Despite the fact that many organizations are turning to outside cybersecurity specialists to protect their systems and data, bringing in a third-party provider remains just a piece of the security jigsaw. For some businesses, working with a technology solutions provider (TSP) creates a mindset that the problem is no longer theirs, and as a result, their role in preventing and mitigating cybersecurity risks becomes more passive.
This is an important misunderstanding, not least because it risks setting aside one of the most powerful influences on promoting outstanding cybersecurity standards: employees. Their individual and collective role in defeating cybercriminals is well understood, and mobilizing everyone to play a role in protecting systems and data remains critical, despite ongoing improvements in cybersecurity technologies. Every stakeholder in this process has a role to play in avoiding the dangers this creates, TSPs included.
Despite the increasing sophistication of cyber attacks, TSPs that invest in key foundational, standardized approaches to training put their clients in a much stronger position. In particular, helping end users to focus on phishing and social engineering attacks, access and passwords, together with device and physical security can close the loop between TSP and end users and keep cybercriminals at bay.
Access, passwords, and connection
TSPs have an important role to play in training end users about key network vulnerabilities, including access privileges, passwords, and also the network connection itself. For instance, their clients should know who has general or privileged access.
As a rule, privileged access is reserved for users who carry out administrative-level functions or have more senior roles that require access to sensitive data. Employees should be informed, therefore, what type of user they are in order to understand what they can access on the network and what they can’t.
Passwords remain a perennial challenge, and frequent reminders about the importance of unique passwords is a valuable element of TSP training and communication strategy. The well-tried approach of using at least eight characters with a combination of letters and special characters, and excluding obvious details like names and birthdays can mitigate many potential risks.
There are also a wide range of password management tools that can help individuals achieve a best practice approach – TSPs should be sharing that insight on a regular basis.
In addition, employees should be cautious about using network connections outside of their home or work. Public networks – now practically ubiquitous in availability – can expose corporate data on a personal device to real risk. It’s important to educate and encourage end users to only connect to trusted networks or secure the connection with proper VPN settings.
Social engineering and phishing
An attack that deceives a user or administrator into disclosing information is considered social engineering, and phishing is one of the most common. These are usually attempted by the cybercriminal by engaging with the victim via email or chat, with the goal to uncover sensitive information such as credit card details and passwords.
The reason they are so successful is because they appear to come from a credible source, but in many cases, there are some definitive clues that should make users/employees suspicious. These can include weblinks containing random numbers and letters, typos, communication from senior colleagues that doesn’t usually occur, or even just a sense that something feels wrong about the situation.
But despite the efforts of cybercriminals to refine their approach to social engineering, well established preventative rules have remained effective. The first is – just don’t click. End users should trust their suspicions that something might not be right, they shouldn’t click on a link or attachment or give out any sensitive information. Just as important is to inform the internal IT or the TSP.
Alerting the right person or department in a timely manner is critical in preventing a phishing scam from having company-wide repercussions. TSPs should always encourage clients to seek their help to investigate or provide next steps.
Physical and device security
Online threats aren’t the only risks that need to be included in end user training – physical security is just as important to keeping sensitive information protected. For example, almost everyone will identify with the stress caused by accidentally leaving their phone or tablet unguarded. And unfortunately, many of us know what it’s like to lose a phone or have one stolen – the first worry that usually comes to mind is about the safety of data.
The same risks apply to workplace data if a device is left unattended, lost or stolen, but there are ways to help end users minimize the risk:
1. Keep devices locked when not in use. For many smartphone users, this is an automatic setting or a good habit they have acquired, but it also needs to be applied to desktop computers and laptops, where the same approach isn’t always applied.
2. Secure physical documents. Despite the massive surge in digital document creation and sharing, many organizations still need to use physical copies of key documents. They should be locked away when not needed, particularly outside of working hours.
3. Destroy old and unwanted information. Data protection extends to shredding documents that are no longer needed, and TSPs should be including reminders about these risks as an important addendum to their training on digital security.
This also extends to the impact BYOD policies can have on network security. For TSPs, this is a critical consideration as the massive growth in personal devices connected to corporate networks significantly increases their vulnerability to attack.
BYOD users are susceptible to the same threats as company desktops and without pre-installed endpoint protection, can be even less secure. Mobile devices must, therefore, be securely connected to the corporate network and remain in the employee’s possession. Helping them to manage device security will also help TSP security teams maintain the highest levels of vigilance.
Empowering end users to guard against the most common risks might feel intangible to employers and TSPs alike, and in reality, they may never be able to measure how many attacks they have defeated. But for TSPs, employees should form a central part of their overall security service, because failing to work with them risks failing their clients.