The Ontario Provincial Police sent out a warning that scam emails can expose Internet users to phishing and ransomware threats. While such warnings from authorities help, awareness and training could go a long way in protecting users from such scams.
Every few days we come across news stories about major hacks in which the details of hundreds of thousands of users are stolen. Investigation reveals that, while sophisticated techniques play a part, a majority of security breaches start with an employee clicking on the wrong email. This brings us to the burning issue: how can businesses protect their own data as well as their customers’ data? The first and foremost thing is training, and almost all security experts will agree with this statement.
One of the major problems is that average businesses and enterprises do not train their general staff in IT security matters, and this is more or less as it should be. Training should be restricted to familiarisation with job-relevant security procedures, of which the fewer there are, the fewer there are to get wrong. IT staff, on the other hand, really should be more security-aware.
Investigations have revealed that the starting points of attacks are not advanced hacks but a few basic tricks, including social engineering, phishing and scam emails, among others. Generally speaking, an attacker will aim for the ‘low-hanging fruit’ first and will look to spear-phish the director’s secretary, not the director himself – at least not initially. IT security teams at enterprises need to ensure that the gains from such a foothold are similarly low and that “privilege escalation” attacks are hard.
Identify who needs to be educated and then think long and hard about what you want to teach. For example, training people to change their passwords often is pretty useless, while showing them how spear phishing works might be useful. Keep in mind that normally there is a tension between security and convenience and a harried middle manager will always choose convenience, unless training has convinced him or her that it is necessary to make such decisions in a conscious manner and that taking on security risks is not “free”.
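One concrete way to show staff what spear phishing looks like, rather than just telling them to change passwords, is to walk through the header and body indicators a defender checks. The script below is an added example and is not from the original article or the police warning; the corporate domain `example.com`, the impersonated executive name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import difflib

# Constructed values for the example: the organisation's own domain and the
# executives whose names are most often borrowed in impersonation emails.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane director"}
# Phrases that commonly pressure the recipient into acting without checking.
URGENCY_PHRASES = ("urgent", "wire transfer", "immediately")


def lookalike_domain(domain, reference=CORPORATE_DOMAIN):
    """True if the domain closely resembles the corporate domain without matching it."""
    if not domain or domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= 0.85


def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # Display-name spoofing: a trusted name in front of an external mailbox.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        indicators.append("display name impersonates an executive but sender domain is external")

    # Lookalike domain registered to resemble the real one.
    if lookalike_domain(from_domain):
        indicators.append(f"sender domain {from_domain!r} resembles {CORPORATE_DOMAIN!r}")

    # Replies silently redirected to a mailbox the attacker controls.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("Reply-To domain differs from From domain")

    # Urgency language in the body (simple messages only; multipart is skipped).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(phrase in body.lower() for phrase in URGENCY_PHRASES):
        indicators.append("body uses urgency or payment pressure language")

    return indicators


# Constructed sample messages used for the training demonstration.
SAMPLE_SPOOF = """From: Jane Director <jane.director@gmail.com>
Reply-To: payments@examp1e.com
To: assistant@example.com
Subject: Urgent wire transfer

Please process this wire transfer today, it is urgent.
"""

SAMPLE_LOOKALIKE = """From: IT Helpdesk <helpdesk@examp1e.com>
To: assistant@example.com
Subject: Password expiry

Your password expires today, please reset it immediately.
"""

SAMPLE_LEGIT = """From: Jane Director <jane.director@example.com>
To: assistant@example.com
Subject: Agenda for Monday

Attached is the agenda for Monday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

In a training session the point is not the script itself but the three questions it encodes: does the name match the address, does the domain match exactly, and is the message trying to rush you. Those are checks a harried middle manager can learn to make in seconds.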
Another important point for enterprises is to ensure that their administrative security procedures are robust and that critical infrastructure and routers are protected from attacks and virus threats; technology should be the element that makes the difference.
Home routers and networks are beyond most people’s IT administration skills, and as such the need to secure them doesn’t even register. This is why router passwords are often not secure enough.
In order to achieve true protection, security and maintenance should be simplified and automated as much as humanly possible. Things should just work securely out of the box, because most people don’t have the time, inclination or indeed motivation to become network security professionals.
Online threats to small and medium businesses have never been so prevalent, or so complex. To counter the rising dangers of hacking, espionage, sabotage, phishing, viruses and data theft, we’d recommend that businesses identify who needs to be educated and then give those people the right tools to prevent real attacks, by demonstrating what a cyber attack actually looks like rather than just telling them to change their passwords often.