Employee cybersecurity essentials part 1: Passwords and phishing
Your company may have state-of-the-art monitoring and the latest anti-malware and anti-virus programs, but that doesn’t mean you’re not at risk for a breach, or that – as an employee, that you’re not putting your company at risk.
Humans have always been the weakest link in the security chain. Phishing and social engineering schemes account for 93 percent of breaches, according to Verizon’s 2018 Data Breach Investigations Report. And passwords are easier for hackers to obtain than ever. One recently discovered file on the dark web contained 2.6 billion of them for sale.
With proper training and motivation, your employees can prevent phishing attacks and password hacks.
Education is essential, but if you do it wrong it can backfire, overwhelming workers with information and making them too worried about personal consequences to report problems.
As guidance, here are some of the most important things you can teach employees about passwords and phishing, along with tips for presenting the information in a way that will encourage them to comply.
Choosing a password
We know a strong password means one with uppercase and lowercase letters plus numbers and symbols. Passwords should be changed every 90 days. Everybody in security knows this because that’s what the U.S. National Institute of Standards and Technology (NIST) said to do back in 2003.
But, your employees defeated these rules. Because they’re human and have trouble remembering numbers and symbols not used in speech, they use combinations like P@s$w0rd!2 and 1L0v3U*7. It didn’t take hackers long to figure out that symbols were being substituted for letters they looked like and people who had to change passwords every three months simply added sequential numbers to the end.
What about employees using those password meters that tell you whether the password you’re creating is weak, medium, or strong? Researchers at Carnegie Mellon University actually found these to be inaccurate.
As a result, NIST recently admitted failure and revised its guidelines. Instead of using a hash of numbers and symbols, it says, you’re better off with a password that’s longer—at least 64 characters. Though this may sound difficult, it’s actually easier because you can create a pass phrase with spaces between words. Choose words that don’t normally belong together, like “big dog small horse.”
This is good news for employees, who are much more likely to remember words they have chosen than a string of numbers and symbols. Even better news for employees: once you have a good password, you may never have to change it, NIST now says. Just don’t use it for anything else.
However—and this is critical—NIST also says you shouldn’t rely on passwords alone except for low-risk applications. In other words, don’t run your business on them.
NIST is right about that. We view the phrase “strong password” as an oxymoron. Serious cybercriminals use computers to do their password guessing and, as a human, you can’t keep up with that kind of computing power. Today, the average laptop has at least five times the processing power of the NASA Space Shuttle.
That’s why it’s important to use multifactor authentication (MFA). However, passwords are still an important component of that system.
So, encourage your employees to choose a good password, and then move on to MFA and single sign-on (SSO), which will make their lives even easier while making your business more secure.
Spotting a phishing attack
Do your employees know not to click links or attachments from unknown senders and to think twice even when they come from an insider or someone they know? Do they know to hover their mouse over a link to see if the address is different from the hyperlink text? To notice whether the “Reply” line information matches the “From” line?
After years of security training, you might assume that they do. Although if you conduct a company-wide phishing test, the results may surprise you. Workers are busy and sometimes careless. Many believe that if they do click a bad link, your company’s antivirus and antimalware software will save them.
A phishing test provides an opportunity to educate workers about real problems the company faces and updates relevant internal security personnel on the phishing education level of employees company-wide. Training is more compelling and less dry when it deals with the here and now. You should incorporate the latest real-life examples in your industry to help them see how serious cybercrime is and how it’s very possible they can be the heroes who stop it.
Spotting a spear phishing or social engineering attack
While many hackers still get results from traditional phishing attacks, others have moved on to spear phishing and social engineering, also known as business email compromise. In these schemes, a particular individual is targeted and asked to fulfill a request, usually providing data or wiring money.
Unlike traditional phishing attacks, social engineering emails don’t usually contain malware. Instead, they rely on tricking the employee to act on the request.
Some hack the email of the individual they’re impersonating, while others rely on “spoofing,” or using an email address a letter or digit off. Others have figured out how to edit the “From” field to make the fake addresses identical to the real one—but if you click “Reply,” they are different.
Spear phishers comb LinkedIn and other business sites to learn about your company and its personnel and suppliers, your relationships with colleagues or partners and then use the information to craft plausible requests, such as wiring money to pay an invoice or handing over employees’ W-2 information.
Hackers go after small and large businesses alike, and even sophisticated companies have been fooled. For example, Merck & Co. reported an estimated loss of millions from the NotPetya cyberattack from business disruptions of its worldwide operations, including manufacturing, research and sales operations.
Outside of the professional sphere, social engineers target people based on their Facebook profiles. If a friend’s account is hacked, others in the network may be scammed through fake promotion schemes or tricked into downloading a keystroke logger.
Training is important in employee cybersecurity education, as is contextualization for how their own personal information can be used or exposed in these types of attacks too. Employees who realize that their personal information, as well as your business data is at stake are likely to pay more attention to training and become more vigilant.
Every company’s employees are different. Through employee security training and secure solutions, your employees should be able to recognize attacks and help protect the company and their own assets.