How Much of an IT Security Risk Are You to Your Company?
The best security is only as strong as its worst password and naivest user. Markus Schaffrin from the eco Association explains how important the behavior of staff and management is for company security.
Most management and senior management understand the need for IT security, but not much beyond that. But senior management plays a decisive role in the success of any IT security strategy your systems administrator develops. This is because the way individual members of staff – from the student assistant through to the CEO – behave online is central to ensuring improved cyber security.
Don’t be the weak link in your company security
Poor security knowledge and naive behavior by company staff at all levels can result in the risks of identity theft and monetary theft, and these two attack vectors can also result in legal ramifications (for yourself and your organization) and even sanctions from business partners, if policies are not followed or security standards are violated.
How can management support improved IT security?
The computer capabilities and security awareness of staff in your company can vary hugely, from the geek to the technologically illiterate.
As a result, it is necessary to make sure that basic knowledge and best practices are communicated to all in the form of a) a security policy document and b) awareness training. Further preventative measures can also be taken to provide added security. Your systems administrator needs your support to make these tasks a success.
- Security policy
Your company needs a clear and understandable security policy for staff to follow. This should include the obligation to use the good practices mentioned below, and guidelines for how to deal with incidents or suspicious circumstances.
- Train your staff
Training courses (link to SoSafe interview) strengthen the understanding of the importance of the security of data and IT infrastructures. The success of the security awareness training can be verified, for example, by monitoring the number of security-relevant incidents in the company over a certain period of time.
- Investing in secure systems and processes
Not all responsibility lies at the feet of non-specialist staff. There are also a range of important preventative measures that your systems administrator should implement, described briefly below. Many of these mitigate the risk of human error by reducing the opportunity for staff to make security mistakes.
Social engineering: How poor security awareness plays into the hands of cyber criminals
But firstly, what’s the big problem? In a word, social engineering. Social engineering manipulates people to perform actions or reveal confidential information. A good example is spear phishing, where criminals try to find out as much as possible about their target in order to be able to make special “tailor-made” attacks.
For example, they send emails with fake invoices to the accounts department or imitate the managing director who urgently wants to have a bank transfer made (while he or she is out of the office, of course). Looks can be deceptive: These mails imitate legitimate mails, sometimes extremely effectively – the cyber criminals gain as much information as possible about the company and the employee beforehand, so that they can use the corporate design and make use of personal salutations. This is especially simplified if the organizational structure is publicly visible on your company website.
Certain departments (finance, HR) are particularly vulnerable to such attacks, and their staff need to be especially sensitized to the risks. But of course, they’re not the only ones. Training in awareness and secure behavior is important for everyone.
Security policy and training: What is good practice for staff security behavior?
A basic set of “must haves” that should be reflected in training sessions and the staff IT security policy (and in your own behavior) include:
Secure passwords, and a different one for each account. Enforcing use of a password manager helps enormously with this, and means that staff are less tempted to write all their passwords down on sticky notes and leave them available for all to see.
- Screen lock
And when it comes to “for all to see”, everyone in the company needs to understand that the physical company premises also has an impact on IT security. An automatic screen lock to protect computers when staff are away from their workspaces is a sensible and enforceable option.
Your policy should prohibit the downloading of software unless it comes from trusted websites or from the official stores (like Google store / Apple App Store, etc.). Of course, exceptions to this policy can be enabled on approval from the systems administrator.
- Do not use strange USB devices
These have no place in company IT. They may contain not only computer viruses, but also malware to spy on the company IT. USB sticks found in the parking lot belong in the bin, not in a company or private PC. Lost USB sticks have a high probability of being infected with malware.
This is one of the most important behavioral issues for IT security, and here we come back to the risk of social engineering. Staff need to learn to be highly skeptical of any emails that are unexpected, and should not open email attachments unless they are absolutely sure of their validity. This, of course, can be difficult for a HR department that receives applications from private individuals, or an accounts department dealing with external invoices. In this case, there are several options for opening attachments safely:
- CIRCL Luxembourg offers a service which allows the analysis of potential malicious software or suspicious documents in a secure and virtualized environment.
- There are also companies that are specialized in secure mail environments, in which staff do not have to worry about encryption standards or malicious attachments.
- For vulnerable departments, the email application can be set up to run in a sandbox or in a virtual machine. If a malicious attachment is opened, it won’t be able to infect the machine, but just the VM or sandbox.
What else can be done to mitigate human behavior as an IT security risk?
But it’s true of every company: For all the training, some people will insist on clicking links, downloading unauthorized programs, and so on. So let’s have a quick look at some of the best practices that could be implemented to further protect your systems from unwanted and unauthorized access. These can form part of an overall security policy, and define the responsibilities of the systems administrator.
- Access rights management
Only allow access levels that are absolutely required for each staff member. Use least-privilege access policies that state access will only be granted if required, not by default. And don’t forget to ensure accounts are removed and passwords changed when someone changes jobs or their contract is terminated.
- Tracking system changes
- Securing workstations
Ensure up-to-date virus scanning software is running on all devices, ensure the latest updates of all applications are installed, and apply software patches as soon as they are published.
- Creation and communication of further IT guidelines
For example, defining of document and system disposal processes – some criminals could search your garbage bins. Also define backup procedures, and test if the backup works.
- Implementing DKIM, SPF, & DMARC
This will increase the security and authenticity of emails going into and out of your company. If you don’t have an internal mail server, this may be handled externally by your email service provider. More information is available from the Certified Senders Alliance (CSA).
And another thing – how safe is working remotely and Bring Your Own Device?
To make sure that staff are using secure devices, the best option is to give each staff member company devices. However, when staff are using their own devices, and when they are working from home or on the road, there are several options for increasing security:
- A VPN can be implemented for all enterprise devices. With a virtual private network, you can secure your computer’s Internet connection to guarantee that all of the data being sent and received is encrypted. When you are using a VPN in your company, you can be sure that the data will not be routed on public servers, but rather will take a direct connection from your device to your company’s servers.
- Remote Access allows the company administrators to upload, manage, and distribute applications to the mobile devices connected to the domain. Administrators can create application repositories in the organization to achieve unified management of mobile applications on the mobile device pool.
- Defining rules allows the unification of employee compliance with applications by applying a black-and-white policy for permitted applications on mobile devices.
- Enterprise Mode on mobile devices: Separate compartments on devices can protect your company’s data security. The mobile phone system is divided into two parts: the enterprise security domain and the private domain. The enterprise security domain supports only corporate functions – photos and data are stored independently – and processes are isolated from each other so that your business is secure and efficient.
- Use encryption: By encrypting your device and your data, you can vastly improve the security of mobile application data. Data encryption can be performed at the application layer, and offline application data is encrypted and stored in a secure container on the device. This means that even if the device is stolen, you don't have to worry about leaks.
So, don’t be the weak link in IT security, and support your IT specialists to be able to do their job effectively. It will pay off.
As Head of Member Services at eco, the largest association of the Internet industry in Europe, Markus Schaffrin is responsible for the care of over 1,100 member companies from 70 different countries. The computer scientist has been a part of the IT world since the very beginnings of the Internet, and has more than 20 years’ experience in computer science and project management.
He has worked for the eco Association for more than 15 years, and together with his team he oversees the specialist work of the ten Competence Groups, and the organization of around 100 events per year. Schaffrin is also Head of the eco Cyber Security Services, and as an expert in IT security, is a regular guest on radio and television, as well as at many congresses and conferences.