Regardless of the efforts companies make to shore up and secure their IT systems, there’s always a serious threat that remains. That threat is that any one of the system users could make a mistake that results in a cyber-attack or data breach.
Countless studies show that human error (or merely lack of knowledge) is often a contributing factor when a breach occurs. Hackers are well aware of this, which is why many of them specifically target what they see as a key weakness in IT security – the staff using the systems.
Since it’s impossible to put technical measures in place that mitigate against every possible human action, constant user education is the only real solution to this problem. So, with that in mind, here are five things that all staff using company systems should know about cybersecurity:
All IT people know that some users tend to ignore things that pop up on their computer screens. This can include prompts to perform a scheduled backup, requests to install updates, and error messages that may require attention.
All too often, a day or two of clicking these messages away to get them out of the way becomes a week or two – and then it becomes a habit. However, these messages should never be ignored.
The global ransomware attack in June 2017 (which we also discuss later) could have been considerably less serious had people kept their Windows computers up to date, because a patch protecting against the vulnerability it exploited was already available. In no uncertain terms: the severity of this headline-grabbing attack could have been greatly reduced had numerous people not postponed installing routine updates.
Most people expect to be permanently connected to the internet these days unless they’re on a plane. And with more and more airlines offering Wi-Fi, that will soon cease to be an exception too!
This culture of taking Wi-Fi for granted means that many people will connect to the nearest hotspot to get online, without considering the very real risks associated with this practice.
It’s very easy for a hacker to set up a fake hotspot and trick people into connecting to it. Furthermore, hackers can sit on legitimate networks in coffee shops and hotels and very easily perform “man in the middle” attacks. In both cases, everything passing over that connection (including passwords and personal details) is child’s play to intercept.
It’s essential that non-technical computer users understand this and start to be selective about where they connect to the internet. To reduce the danger, routinely using a good-quality VPN service encrypts the traffic passing over the connection and vastly reduces the risk of interception.
The high-profile ransomware attack we referred to above caused serious damage to the UK’s National Health Service and all kinds of other global organisations. It also affected plenty of small businesses and individual users.
It’s important that people understand what ransomware is, and the damage it can do to a business. Why? Because it’s a global trend in IT security, with incidents rising by 6000% last year.
The key thing to teach users about ransomware is that the best line of defense is a good backup. The people who end up having to pay the hackers are those who can’t get their data back from anywhere else. This is just one of the reasons why everyone needs to take backups seriously.
Nobody particularly likes having to remember vastly complicated passwords, and some users object so much that they stubbornly insist on using login details that cyber-criminals could easily guess.
A study in January 2017 showed that passwords like “123456” and “qwerty” were still the most popular in use – so many people either ignore conventional wisdom or believe the dangers are overstated. It’s therefore very important to continually emphasize the importance of taking the advice seriously. Wherever possible, IT departments can put technical processes in place to enforce the use of complex passwords, but sometimes this will remain a user-education issue – and an incredibly important one.
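As an added illustration that is not from the original article, here is the kind of technical password-policy check an IT department might enforce at account creation or password reset. It rejects the article's cited "123456" and "qwerty" (including lightly disguised variants such as "Qwerty2017!" or "P@ssw0rd"), keyboard walks, single repeated characters, and anything under a minimum length. The banned list, the 12-character minimum and the keyboard rows are constructed for this example; a real deployment would load a far larger list of breached and common passwords.

```python
import re

# Constructed, deliberately tiny banned list for illustration only.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}

# Assumed policy threshold for this example.
MIN_LENGTH = 12

# Physical keyboard rows used to spot "walks" such as qwer, asdf, 1234 (either direction).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common symbol/digit substitutions people use to disguise a dictionary word.
LEET = str.maketrans("@$0!13", "asoiie")


def _normalise(pw):
    """Lower-case, drop a trailing run of digits/symbols, undo leetspeak.

    'Qwerty2017!' -> 'qwerty', 'P@ssw0rd' -> 'password'
    """
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def _has_keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys from a single keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or _normalise(pw) in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if _has_keyboard_walk(pw):
        problems.append("contains a keyboard sequence")
    if re.fullmatch(r"(.)\1*", pw):
        problems.append("single repeated character")
    return problems
```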
One common way to separate users from their login details – and in turn go on to hack target systems – is to use phishing emails that look like they’ve come from genuine sources, such as banks or social networks.
Some of these phishing emails are very convincing, and there are so many of them that even the most well-organised IT department will occasionally find that some work their way through the spam filters. Once again, therefore, education is very important, so that users remain permanently suspicious of incoming emails. There are so many scam emails in circulation that it isn’t difficult to find real examples to show users.
But phishing doesn’t only happen online. Phone calls from people pretending to be from the “IT department” or even from Microsoft are increasingly common. They’re intended to convince people to give up their passwords, or even permit remote access to their computers.
The only way to prepare users for these things is to make them aware of what can and does happen – and what the implications could be if a hacker does gain system access. The rewards are simply too great to expect the cyber-criminals to ever stop doing what they’re doing.
About the author: Ben Taylor has been a techie since the 80s and has spent all of his career in the industry. He currently runs a UK-based IT consultancy, writes for a range of publications, and helps aspiring freelancers with his latest project, www.homeworkingclub.com