Information Security begins at home. Yes, I mean that literally. It’s been my user training mantra for years and I can assure you it’s highly effective.
Developing good InfoSec awareness should be like learning manners: start at home and practice until it becomes second nature. If businesses give employees worthwhile cybersecurity tips that they can use at home, they will gradually include them in their daily digital lives. The benefit transfers directly back to the workplace.
When I started my first IT leadership role with the Federal Bureau of Prisons, we had multiple intrusion and malware prevention solutions in place. But these were only as good as our end users’ awareness of threats and vulnerabilities. I began using our annual refresher training to teach home-based InfoSec skills. By the time I left we probably had the lowest incidence of vulnerabilities and intrusions in the entire bureau.
What skills are most important for users to learn? The three most basic and essential home practices for everyone will come as no surprise:
- Use antivirus software on all your devices—including your smartphone—and always keep it up-to-date. This is important for Mac users, too. I recommend Lookout for both Android devices and iPhones. (Notwithstanding enterprise endpoint protection, there currently are no antivirus apps per se available for the iPhone. But Lookout at least has a “process monitor” to check running apps for malicious activity.)
- Turn on automatic patching to keep your software and apps up-to-date. That way you can benefit from the information security efforts of software vendors. Many if not most attacks target vulnerabilities in outdated software versions and thus can be thwarted simply by patching.
- “Think before you click” on links and attachments! Developing common sense can take time, but once it’s established it’s a game-changer.
If everyone just did these three things faithfully, the whole “chain of trust” would be much stronger. Beyond that, there are two other key areas to focus on:
- Using good password practices
- Being vigilant about your personally identifiable information (PII)
Passwords are inevitably a pain. They need to be long, non-guessable, never reused and never shared. Using password management software that generates and tracks strong passwords for all your websites is ideal; that way you only need to remember the one password or passphrase that unlocks the software. But it better be a good one!
Recently my wife mentioned to me that HR staff where she works had asked for her username and password so they could enter data on her behalf. She said she didn’t see the harm in giving it to them. I said, “The thing is, you never share your password.” What difference would it make? You don’t actually know. So just don’t do it.
Regarding one’s PII, it pays to be equally skeptical and cautious. Remember that “what goes on the web, stays on the web”… forever. We give hackers so much potentially useful data that way: where we work, who our relatives are, our birth date and birthplace… Ask yourself how many of those “security questions” protecting your assets, from your first car to your high school mascot, could be answered by looking at your Facebook page. Keep in mind also that when it comes to Facebook and other social media, your privacy may be only as good as the least security-conscious person or business on your friend list.
Likewise, don’t give out your PII unless you absolutely have to. For example, I suggest that people not give out their social security number at medical offices. That data has no relevance to your medical care, and the fewer places it resides the less chance hackers have to steal it. Ditto customer loyalty programs and so on. The people you’re giving that data to may not misuse it. But how well will they protect it from hackers?
Job surfing? We tend to put a ton of information on our resumes, then post them to potentially insecure locations like LinkedIn, Career Builder, Monster.com and Glassdoor. Don’t submit resumes on sites that sell them to “just anybody.” Remember that such data (address, cell phone number, employers, education, etc.) is perfect for faking your identity.
A further key point about PII is that physical security is just as important as passwords. In particular, “dumpster diving” is a popular way to gather PII. Ask your staff whether everyone has a shredder at home to obliterate stuff like credit card applications, paid medical bills, home mortgage refi applications, expired auto insurance cards and the like. The first time I asked, about 10% had one. Five years later about 90% did.
Then there are mobile devices—these can be our nemesis. Mobile users are far more likely to succumb to phishing, vishing and smishing attacks than PC users. One reason that it’s harder to identify bogus sites on a phone’s smaller form factor. These attacks also rely on a sense of urgency that goes with the convenience factor of mobile usage. But I bet the biggest reason is that mobile users are more naïve about threats.
Remind users regularly that no legitimate source will ever email or text customers about compromised accounts. But PII attacks don’t just come from digital sources. Social engineering, both in-person and by phone, is also popular. Case in point: my daughter recently got a call from a “detective” in Dallas, stating that her PII had been used in the commission of a crime. She was asked to “clear” her name by providing PII. I asked the caller questions like: Why are you calling from a Houston area code when you work for the Dallas police? What is your badge number? Who is your supervisory agent? Needless to say the phisher quickly hung up. There is now an open case with the FTC and the Dallas police regarding the matter.
Also remind your staff that they can cheaply and conveniently freeze their credit. They should also regularly check their credit ratings, as well as their children’s. What you don’t know can certainly hurt you in that regard.
If you provide your employees with this kind of tech-savvy information, and drill it into their heads through regular InfoSec training in the workplace, they will become far more security-aware and much better at protecting your company’s information assets.
Give Pivot Point Security a call if you’d like to talk more about setting up InfoSec training that will benefit your organization.