Staying Safe at Work
August 01, 2014
It’s common practice to lock the doors at home each night; in fact most people do it without even thinking about it. But what about at work; do you “lock” the doors each day? If you and your workforce are using simple passwords, blindly clicking on pop-ups or suspicious links, or are lacking proper network protections, then your doors are not as secure as you may think.
Any one of your employees could become the gateway to the next big security breach. It’s important for your workers to understand how to keep their data and computers as secure as possible to avoid breaches, but it’s also important for you to put the proper defenses in place to protect your users. Computer criminals rely on the fact that the “average” user is not trained in security. These attackers exploit the fact that many of us rely so heavily on computers that we know so little about. Not everyone can be aware of the latest and most dangerous cyber threats, but they can be aware of how to best protect themselves and their organization.
To help educate your workforce, your organization should communicate these simple guidelines to employees:
Respect the work computer: In an ideal world, employees would not use their company-issued computer for personal use. Realistically, most workers will browse at least a few non-work websites a day. Teach your employees that because their computer is connected to the enterprise network, an attacker who compromises it can use it as a stepping stone to corporate servers, reaching databases that hold customer records, financial data or other proprietary information. Users should treat anything out of the ordinary with suspicion, especially a pop-up that asks them to “click here” or “allow” some action. Clicking through such a message can let an attacker install malware on the user’s computer.
Log out of websites: When you log in to a website, say online banking or social media, the site generates a “session token” and hands it to your browser after you authenticate; the browser then sends that token with every request so the site knows it is still you. A site that follows best practices expires the token after a period of inactivity and after a fixed maximum lifetime; a site that doesn’t keeps it valid until you click “log out”. Here’s a possible attack scenario: you log in to a social media website in the morning before you start work, forget to log out, and leave the browser window minimized. Later that day you click a hyperlink in a phishing email and agree to a pop-up that installs malware on your laptop. The attacker now has remote access to your laptop, can extract the session token from your browser, and can impersonate you on the site without ever knowing your password. They can then send the same phishing email to all of your contacts, infecting them as well. Apply the same scenario to any site that holds financial or healthcare information and you can see how catastrophic it could be. Logging out tells the server to discard the session, so a copied token stops working; if you must log in to sites at work, log out when you’re finished.
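To make the scenario concrete, here is an added example, not code from the original post: a small server-side session store in Python that replays it. The user name, token sizes and timeout values are made up for illustration. It shows that a stolen token is useless after logout because the server has forgotten it, that idle and absolute timeouts kill a forgotten session on their own, and that neither helps while the victim is still actively using the site.

```python
import secrets
import time
from typing import Optional


class FakeClock:
    """Deterministic clock so the scenario can be replayed offline (constructed)."""

    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SessionStore:
    """Server-side session table keyed by an unguessable random token.

    idle_timeout / absolute_lifetime are in seconds; None disables that check,
    which models the "not following best practices" site from the text.
    """

    def __init__(self, idle_timeout: Optional[float] = 15 * 60,
                 absolute_lifetime: Optional[float] = 8 * 3600,
                 clock=time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._clock = clock
        self._sessions: dict = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: an attacker cannot guess it, only steal it
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def logout(self, token: str) -> None:
        # Invalidate on the server, not just in the browser: a token that is
        # no longer in the table cannot be replayed, however it was copied
        self._sessions.pop(token, None)

    def lookup(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None if it is not valid."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        idle_expired = (self.idle_timeout is not None
                        and now - s["last_seen"] > self.idle_timeout)
        hard_expired = (self.absolute_lifetime is not None
                        and now - s["created"] > self.absolute_lifetime)
        if idle_expired or hard_expired:
            del self._sessions[token]
            return None
        s["last_seen"] = now  # activity refreshes the idle timer
        return s["user"]


def replay_succeeds(idle_timeout, absolute_lifetime,
                    user_logs_out, user_keeps_browsing) -> bool:
    """Constructed scenario from the text: "alice" logs in at 08:00, the token
    is lifted from her browser and replayed by the attacker at 14:00.
    Returns True if the server accepts the replay as alice."""
    clock = FakeClock(8 * 3600)
    store = SessionStore(idle_timeout, absolute_lifetime, clock=clock.now)
    token = store.login("alice")
    if user_logs_out:
        store.logout(token)
    for _ in range(6 * 60):        # six hours pass, one minute at a time
        clock.advance(60)
        if user_keeps_browsing:
            store.lookup(token)    # each request she makes refreshes last_seen
    return store.lookup(token) == "alice"


if __name__ == "__main__":
    cases = [
        ("no timeouts, forgot to log out", None, None, False, False),
        ("no timeouts, logged out", None, None, True, False),
        ("15 min idle / 8 h max, forgot to log out", 900, 28800, False, False),
        ("15 min idle / 8 h max, still browsing", 900, 28800, False, True),
    ]
    for name, idle, hard, logged_out, browsing in cases:
        hijacked = replay_succeeds(idle, hard, logged_out, browsing)
        print(f"{name:45} attacker accepted: {hijacked}")
```

The fourth case is the one user education cannot fix on its own: while the victim keeps using the site, the session is live and a copied token works, so the only remaining defences are not getting infected in the first place and short session lifetimes. Note also that a site using purely stateless signed tokens, with no server-side table like the one above, cannot revoke a token on logout without keeping a denylist, which is why a logout button alone is not proof that the session really ended.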
Be aware of secure sites: Sites that users visit all the time, such as Facebook.com, show a padlock icon and an “https” prefix in the browser’s address bar. The padlock means the connection to the domain shown in the address bar is encrypted and the site presented a certificate valid for that name; it does not vouch for who runs the site, so users should also check that the domain name is the one they expect. If a site that normally shows the padlock suddenly doesn’t, or the browser warns about its certificate, it’s possible you have been redirected to a “spoofed” website designed to look like a known, trusted one. Once you are on a spoofed site, anything you type (such as your password) goes to the attacker, and your machine is exposed to a number of attack vectors including malware infection.
Don’t blindly click: Educate your workers about the importance of fully reading pop-up messages that ask them to “allow” some kind of action. These prompts appear when a program or web page wants something it can’t do on its own, such as elevated privileges or access to the camera, location or files, so the user should read what is being requested and which program is asking before agreeing. A prompt that appears out of nowhere, or while visiting a site that has no business asking, is a sign that the content may be malicious.
Be aware of applications: Users should be wary of the third-party applications they download, such as new browser toolbars or add-ons. If, after downloading one, the browser or operating system warns that the application is unsigned, from an unknown publisher or can’t be run securely, don’t “click here” to run it anyway!
Mind the WiFi: Users should pay attention to how their wireless devices behave. If your phone is configured to connect to any available WiFi, you and your corporate data could be at risk while standing in line at Starbucks or any other public place, because a device that auto-joins will happily attach to a rogue access point using a familiar network name. Once you are on a shared wireless network, anyone else on that network can see or tamper with any traffic that isn’t protected by encryption such as HTTPS or a VPN.
Do your part to protect your workers: In addition to user education, organizations should employ technical controls that limit what users can do on their workstations. For example, a common hardening guideline is to remove “Local Administrator” access from users unless they have an explicit need for it, such as IT staff who need to install and configure software. Malware that runs as a standard user cannot install drivers, modify system files or disable security software, so this limits the damage even when a user does click “allow” on the pop-up.
It’s important to be constantly vigilant about educating your employees; it’s not enough to remind them to change their password every few months. Invest in security training for all workers, and follow up on the training to make sure everyone understood the key takeaways. Besides user education, it’s important to consider employing technical controls, policies and procedures. No matter how much training you provide, people will always click links in emails or give out information over the phone if the person sounds convincing enough. Corporate security is primarily the responsibility of IT. If the proper protections are in place across your network, your employees can feel confident that their computers won’t “let” them do anything they’re not supposed to.