MODERN BUSINESS AND CYBER SECURITY
13 / April / 20
What is phishing and why should your employees know about it? Phishing is the sending of fraudulent messages by e-mail, instant messenger or social network, aimed at "extracting" confidential information, usually a username and password. Such messages are often disguised as coming from government bodies, banks or courts. Another marker of a phishing message is a subject line flagged "urgent" or "must be considered". Employees must be taught not to open suspicious messages, and still less to follow links in them. And, of course, all suspicious mail must be reported to the security specialists or company management.
For example, an accountant receives a letter: "a loan has been issued in your name; enter your passport details to find out more". As soon as this is done, the entered data falls into the hands of fraudsters.
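The markers described above (an urgent subject, a sender posing as a bank or government body, a link that leads somewhere else, a request for passport or login data) can be turned into a simple triage rule for the security team that receives reported mail. The following is an added example, not code from the article; the `KNOWN_SENDERS` table, the sample messages and the `.example` domains are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Subject-line markers from the article; KNOWN_SENDERS is a hypothetical allow-list of institution -> real domains.
URGENCY_WORDS = ("urgent", "must be considered", "immediately", "final notice")
KNOWN_SENDERS = {"example bank": {"examplebank.example"}, "tax office": {"tax.gov.example"}}
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

def sender_domain(from_header: str) -> str:
    """'Example Bank <alerts@evil.example>' -> 'evil.example'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means a more suspicious message."""
    score, reasons = 0, []
    subject = msg["subject"].lower()
    if any(w in subject for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency marker in subject")
    dom = sender_domain(msg["from"])
    display = msg["from"].split("<")[0].strip().lower()
    for institution, domains in KNOWN_SENDERS.items():
        if institution in display and dom not in domains:  # impersonated identity
            score += 2
            reasons.append(f"claims to be '{institution}' but sent from {dom}")
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if host and host != dom and not host.endswith("." + dom):  # link leads elsewhere
            score += 2
            reasons.append(f"link host {host} differs from sender domain {dom}")
    if re.search(r"passport|password|login details", msg["body"], re.IGNORECASE):
        score += 1
        reasons.append("asks for credentials or identity data")
    return score, reasons

# Constructed sample messages: the loan scenario from the article and a benign statement notice.
SAMPLE_MESSAGES = [
    {"from": "Example Bank <alerts@evil.example>",
     "subject": "URGENT: a loan has been issued in your name",
     "body": "Enter your passport details at http://examplebank-verify.example/login"},
    {"from": "Example Bank <notify@examplebank.example>",
     "subject": "Your monthly statement",
     "body": "View it at https://examplebank.example/statements"},
]

def triage(messages=SAMPLE_MESSAGES, threshold: int = 3) -> list[bool]:
    """True for each message that should be escalated to the security team."""
    return [score_message(m)[0] >= threshold for m in messages]
```

The first sample trips every rule and is escalated; the genuine statement notice scores zero, which is the behaviour a reporting workflow needs so that employees are not trained to ignore alerts.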
Safe installation of programs
Only a program installed by the system administrator can be considered safe; the administrator's task is to ensure the optimal operation of the system. An inexperienced user may accidentally install a malicious program instead of a useful one. It is worth telling employees about the dangers of downloading and installing programs themselves from sources found on the Internet. This is especially true of cracked versions of licensed programs: besides the useful functionality, such software is often bundled with ransomware, Trojans and other troubles.
Installing a program on one's own can end, at best, with an endless display of ads in the browser and, at worst, with malware installed instead of the desired software.
What if the company does not have a system administrator?
Install only licensed programs from the developer's official site. Do not take the risk of downloading a cracked version of the software, because beyond the license bypass itself, hackers can build anything into it. If you do not want to pay, it is better to look for a free analogue of the expensive program.
Mandatory software update
There is an ongoing race between hackers and developers: one side releases a product, the other looks for vulnerabilities in it to use for criminal purposes. Developers do not sleep either: they patch security flaws and release updates so that vulnerabilities are not exploited as zero-days (the case when hackers find the vulnerability first and the attack occurs before the gap is closed). In practice, most users' computers run programs with known vulnerabilities.
This is why the system administrator must configure automatic updates for commonly used programs, so that employees always run the latest versions, in which the developers have already fixed the vulnerabilities.
For example, in early 2018 a vulnerability in Adobe Flash Player was actively exploited by the APT37 hackers against users in South Korea. A few days after the attacks were reported, Adobe released an update. However, many users did not update the program and fell victim to the intruders.
Using antivirus software
Antivirus protects the computer, but sometimes it slows down or blocks the installation of software updates. Most employees take this for granted, but some turn off the antivirus for a while and put their working computers at great risk. It is necessary to convey to employees the importance of keeping computers constantly monitored by antivirus programs; this will significantly increase the company's resistance to cyberattacks.
Antivirus is always needed, even if the computer is not used to work on the Internet and does not store valuable information. It is enough to transfer information from an infected external medium once for dangerous viruses to enter the system.
How to teach?
Trainings. New employees should definitely be trained in the company's security standards. Once a year, it will not be amiss to hold a basic cybersecurity seminar for all employees. In addition, the manager should pay attention to the daily activities of employees; sometimes just by watching you can see how security policies are violated.
For example, employees are used to taking office documents to a local café to read at lunch, or the personnel department posts lists of employees with their telephone numbers in a corridor shared with other companies.
Knowledge check. This is not about passing an exam, but about verifying employees' actions by imitating a real threat. Regular exercises will help employees respond properly to a real threat.
For example, security officers may send phishing emails to employees, and then do extra work with those who take the bait.
Bonus: Confidential Data Training
In any company there is information that requires special protection: confidential data. Employees must understand which of the data they work with is of particular value, be aware that attacks on such information are targeted, and remember that disclosure is punishable. Give such information a legally correct status and notify employees about it against signature. This will help raise the level of responsibility when working with valuable data.
For example, strangers can approach employees through social networks and, in the course of communication, try to extract confidential information by deception or persuasion (social engineering).
Trust and Verify
What else needs to be done to protect data? Of course, limiting oneself to communication with employees alone is, at the very least, presumptuous. It is worth using special programs to prevent information leaks: DLP systems. They let you see in real time whether someone is trying to steal sensitive data or is violating security policies. In addition, they generally strengthen the company's security perimeter.