Amid ever-changing technology, employee education and involvement in keeping data safe is essential to a business's ability to defend against a cyber-attack and data breach. The days of stagnant policies, procedures, and perimeter defenses are gone; employee training must be fluid and evolve with the innovative security threats businesses face.
Technological advancements enable us to check email on mobile devices, work remotely, and conveniently transmit large volumes of information. Such advancements have increased productivity and job satisfaction; however, the increased ability to access data outside the traditional brick and mortar office has raised new challenges for businesses. Traditional cybersecurity relied on defending the "corporate perimeter" by focusing on the use of firewalls and anti- virus software. With the disappearance of the corporate perimeter, cybersecurity d efense has shifted to focusing on the end user—the employee.
Employees represent both the strongest and weakest link in a business's cybersecurity defense. To ensure that employees are equipped to contribute to a business's cybersecurity defense, they must be trained in cyber-related best practices. Best practices curtail behaviors most likely to lead to a data breach or possible cyber-attack, such as:
- Unattended devices in public;
- The use of inadequate passwords; Failing to safeguard passwords;
- Not safeguarding sensitive data and the use of encryption;
- Succumbing to phishing or malware attacks;
- and Exposing data through unsecured networks.
Each of the above presents an opportunity for an individual to gain access to a business's data or network. Each also presents an opportunity, through proper training, for a business to strengthen its cybersecurity defenses to protect itself from emerging threats posed by our ever-changing cyberworld.
Unattended Devices in Public
Leaving a mobile device or laptop in a public place is the single most recognized source of data breaches. Forgetting a mobile device or laptop, or simply leaving them momentarily unattended in a public area, provides all the opportunity needed for outsiders to gain access to a network or data. Our mobile devices and laptops increasingly contain sensitive business data. Forbidding employees from downloading or storing work-related data on mobile devices or laptops would alleviate these issues; however, such a policy is often not practical. Fortunately, there are precautions that would mitigate the risks of lost or unattended equipment.
The majority of devices and laptops are equipped with a lock screen passcode option requiring a relatively simple passcode to gain initial access. While not foolproof, it is a first step. Employees should be required to turn on this setting with all devices used for business purposes. In addition, if business data is stored on a device, that data must be encrypted. Encryption provides an additional, and significantly stronger, layer of protection above and beyond a passcode. Lastly, employees should only use mobile devices and laptops that can be remotely wiped. If lost, a remote wipe is the fail-safe option to ensure that networks and data remain secure.
If employees are permitted to use personal mobile devices or laptops, as opposed to employer-provided equipment, the above safety steps should be required as a condition of accessing business networks.
Each day employees are asked to provide login credentials an inordinate number of times. Individuals cope with this dilemma by utilizing very simple passwords with no safety value, or they use the same passwords across multiple platforms, defeating the purpose of passwords. Compounding the problem of inadequate password selection is the sharing of and failure to safeguard passwords. According to a 2013 study analyzing cyber-attacks and data breaches prepared by Verizon, stolen password credentials were used in 4 out of 5 attacks. See Verizon Enterprise, 2013 Data Breach Investigations Report, available at http://www.verizonenterprise.com/resources/reports/rp_data-breach- investigations-report-2013_en_xg.pdf.
To be effective, passwords must be complex: a combination of upper and lower case letters, numbers, symbols, and 10 to 12 characters in length. These should be changed, at a minimum, quarterly. Passwords should not be shared across multiple platforms. For example, employees should not use their Facebook password to access their work network. Furthermore, employees need to be reminded that hackers can assimilate personal information from the internet and use it to breach unsophisticated passwords.
In addition to the strength of a password, employees must also safeguard passwords just as they are expected to safeguard data. Passwords must remain confidential. Employees should be trained to not share passwords. Once a password is disseminated, there should be no expectation of confidentiality or security. Similarly, employees should not leave passwords in the open for others to see.
As traditional passwords become less secure, businesses are implementing alternatives to passwords such as passphrases or two-factor authentication. A passphrase is a sequence of words or characters combined to form a short phrase. Another login mechanism that is gaining popularity is two-factor authentication. Two-factor authentication requires the user to provide two pieces of information in order to confirm the user's identity. It is more difficult for an unauthorized user to obtain the more complex pieces of information needed to gain access to a device or network using either of these alternatives.
Safeguarding Sensitive Data Through Encryption
When it comes to safeguarding data, encryption is crucial. Encryption is the method by which data is converted into a secret code. To access the encrypted data, one must have a specific password to "decrypt" the data. Encryption is the simplest and one of the most effective means of protecting data. It is also one of the best methods to protect against human error.
All data should be encrypted. Encryption software is already available on most mobile devices and laptops. A plethora of encryption options are also available at no cost or for purchase. If an employee uses mobile devices or laptops outside the office, the data on all such devices should be encrypted. If sensitive information is shared via email, the email should similarly be encrypted. Although the sharing of passwords is discouraged, if passwords are shared, encrypt them. Encryption should be required for all equipment, inside and outside the corporate perimeter. If the data is encrypted, it is protected, whether it is on a lost mobile device, a laptop, or shared sensitive information.
Phishing and Malware Attacks
It is believed that the Anthem attack, the largest single breach of health care data to date, started with a phishing scam in which hackers compromised the credentials of five technology employees. See Brandon Bailey, Investigators Suspect Anthem Breach Began with "Phishing" of Employees, Insurance Journal, (Feb. 10, 2015), http://www.insurancejournal.com/news/national/2015/02/10/357051.htm. Such scams only succeed if an employee unwittingly succumbs to the enticements of the scam. To reduce the risk of falling victim to a phishing or malware scam, employees must be trained to always view emails from unknown sources as suspect. Phishing scams are usually fraudulent emails that appear to come from a legitimate source that attempt to get the recipient to divulge sensitive information. Malware is software that is used to disrupt the operation of a network, take control of computer, or obtain sensitive information. In addition, employers must put in place reasonable restrictions on employee Internet use.
Employees must be trained to identify potentially masquerading emails and follow best practices to avoid phishing or malware scams. Scam emails often telegraph their nefarious motive. For example, employees should be trained to look for email inconsistencies such as whether the "from" and "reply to" addresses are identical. Another common situation involves emails that appear to be legitimate, but are merely clever masks to gain access to data or a network. Educate employees that businesses and service providers (e.g., banks, Google and Yahoo) do not seek personal information (e.g., birthdates or social security numbers) via email. Such information requests are likely a scam and the email should not be trusted. Emails from unknown senders should not be opened until it is confirmed that the email is legitimate.
To further reduce the likelihood that employees will encounter a phishing or malware scam, reasonable steps should be taken to limit employee access to the Internet for personal use. For most businesses, access to the Internet is essential to its operations; use of the Internet should be limited to business purposes. Employees should not have access to personal email accounts, Facebook, Tumblr, Pinterest, and other similar social networking sites from business networks. Malware attacks typically originate via links on webpages as opposed to an email. Prohibiting personal Internet use eliminates another entry point to a business's network.
Businesses should keep employees abreast of the latest phishing and malware ruses through regular training and updates. The FBI, among others, routinely publishes information regarding current phishing and malware attacks. See, e.g., Internet Crime Complaint Center (IC3), http://www.ic3.gov/media/default.aspx (last visited 4/13/2015). Take advantage of this information and share it with employees. Phishing or malware attacks only work if there is an affirmative act by the employee (e.g., following a link). Through education and training, employees can be taught to recognize potential attacks and avoid such baits.
A benefit of the cyber-age is the ability for employees to work remotely. Whether it is from home, the local Starbucks, an airport, or hotel, there are associated risks with working remotely, which, if addressed, can reduce the risk of a data breach or cyber-attack. Public wifi is just that—public. There should be no expectation of privacy or security when connected to public wifi. To ensure network data is secure at all times, employees should be required to use a VPN connection (Virtual Private Network). A VPN connection enables employees to connect using the Internet to a remote network (i.e., the office). The information transmitted via a VPN connection is private and secure and allows an employee to work as if they are directly connected to the network. If a hacker attempts to access data over a VPN, the data will be unreadable and unusable to that individual.
The Employee Role in Responding to a Data Breach
Just as employees must be educated on the best practices to avoid a cyber- attack or data breach, they must also be educated to know what to do if, and when, a breach occurs. The single most important thing an employee can do is immediately report a data breach. Regardless of the cause, employees must know that it is their duty to report a breach to the appropriate individuals. To this end, businesses should have in place a Chief Information Officer (CIO), Chief Information Security Office (CISO), and an Incident Response Team (IRT). It is the combined job of these three positions to address a data breach. Employees should know who these individuals are and have their contact information readily available. Employees should also know that they are expected to report a breach regardless of the day or time. Response time is critical to stopping and remediating a data breach.
To assist in the response, employees should also be trained to note basic information such as the time, location (if involving the physical loss of equipment), and their activities that led to the breach. In the event of a phishing or malware attack, employees should be taught to stop what they are doing to prevent the spread of the attack to other devices or networks.
Cybersecurity is no longer strictly an IT issue. If a business is to implement an effective cybersecurity defense, it is imperative that all employees, from management to the mailroom, are involved.
Employee Education and Training
To implement a top-to-bottom culture of cybersecurity, a business must adopt policies and procedures that are shared with all employees and reinforced through regular training. Employees must be knowledgeable regarding a basic level of cybersecurity; they do not, however, need to be IT specialists. When educating employees, real life examples should be used as teaching tools, as employees are more likely to relate to such examples. When you tell employees the "don't," you cannot forget to tell them the "because." Employees should feel as if they have skin in the game. Let them know how a data breach will impact them and their employment. In the end, employee training must be practical, and straightforward. Employee training must evolve, just as the risks it is intended to prevent evolve. The goal is to equip employees with sufficient information so that they make better and safer decisions.
Employee education and involvement in the safe keeping of data is essential to a business's ability to defend against a cyber-attack and data breach. Although the risk of a data breach may never be reduced to zero, implementing and reinforcing employee best practices through regular training will ensure that employees are the strongest link in a business's cybersecurity defense framework.
Copyright © 2015 DRI's Data and Security Dispatch. Reprint permission granted.