On Sundays, I try to relax and not think about IT security, but an interesting story on the front page of the Washington Post got my attention. In 1969, the Pentagon’s Advanced Research Projects Agency pioneered a computer network linking about 100 universities and military sites. It was called ARPANET, and it was the beginning of what later became the Internet. Fast forward, and the Internet permeates the business world, which would look very different without that Pentagon military project over 46 years ago.
From the beginning, some computer scientists warned that the Internet and its data transmission standard — Transmission Control Protocol/Internet Protocol (TCP/IP) — were vulnerable to hackers if they did not incorporate encryption. For this reason, the military created its own encrypted network, still using TCP/IP, but the civilian Internet kept its fundamentally open nature. Encryption, and the hardware needed to support it in the early days of the Internet, would have been very costly, perhaps even preventing the nascent Internet from succeeding.
Of course the Internet did succeed, and the first worm appeared in 1988, created by a Cornell University graduate student. Today, over 10,000 new malware threats are discovered every hour, a quarter million a day.
Billions of dollars are spent each year on anti-phishing, anti-malware, anti-spam and other security solutions, yet threats still find their way into many small-to-midsized businesses (SMBs). What can be done? What is the antidote to this epidemic of phishing, next-generation malware and other threats? Unfortunately, there is no magic solution, but enterprises can take some recommended steps. SMBs without an IT department can consult with a managed service provider (MSP) for help in implementing these security best practices:
effective training for users to detect phishing attempts;
detailed and thorough company policies that encourage acceptable user behavior;
enterprise-grade alternatives to less secure consumer-focused tools;
layered security solutions that better thwart malware, phishing attempts and other threats.
1. Train Proactively
Cybercriminals are getting more sophisticated, and are even banding together and sharing techniques via social media. In some cases, they have launched coordinated attacks against a single, high-value target. This has made some organizations more vulnerable to phishing attacks and other threats. Plus, malware is getting “smarter” and harder to detect and eradicate.
Users are the first line of defense in any security infrastructure, and they should be adequately trained. Approaches to security awareness training vary substantially, from the informal lecture and slide show “break room” approach, to intensive drills where simulated phishing attacks are sent to everyone in an organization.
Employees should receive thorough training about phishing and other security risks, and how to detect phishing attempts. Emphasis should be placed on the importance of being skeptical about suspicious emails and content. Email attachments and links should be automatically scanned before being opened. Email is the most common enterprise entry point for malware.
Above all, make sure that all network users understand the risks presented by phishing and malware, and how important each employee is to the organization’s IT security.
2. Clear and Detailed Policies
Employees should use passwords whose complexity matches the sensitivity and risk associated with the data assets they protect. Sensitive data should be protected and made available only on a need-to-know basis. Passwords should be changed on a rigidly enforced schedule, and they should be managed by IT.
Clear policies need to be established and communicated to all employees regarding remote access, telecommuting, and using personal devices for work (BYOD). A policy should be set for acceptable tools that employees may use for file sync and share, and for social media. Caution workers about sharing too much information on social media, and educate them on how cybercriminals use social engineering to trick gullible victims.
3. Use Enterprise-Grade Tools
If possible, deploy enterprise-grade security solutions in place of employee-managed solutions. For example, there are viable, easy-to-use enterprise-grade alternatives to widely used consumer-grade file sync and share solutions like Dropbox, Google Docs, and Microsoft OneDrive. There are file-sharing systems available to organizations that accommodate very large files, which some business email systems cannot handle.
Consider implementing business continuity solutions such as backup enterprise email options to be used during outages, instead of employees’ personal Webmail accounts.
4. Layered Solutions
IT departments, or the MSP, should implement robust, layered security solutions based on threat intelligence. While the employee is the first line of defense in IT security, they are by no means the only element. A layered security infrastructure, based on analytics and good threat intelligence, will greatly lessen the chances of a data breach.
However, the human component is really the first layer of security, because an alert and properly trained employee can often thwart potential incursions like phishing attempts before they are detected by technology. The best security solution is only as good as the people behind it.