Keeping your company safe from a cyberattack isn't as simple as implementing endpoint protection software. You'll want to train each and every employee to know what to look for before, during, and after work each day. Things such as phishing, physical theft, and spam can dramatically harm your business.
I spoke with Michael Kaiser, Executive Director of the National Cyber Security Alliance, about the many ways in which companies should be providing workers with information and tools to stay alert about potential cyberattacks. Once you've trained your team, it's up to you or your IT department to provide the software from companies such as Bitdefender, Kaspersky Lab, and Symantec that help to maintain network and device security.
1. Offer Phishing and Spam Training
Business Email Compromise (BEC) attacks target companies with scam messages that extract information from unknowing recipients. An excellent example of a BEC attack is a fraudulent email sent from someone pretending to be the company's CEO to the company's human resources (HR) department. Without realizing that he or she is being scammed, an HR manager willingly sends personal employee data to a scammer.
You can train your employees to recognize these emails, or any other kind of spam attack, so they can alert IT if they receive something that looks suspicious. You can also purchase phishing simulator training tools that send your employees realistic but harmless phishing emails to see who clicks. Those employees who click on the simulated attack emails will obviously need additional training and education.
2. Create an Acceptable Use Policy
Your employees shouldn't necessarily have free rein over how they use company devices while at work. For example, teach them which websites they're allowed to visit. Teach them which files they're allowed to download. Let them know which wireless networks are company-issued and safe for use.
Once you've got a policy in place, it's important to periodically revisit it with your team. If you don't consistently emphasize the acceptable-use rules, then your employees might forget them or become complacent.
3. Provide Strong Password Training
"The new wisdom is not to change passwords too frequently because every time they're changed, the new passwords get weaker and weaker," said Kaiser. So speak to your IT department to come up with a reasonable password change frequency (it will vary from company to company) and begin using that frequency immediately.
Furthermore, you'll want to train your employees to create strong passwords. Anything that contains more than 7 characters, an upper-case letter, a number, and a symbol should be strong enough to prevent casual attacks. However, you'll want to advise your employees against simply changing one of those characters when they're prompted to create a new password; instead, they should start from scratch with a new sequence of letters, numbers, and symbols.
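To make the two rules above concrete, here is an added example of a password-policy check that is not part of the original article. It enforces the complexity rule exactly as stated (more than 7 characters, an upper-case letter, a number, and a symbol) and adds one assumed mechanism for the "don't just change one character" advice: the new password is compared to the previous one by edit distance, and a small distance is rejected. The threshold value and the function names are assumptions for the example.

```python
"""Password policy check illustrating the advice in section 3.

Added example, not code from the original article. The complexity rule is
the one the article states; the similarity check (edit distance against the
previous password) and its threshold are assumptions for the example.
"""
import string
from typing import List, Optional

MIN_LENGTH = 8          # "more than 7 characters"
MIN_EDIT_DISTANCE = 4   # assumed threshold for "start from scratch"


def complexity_problems(password: str) -> List[str]:
    """Return the list of complexity rules the password fails (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Check complexity and, when the previous password is known, similarity.

    Both passwords are lower-cased before comparison so that changing only
    letter case ("Autumn2023!" -> "AUTUMN2023!") is still caught.
    """
    problems = complexity_problems(new)
    if old is not None:
        distance = edit_distance(new.lower(), old.lower())
        if distance == 0:
            problems.append("same as the previous password (ignoring case)")
        elif distance < MIN_EDIT_DISTANCE:
            problems.append(
                f"too similar to the previous password (edit distance {distance})")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user bumping the year on last quarter's password.
    for new, old in [("Autumn2024!", "Autumn2023!"), ("Wh1te-kettle", "Autumn2023!")]:
        result = check_new_password(new, old)
        print(f"{new!r}: {'OK' if not result else '; '.join(result)}")
```

The edit-distance check is what turns the advice into something enforceable: a rotation that only increments a digit or swaps one symbol is rejected, while a genuinely new password passes.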
4. Teach Employees to Report Problems
Even if your employee clicked on or downloaded something that he or she shouldn't have, it's important that all threats be reported. If you make your employees feel safe about reporting infractions so as to reverse damage or prevent intrusion, then your team will be much more likely to come forward.
"You've got to build a non-blaming atmosphere where people can bring issues forward, even if they made a mistake," said Kaiser. "It's more important for the business to know that there's a potential issue than it is [to punish employees for an infraction]."
5. Use Proper Device Management
Mobile Device Management (MDM) software will help you in the event that software needs to be manually updated, an employee has gone rogue, or if you need to remotely wipe a lost or stolen device. But, if your company is too small or too technologically unskilled to maintain an entire fleet of devices, then you'll want to train your employees to take proper care of their devices both physically and digitally.
Make sure your employees know that they need to install all software updates as soon as they become available. These updates typically contain fixes for security vulnerabilities. Until the update is applied, the vulnerability remains, leaving the device open to attackers and possibly exposing your entire network.
"Make sure they're always aware of the physical security of devices," said Kaiser. "Make sure they're not leaving the device unattended and that the device is properly stored when in a vehicle so it's not visible." Kaiser also said it's important to train your employees to understand the physical limitations of your devices. Are they waterproof? Are they dust-proof? What are the safe high and low temperature thresholds for the device?
Additionally, make it a requirement that every device that houses company data be locked with a passcode or biometric unlock. This is a simple rule that everyone should follow, even with personal devices, but it's worth reiterating for your more naïve or stubborn employees.
6. Give Remote Access and Wi-Fi Training
If you're concerned about security (which you absolutely should be), then set up a Virtual Private Network (VPN) immediately. If any employee is working remotely, then he or she should be using that VPN at all times for all activities.
You should also institute policies and procedures about how employees use Wi-Fi when they're away from the office. The Wi-Fi networks they access should be password-protected and feature strong security settings. When your employees are on smartphones and tablets, they should always opt to use the device's cellular data plan rather than an unknown Wi-Fi network.