Building an IT Security Culture Within Your Organization
Cybercrime has quadrupled as we prepare to enter the third quarter of 2020. This is reason enough for everyone in your organization to buy into enhanced managed IT security. But for that to happen there needs to be a shift in your corporate culture. Every individual on your team must adopt new security practices to the point that they become habitual. The following measures are key to a successful transformation.
Multi-factor authentication (MFA) is a login security check that requires more than one method of authentication, from independent categories of credentials, to verify a user's identity. Microsoft reports that, when used effectively, MFA blocks over 99.9% of attacks by hackers. To assist with adoption, SIRKit has provided a detailed guide to enabling MFA across your organization.
This is a simple yet often overlooked IT threat prevention measure. Ensure your staff get into the habit of locking their computer screens whenever they get up and walk away, no matter how short the absence. This is not a matter of configuring screens to lock automatically after a period of idle time; the lock needs to be applied manually as soon as a user pauses their work. Even if you have full confidence that there is no risk of internal sabotage, IT threats are ever-present due to the increased integration of IoT in the workplace. For example, smart security cameras can be hacked and used to physically spy on operations, which includes a sneak peek at whatever is displayed on an unattended computer screen.
Let staff know that it’s OK to ask IT personnel and/or management about anything they find odd when it comes to IT-based concerns. This includes suspicious emails and SMS messages, on-screen pop-ups and alerts, and all sorts of perceived digital malfunctions. Let it be known that there is no such thing as a “stupid question” in the IT environment. Instead, staff should get positive recognition for bringing concerns to the forefront. This is critical to fostering the idea that security is part of your organization's culture. In addition, encourage staff to ask IT personnel how they evaluated a perceived risk, so that they too can learn how to address a threat. This will better equip them in the future.
This step has become more important than ever in 2020. When working remotely, staff (management included) may be tempted to forward their workload to personal emails or save it on personal USB keys. When this occurs, data leaves the secure workplace environment and heads out into the world where IT risk is elevated. Organizations that allow bring-your-own-device (BYOD) are also at risk, as once again data and applications transition to less secure systems. While employing MFA on BYOD devices helps, it’s best to establish a clear protocol - keep company data on company systems. For this reason cloud adoption is critical as it allows for remote yet secure team productivity. In addition, it’s a good idea to use BitLocker Drive Encryption. This Microsoft data protection feature integrates with your Windows 10 operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. View more on BitLocker Drive Encryption.
In the IT environment, keep it simple - limit admin access to those who need it most. Team members should be provided the access they need to perform a required job, no more and no less. This mitigates the IT risk that comes from having too many logins and security keys allowing access to sensitive data and systems. Even owners and C-level executives (high-ranking or senior executives) don’t necessarily require full access to everything. An IT professional can establish an easy-to-follow policy for your organization, but it ultimately needs buy-in from all stakeholders.
One of the most successful forms of phishing (aka spear phishing) is one where a cybercriminal impersonates upper-level executives. Hackers know that subordinates are less likely to vet the validity of a supposedly urgent email coming from a superior, and will instead perform the requested action without following security protocol. This action may be a transfer of funds or a handover of digital documents and login information. Look no further than the recent attack on the City of Ottawa, where spear phishing was used to request a fraudulent fund transfer that cost the City approximately $130,000 CAD.
To prevent CEO fraud and other forms of executive email impersonation, top-to-bottom training for all staff and stakeholders is required. They must learn how to identify phishing threats by verifying sender emails (look for domain mimicking) and notifying management about incoming requests to transfer funds and sensitive information. Better yet, establish a rule that no such email/SMS request will be acted on unless it is accompanied by another form (or factor, so to speak) of communication, be it verbal or otherwise. Manual efforts aside, your organization must tighten email security and, if using Office 365, strengthen security with Microsoft Secure Score. In addition, consider cloud-to-cloud backup to ensure that your data and productivity are protected should spear phishing attacks prove successful.