Threat Intelligence • March 21, 2022
Technical advances are making it more difficult than ever for hackers to breach an organisation’s environment. Many organisations are investing record amounts in technologies that reduce their attack surfaces, harden their systems, and boost their network monitoring capabilities.
In many respects, increasingly sophisticated tools are succeeding at making it more difficult than ever for cyber-criminals to execute a successful breach.
However, hackers are always adaptive. They are constantly on the hunt for any perceived vulnerability that leaves a target organisation exposed to an attack.
Whilst technologies are successfully enhancing cyber resilience, the one area that remains a weak-point for many organisations is human error. All it takes is one staff member to accidentally click on a dangerous link, or open a malicious attachment, and the pathway for an attacker could be wide open.
In this blog we will explore eight of the most important cyber-security measures staff in every organisation should be following to mitigate the risks of a cyber-attack. Ensuring your staff follow these eight measures will help turn them from a security liability into your greatest security asset.
Email is a critical business communication tool. For most organisations, the idea of functioning without email is inconceivable. But, whilst email offers enormous efficiency benefits, it is also actively used by cyber-criminals to breach an organisation’s network.
Hackers regularly target victims by sending malicious links or attachments via email. Known as phishing, the goal is to get an unsuspecting staff member to install malicious software, or malware. This can allow an attacker to gain access to the network, steal confidential data, or launch a ransomware attack, in which access to business-critical systems is blocked pending payment of a ransom.
Phishing is an increasingly common threat to Australian organisations, with over 44,000 reported attacks in 2020, an increase of 75% over the previous year according to Scamwatch. As no organisation is immune to email-based attacks, all staff should be receiving ongoing email awareness training to enable them to identify the tell-tale signs of a suspicious email.
Most organisations have dozens of applications within their environment. Think of everything from your computer’s operating system to essential business tools, such as word processing, spreadsheets, web browsers, email clients, ERP and CRM platforms.
Without all these systems, it’s hard to imagine how an organisation would be able to function. Yet, all too often, vulnerabilities in these applications are exploited by hackers to gain entry to a target organisation’s environment.
That’s why every time a software vendor identifies a bug in their code, they release an update. Running the update, or patch, ensures the bug is fixed and cannot be exploited by malicious actors. In many cases, organisations neglect to regularly patch all the software running in their environment. Hackers actively hunt for organisations that have fallen behind in patching and deliberately target them.
It is critical that staff in every organisation understand the importance of updated software applications. They should receive training, so they never switch off auto-updates for any software running on their computer and are aware of the importance of regularly checking for application updates that they need to actively run.
Rightly or wrongly, many systems require nothing more than a simple username and password to authenticate an individual who is trying to login to the system. Given that the username is often the person’s email address, that leaves the password as the only line of defence between a hacker and systems that may contain valuable confidential data. So, adhering to effective password practices is critically important.
All staff should receive extensive training in secure password practices. This should include the importance of selecting a passphrase that will be difficult for a cyber-criminal to crack, whilst still being easy for the legitimate user to remember. Staff should also understand the importance of having different passwords for different systems. This ensures that if an attacker manages to obtain one password used by a staff member, they won’t be able to access a range of different systems, as each will have a different password.
Given the many risks associated with vulnerable applications, an organisation’s IT department needs to maintain complete visibility over all the software that exists within its environment. Only with a high degree of visibility can they be certain that all the applications are secure and updates are regularly run.
However, all too often staff install software without considering security implications. Software that exists in an organisation’s environment without the knowledge or approval of the IT department is known as Shadow IT.
Increasingly, many organisations have policies in place to prevent Shadow IT. Staff are required to obtain authorisation from the IT department prior to running any applications. Ensure your organisation also has clear policies in place to put a stop to Shadow IT. Implement measures to educate staff about the risks of downloading and running unauthorised applications. Like all effective policies, make sure you have monitoring and enforcement mechanisms in place so your IT team can always maintain an up-to-date inventory of all the software being used by all staff in the organisation.
We previously discussed the risks associated with poor password practices. One of the most important ways to prevent unauthorised access of your systems is through the implementation of Multi-Factor Authentication, or MFA.
MFA verifies that an individual is authorised to access a particular system by requiring them to authenticate using at least three measures:
By requiring all three measures to authenticate an individual, the organisation’s security becomes less reliant on passwords alone. Even if a cyber-criminal has managed to compromise a password, MFA ensures they won’t gain unauthorised access to confidential systems or data. It is critical to make sure all staff have MFA activated across all their devices and applications.
As staff increasingly work remotely, it is essential that they understand the risks associated with public Wi-Fi networks. Many staff may be unaware that public internet connections, such as those often found in cafes or other public venues, often don’t provide the same levels of protection that would be found in either enterprise or residential Wi-Fi. This is particularly the case if these connections do not require a password for access.
Such public internet connections may not encrypt network communications. This may leave your organisation exposed to a range of attacks, such as man-in-the-middle breaches. This can result in a cyber-criminal eavesdropping on confidential communications and accessing private data, such as usernames and passwords. Clear rules and guidance need to be in place about the use of public Wi-Fi. Staff should not be authorised to connect any device used for work purposes to such networks.
Another challenge with remote staff is the security of devices used for work. Ideally, staff should be provided a work device by the organisation. This will provide your IT department with a high degree of control over the device, allowing them to ensure it is configured correctly, and is always fully patched and updated. It also makes monitoring network traffic easier, so any suspicious activity can be quickly flagged and investigated.
However, in many cases, organisations cannot provide dedicated devices, resulting in staff using personal devices for work, a practice known as bring-your-own-device, or BYOD. There are many risks associated with BYOD: the device may be incorrectly configured, corporate data may be accessed by others, including staff family members, and insecure applications may be installed on the device.
It is essential that your IT team puts into place measures that limit the risks posed by the use of personal devices. For example, they may install Mobile Device Management (MDM) technology. This can help separate work data from personal staff information and files, whilst providing your IT team remote visibility and control over corporate data on the device.
Another option is the use of cloud-based end-point protection tools that allow your IT team to manage the security and privacy controls on all the devices used by staff for work, including personal devices. You should also have Full Disk Encryption implemented that protects the entire hard drive of the device, including all files, data, software and operating systems.
Ensure you have training and guidance for staff that clearly state they are responsible for ensuring their devices are always patched and updated. Staff should also receive training in the importance of the physical security of their devices, which should never be left unattended in a public location, and the screen should always be locked whenever not in use.
With staff needing to access your corporate network whilst working remotely, you are effectively expanding the network perimeter, opening it up to a range of possible risks.
All staff should be required to access the corporate network using a VPN (Virtual Private Network). This will limit the ability of cyber-criminals to access the corporate data that exists on your servers, devices and applications. Your IT department must also ensure the VPN itself is secure by verifying the identity of VPN tunnel end-points, as using the wrong authentication method could allow an attacker to compromise your corporate network.
Staff need training in how to use VPNs and to always verify that the VPN is active whenever they are using a work device.
At Threat Intelligence we offer integrated governance, risk and compliance solutions to enable your organisation to meet its strategic cyber-security needs.
We assist you in developing, implementing and managing appropriate corporate governance frameworks through the development of fully-customised security roadmaps. These can include internal policies and staff training to help ensure your personnel become your greatest security asset.
We also undertake strategic reviews of the key threats and risks your organisation faces, enabling you to plan your security activities and budgets over the coming years to mitigate risk and prevent security breaches.
Contact Threat Intelligence today to learn more about the many ways we can help your organisation achieve its cyber-security objectives.