sensitive information so only those who need access to that information can access it.
There are no synchronization issues with storing multiple copies of sensitive information in different files and locations. The password vault application will provide centralized management.
Most password vault applications provide auditing features, so every person who accesses a piece of sensitive information is recorded.
Protecting your family’s sensitive information, such as online bank account details, financial information, such as investment portfolio details, social security numbers, and other information that can be used to not only steal your money but also steal your identity, which will be used for fraud.
Before we had computers, this information was stored under lock and key, such as a home safe or a safe deposit box at a bank. However, most of us now store sensitive information on our computers.
The problem is that the computer was not designed to be safe.
If your computer is stolen or accessed by hackers, and you have not taken steps to protect the sensitive data, there is a high chance that the criminal will have full access to that information on the stolen device.
How can you protect sensitive data stored on your computer?
Sensitive information can be protected using a “virtual safe” such as a password manager application.
Password managers are applications that can securely store important information such as passwords, bank account details, social security numbers, or files.
Password management software can be installed on your computer. Still, the downside to this approach is that anytime you or someone else needs to access the information stored in the password management vault, they need access.
For families, this cannot be very pleasant.
An alternative approach is using one of the online password management systems. The key benefit of online password management systems is that more than one person can access the vault at any time and on any device.
Some online offerings provide cool features such as a password generator and automatically filling in the password text box for online accounts. This means you can have strong and unique passwords that you don’t have to type into the password text box to log into a statement; the system will automatically paste the password into the text box!
Another cool feature is that most online password management systems allow for multi-factor authentication. This means you need your username, password, and, in most cases, your mobile phone to receive a unique one-time code. So, if your password gets discovered, the person will still need access to your mobile phone to log into your password vault successfully.
8. Do not use public Wi-Fi or any public networks
Public Wi-Fi hotspots provided by hotels, cafes, and other businesses should be treated as highly insecure. The amount of attack scenarios, free tools to set up rogue Wi-Fi access points and hack Wi-Fi transmissions, and general poor security of Wi-Fi networks is considerable.
If you or your staff need to use public Wi-Fi networks, then a VPN should protect the data flowing between your device and the access point.
If you can, try to avoid using public Wi-Fi hotspots such as those offered by libraries, cafes, airports, and other businesses.
Wi-Fi can be straightforward to hack, which means baddies can see some of your network traffic from your device or even control which websites you visit!
Some websites you visit may not use HTTPS or other encryption methods to protect the data flowing between your device and the mobile app or website. The unprotected traffic could include your account passwords or additional sensitive information!
If you need public or free Wi-Fi, use VPN software so all your data is protected regardless of which websites you visit.
IT Security Basics: My Website Was Hacked! What Do I Do Now?