By Jay Ryerse, CISSP, Vice President of Cybersecurity Initiatives, ConnectWise
When it comes to cybersecurity, there are a few common misunderstandings. Many clients believe that they’re completely secure and risk-free after hiring a technology solution provider (TSP) to manage their security. However, the inaction of employees remains the biggest risk to an organization’s information security.
Human error is one of the main points of weakness. In fact, it is reported that 90% of cyberattacks are caused by human behavior. Knowing this, it’s crucial for businesses to undergo cybersecurity training. This will ensure that team members learn how to protect sensitive information, understand their responsibilities, and recognize signs of a malicious threat.
As a TSP, you will most likely be responsible for providing security education, training, and guidance on policies for your clients.
Security awareness training should focus on:
- Phishing and social engineering
- Access, passwords, and connection
- Device security
- Physical security
Let’s dive into the tips and best practices that you can teach your clients and end users.
Phishing and Social Engineering
An attack that deceives a user or administrator into disclosing information is considered social engineering. Phishing, a common social engineering attack, is an attempt to gain control of sensitive information like credit cards and passwords through email or chat.
Phishing and social engineering attacks are extremely successful because they appear to come from a credible source. Some giveaways of a phishing attack include links containing random numbers and letters, typos, an odd sense of urgency, or a general sense that something feels off about the request.
Avoiding Phishing and Social Engineering Attacks
What should clients do if they suspect they’re the target of a phishing attack?
- Don’t click! If end users feel like something isn’t right, they shouldn’t click on a link or attachment or give out sensitive information.
- Tell IT or your TSP. Alerting the right person or department in a timely manner is critical in preventing a phishing scam from spreading company-wide. Always encourage your clients to ask you to investigate or provide next steps.
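The giveaways listed above (links containing random numbers and letters, an odd sense of urgency, a sender that isn’t who it claims to be) can be turned into a simple triage script that a TSP might run over reported emails before a person looks at them. The following is an added example, not code from the original article or from ConnectWise; the sample messages, the urgency phrase list and the trusted-domain set are all constructed for illustration, and the heuristics are deliberately simple, so a hit means “have someone look at this,” not “this is phishing.”

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Urgency phrases the article calls out as a giveaway (constructed, illustrative list).
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A run of 12+ characters in a URL that mixes letters and digits ("random numbers and letters").
RANDOM_TOKEN_RE = re.compile(r"(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{12,}", re.IGNORECASE)
# <a href="URL">TEXT</a> pairs, so the displayed link can be compared with the real target.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


@dataclass
class Verdict:
    score: int                      # number of indicators that fired
    reasons: list[str] = field(default_factory=list)


def analyze_message(sender: str, subject: str, body: str, trusted_domains: set[str]) -> Verdict:
    """Score one email against the indicators described in the article. Higher = more suspicious."""
    reasons: list[str] = []
    text = f"{subject}\n{body}".lower()

    # 1. Sense of urgency in the subject or body.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        reasons.append(f"urgency language: {hits[0]!r}")

    # 2. Sender domain is not one the client recognises.
    sender_domain = sender.rsplit("@", 1)[-1].strip(">").lower()
    if sender_domain not in trusted_domains:
        reasons.append(f"sender domain {sender_domain!r} is not a known domain")

    # 3. A link whose host or path contains a long run of mixed letters and digits.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if RANDOM_TOKEN_RE.search(parsed.netloc + parsed.path):
            reasons.append(f"link contains a random-looking token: {url}")
            break

    # 4. Displayed link text names a different host than the real href target.
    for href, shown in ANCHOR_RE.findall(body):
        shown_urls = URL_RE.findall(shown)
        if shown_urls:
            real_host = urlparse(href).netloc.lower()
            shown_host = urlparse(shown_urls[0]).netloc.lower()
            if real_host != shown_host:
                reasons.append(f"link text shows {shown_host} but points to {real_host}")
                break

    return Verdict(score=len(reasons), reasons=reasons)


# Constructed sample data: a client whose real mail domains are example.com / mail.example.com.
TRUSTED = {"example.com", "mail.example.com"}

PHISH = dict(
    sender="IT Helpdesk <helpdesk@example-support-desk.net>",
    subject="URGENT: password expires today",
    body=(
        "Your mailbox will be suspended unless you verify within 24 hours.\n"
        'Click <a href="https://login-verify-xyz.net/k3j9d8a1q7z2x5/reset">https://portal.example.com</a> now.'
    ),
)

BENIGN = dict(
    sender="hr@example.com",
    subject="Benefits enrollment opens Monday",
    body='Details are on the intranet: <a href="https://intranet.example.com/hr/benefits">https://intranet.example.com/hr/benefits</a>',
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        verdict = analyze_message(**msg, trusted_domains=TRUSTED)
        print(f"{label}: score={verdict.score}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

The constructed phishing message trips all four indicators (urgency wording, an unknown sender domain, a random-looking path token, and link text that shows the client’s portal while pointing elsewhere), while the HR notice scores zero. In practice the trusted-domain set comes from the client’s actual mail configuration, and the output is a reason to escalate to IT or the TSP, which is exactly the “Tell IT or your TSP” step above.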
Access, Passwords, and Connection
During cybersecurity training, it’s important to go over the different elements of the network, such as access privileges, passwords, and the network connection itself.
Your clients should be aware of which colleagues are general users versus privileged users. Typically, privileged access is given to users who carry out administrative-level functions or need access to sensitive data. Your client’s employees should know what user type they are in order to understand what applications, information, or functions are accessible to them.
When it comes to passwords, especially those used to access IT environments, employees need to be using best practices. Passwords should be unique to each application or site, contain at least eight characters with a combination of letters and special characters, and exclude obvious information like names and birthdays. Generally, it’s best to change and/or update passwords about every six months. Password management applications, like 1Password, can help make this process easier.
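The password rules in the paragraph above (unique per site, at least eight characters, letters plus special characters, no names or birthdays, refreshed about every six months) are easy to state but easy to get subtly wrong, for example by checking only the full birthday and missing “1990” or “0412”. The following is an added example, not code from the original article or from any password manager; the employee profile and vault contents are constructed, and the 182-day rotation period is an assumption standing in for “about every six months.”

```python
from __future__ import annotations

import re
import string
from datetime import date, timedelta

MIN_LENGTH = 8                          # "at least eight characters"
ROTATION_PERIOD = timedelta(days=182)   # assumption: roughly "every six months"


def personal_tokens(full_name: str, birthday: date) -> set[str]:
    """Substrings derived from a name and birthday that a password must not contain."""
    tokens = {part.lower() for part in full_name.split() if len(part) >= 3}
    tokens |= {
        birthday.strftime("%Y"),                                          # 1990
        birthday.strftime("%d%m"), birthday.strftime("%m%d"),             # 1204, 0412
        birthday.strftime("%d%m%y"), birthday.strftime("%m%d%y"),         # 120490, 041290
        birthday.strftime("%d%m%Y"), birthday.strftime("%m%d%Y"),         # 12041990, 04121990
        birthday.strftime("%Y%m%d"),                                      # 19900412
    }
    return tokens


def check_password(candidate: str, site: str, full_name: str, birthday: date,
                   vault: dict[str, str]) -> list[str]:
    """Return the list of policy violations for a proposed password (empty list = acceptable).

    `vault` maps site -> password for the employee's other accounts; a password manager
    performs this reuse comparison inside its own vault rather than on plaintext like this.
    """
    problems: list[str] = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special characters")

    lowered = candidate.lower()
    for token in sorted(personal_tokens(full_name, birthday)):
        if token in lowered:
            problems.append(f"contains personal information: {token!r}")
            break

    reused = [s for s, pw in vault.items() if pw == candidate and s != site]
    if reused:
        problems.append(f"already used for: {', '.join(sorted(reused))}")

    return problems


def due_for_rotation(last_changed: date, today: date) -> bool:
    """True when a password is older than the rotation period."""
    return today - last_changed >= ROTATION_PERIOD


# Constructed sample employee and vault.
EMPLOYEE_NAME = "Alice Smith"
EMPLOYEE_BIRTHDAY = date(1990, 4, 12)
VAULT = {
    "crm.example.com": "Tr0ub4dor&3",
    "mail.example.com": "w8!Xq-pine-Lantern",
}

if __name__ == "__main__":
    for pw, site in (("alice1990", "hr.example.com"),
                     ("Tr0ub4dor&3", "hr.example.com"),
                     ("w8!Xq-pine-Lantern", "mail.example.com")):
        issues = check_password(pw, site, EMPLOYEE_NAME, EMPLOYEE_BIRTHDAY, VAULT)
        print(f"{site}: {'OK' if not issues else '; '.join(issues)}")
    print("rotation due:", due_for_rotation(date(2023, 1, 1), date(2023, 7, 15)))
```

Run as a script, it rejects “alice1990” (no special characters, contains the birth year), rejects reusing the CRM password for a new HR account, and accepts the existing mail password for the mail site itself. The checks are ordered so an employee sees every problem at once instead of fixing them one at a time.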
Employees should be cautious about using network connections outside of their home or work. Even a personal device that encrypts its data can be exposed to attack over a public network connection. It’s important to educate and encourage end users to only connect to trusted networks or to secure the connection with proper VPN settings.
Device Security
Today, Bring Your Own Device (BYOD) is increasingly popular, meaning a growing number of mobile or personal devices in the workplace are connecting to the corporate network and accessing company data. Introducing outside devices to the network increases the number of entry points for threats. With this in mind, mobile devices need to be securely connected to the corporate network and remain in the employee’s possession.
Personal mobile devices are vulnerable to the same threats that company desktops and laptops face. Without pre-installed endpoint protection, tablets and smartphones may be even less secure. It’s important for users to be aware of the applications they’re installing, websites they’re browsing, and links they’re clicking on.
Physical Security
Online threats aren’t the only risks that employees need to be aware of. Physical security is also a factor in keeping sensitive information protected. How many times have you accidentally left your computer or mobile device unattended? It happens to all of us. Unfortunately, an employee’s data would instantly be at risk if someone decided to steal their unattended phone or log in to their computer.
Here are a few ways that clients can improve their physical security in and out of the office:
- Keep devices locked. Get in the habit of doing this every time you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press Control + Shift + Eject (or the Power key) at the same time.
- Secure your docs. Keep all of your documents in a locked cabinet, rather than leaving sensitive information out and about. Before leaving for the day, store important documents in a safe or locked cabinet.
- Properly discard info. When throwing away or getting rid of documents and files, make sure you’re shredding them and discarding them appropriately.
About the Author
Jay Ryerse, CISSP, is the Vice President of Cybersecurity Initiatives for ConnectWise. He brings more than 25 years of experience providing information technology and security solutions to businesses of all sizes. He’s the previous owner of a successful Atlanta-based MSP and was the CEO of CARVIR, the cybersecurity company acquired by Continuum in 2018. Jay is the author of “Technology 101 For Business Owners”, was named to “The World’s TOP MSP Executives, Entrepreneurs & Experts” in 2014 by MSPmentor.net, and was the “2015 Better Your Best” winner from Technology Marketing Toolkit. Today he works closely with IT service providers and MSPs to provide insight and best practices for securing business networks.