By the DynaSis Team
The media gives a lot of coverage to cyberattacks and their perpetrators, but the reality for many businesses is that the blame for security breaches lies inside the office. Criminals in faraway countries may design and launch the attacks, but if a company is stoutly defended, an attack should not succeed.
Furthermore, although “stout” defenses require up-to-date technologies such as firewall devices and anti-malware solutions, technology isn’t your only line of defense. Numerous studies indicate that cyberattacks are often successful because company employees let the attackers in.
In fact, a 2014 study conducted by IBM found that in 2013, human error was involved at some level in more than 95 percent of security incidents. The most common “mistake” was an employee clicking on a malicious email link that compromised the corporate defenses in some way.
Other significant forms of human error cited by the IBM report included system misconfiguration, inadequate system patch management and bad password oversight. The remaining top “errors” the study cited were security breaches due to lost laptops and mobile devices.
To combat these vulnerabilities, companies should address what we consider to be the “three pillars” of corporate security―user education, properly managed IT and security systems, and mobile device management. Companies that are not yet taking these pillars seriously are playing Russian roulette, and it won’t be long before it’s their turn to become a victim. We’ll address the second two―properly managed IT and security systems and mobile device management―first.
- Managed IT and Security Systems: Purchasing and deploying a firewall appliance or other security mechanisms isn’t a sufficient defense. As the IBM survey noted, the people behind the technology are equally important. System configuration, patch management and password oversight are all activities normally handled by IT personnel, not by users. That these factors are cited so prominently among the causes of successful cyberattacks underscores the importance of organizations having competent managed services teams working for them.
- Mobile Device Management (MDM): Human error may result in a stolen or lost tablet or mobile device, but that doesn’t mean the company has to be compromised. With a solid MDM solution in place, wiping corporate information is a painless process.
- User Education: We urge all business owners to engage in a major education initiative with employees, if they haven’t already. Actions we recommend include:
  - Turn on “secure browser” features that help identify spoofed and dangerous websites.
  - Change the corporate email format to “plain text,” which does not support embedded links.
  - Instruct personnel to think before they click:
    - They should not open any links in the body of an email from a company PC or mobile device, even if they think it is from someone they know. If they feel compelled to open them, they should first forward them to the firm’s IT security professional or provider for evaluation. Web links can look perfectly fine but actually point to a different address.
    - When personnel surf the web in the office, before they click on any link they should ensure the web address (URL) matches the one they intend to browse. Web addresses should begin with the primary URL of the firm (e.g. http://www.chase.com) rather than contain it later in the link (e.g. http://www.freemoney.chase.com). Search engines such as Google list the link just below the search result, making it easy to see if the link is safe.
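As an added illustration (not code from the DynaSis post), the following Python script applies the two link checks just described to an HTML email body: a link is trusted only when its target host is exactly one of the firm's known hosts, so a host that merely contains the firm's domain elsewhere (like the freemoney example above) is flagged for review, and a link whose visible text shows a domain other than its real target is reported as a mismatch. The sample message, the trusted-host set and the function names are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lowercased hostname of a URL; scheme-less text such as 'www.chase.com' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review_links(html_body, trusted_hosts):
    """One finding per link. 'trusted' requires the target host to be exactly a known
    firm host, so a host that merely contains the firm's domain elsewhere is flagged;
    'text_mismatch' is set when the visible text names a host other than the target."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        target = host_of(href)
        # Only treat the visible text as a host if it looks like one (no spaces, has a dot).
        shown = host_of(text) if "." in text and " " not in text else ""
        findings.append({"href": href, "target_host": target,
                         "trusted": target in trusted_hosts,
                         "text_mismatch": bool(shown) and shown != target})
    return findings

# Constructed sample (not a real message): link 2 shows the firm's domain as its text
# but points at a different host; link 3 has plain text, so no text check applies.
SAMPLE_EMAIL = """<p>Your statement is ready.</p>
<a href="http://www.chase.com/statements">www.chase.com</a>
<a href="http://www.freemoney.chase.com/login">www.chase.com</a>
<a href="http://www.chase.com/help">Help center</a>"""
TRUSTED_HOSTS = {"www.chase.com", "chase.com"}  # assumed allow-list for the example
```

Running `review_links(SAMPLE_EMAIL, TRUSTED_HOSTS)` returns three findings, of which only the second is untrusted and text-mismatched; an IT provider evaluating forwarded mail can run the same check over every link before anyone clicks.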
For companies that aren’t confident they have addressed all these issues, IT assessments and network vulnerability checks are the best place to start. For more information, fill out our inquiry form or give us a call at (770) 569-4600.