Cyber attacks can destroy your business. It’s important to invest in your best line of defense: your employees. Engaging your employees with education while protecting their mobile devices and endpoints could be the most important piece of your security strategy.
Bring Your Own Device (BYOD) policies are becoming more prevalent as employees are demanding choice of phone and reduction in the number of devices they need to carry. But with the popularity of BYOD you may not be completely prepared for the security problems that arise with the increase of mobile devices.
Consider a Mobile Risk Assessment to get a baseline understanding of the risk facing your mobile users. Mobile devices present a uniquely challenging landscape for security professionals and businesses alike. Cybriant’s Mobile Security Assessment considers every avenue and aspect in which risk may present itself and provides recommendations to address these challenges.
Corporate infrastructures have been venturing into the BYOD (Bring Your Own Device) world for years, often without knowing it. Conditional restrictions are often not in place to prevent access to corporate data such as email, SharePoint, calendaring, corporate contacts, etc. And even where conditional restrictions do exist, mobile threat defense software may not be installed or used on the device.
However, companies will often stringently safeguard their corporate laptops and desktops with MDR solutions, SIEM agents, and vulnerability management solutions. The difference in approach between BYOD and corporate-managed devices is perplexing, because both often have access to the same confidential data, yet the BYOD devices lack similar safeguards. With the recent string of major vulnerabilities discovered in both the Android and Apple iOS ecosystems, it should be obvious that any device that can access corporate data is a legitimate avenue for attack.
Consider our Mobile Threat Defense to protect your mobile users.
Employee Security Awareness
With a little training and a lot of awareness, you and your employees can prevent information thieves from accessing your financial data, customer records and proprietary information.
Drill yourself and your employees in the following practices, and you will take a giant leap forward in protecting your company. All of these guidelines are actionable without buying any additional software. Make it clear that you are practicing these guidelines yourself and you are likely to get buy-in on keeping information safe.
Passwords on Work Computers
Passwords are your greatest point of vulnerability. If a malicious person obtains a password, your entire network is at risk. Here are some best practices:
- Keep your passwords to yourself. Don’t share them with coworkers, family or friends. Don’t even share them with the company. No company communication of any kind will ever ask for your password. If you receive such a communication, notify the appropriate security person immediately.
- Do not use the same passwords for work and personal email accounts.
- Use passwords that no one could guess but that you can remember easily. Never write them down and don’t send them in an email. Use the guidelines for creating exceptional passwords below.
- When websites ask if you want to have your password remembered, select “no.” A cyber attacker on that site could get your password and then get into your work email account.
- If you notice unusual activity or suspect your password is no longer secure, change it immediately. Do not just add a “1” or an “a” to the end of it. Create a brand-new password.
- Change your passwords every three months, even if you don’t notice any suspicious activity.
Techniques for Creating Exceptional Passwords
A password should contain eight characters or more, and should use special characters that are neither letters nor numbers, such as exclamation points. Also, use a combination of uppercase and lowercase letters.
- Use a pass phrase instead of a password. Select a phrase that you can remember, such as, “I never learned how to swim.” Add punctuation that you can remember as well.
- Replace words that describe numbers with the actual numeral. “I was 7 when I first rode a horse.”
- Create acronyms. Take the first letter of the words in a phrase to make a password. “I was seven when I first rode a horse” becomes “iwswifrah”.
- Try secret codes. Create your own rules, such as adding the dollar sign to numbers or following capital letters with a percent sign. This example might look like this: “I% never went to public school until I% was $5.” This is just an example. Create rules you can remember.
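The numeral and acronym rules above, written out as an added example (not code from the original post), together with a check against the page's own stated minimums of eight or more characters, mixed case and a special character. The number-word table and the sample phrases are constructed for the demo; note that the bare acronym "iwswifrah" meets the length rule only, and needs the capitals and punctuation the page also recommends before it passes every check.

```python
# Number words the page's rule swaps for numerals (constructed table for this example).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
}

def replace_number_words(phrase: str) -> str:
    """Page rule: replace words that describe numbers with the actual numeral."""
    return " ".join(NUMBER_WORDS.get(w.lower(), w) for w in phrase.split())

def acronym(phrase: str, keep_case: bool = False) -> str:
    """Page rule: take the first character of each word.
    keep_case=False reproduces the page's all-lowercase 'iwswifrah'."""
    out = "".join(w[0] for w in phrase.split())
    return out if keep_case else out.lower()

def policy_report(pw: str) -> dict:
    """The page's stated minimums, checked one by one."""
    return {
        "length": len(pw) >= 8,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "special": any(not c.isalnum() and not c.isspace() for c in pw),
    }

def meets_policy(pw: str) -> bool:
    return all(policy_report(pw).values())

def strengthen(phrase: str, suffix: str = "!") -> str:
    """Combine the rules: numerals first, then a case-preserving acronym,
    then a punctuation character the user can remember (assumed default '!')."""
    return acronym(replace_number_words(phrase), keep_case=True) + suffix

if __name__ == "__main__":
    phrase = "I was seven when I first rode a horse"
    print(acronym(phrase), policy_report(acronym(phrase)))
    print(strengthen(phrase), policy_report(strengthen(phrase)))
```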
Security on Mobile Devices
If you use a smartphone or tablet to access your work files and services, use passwords on these mobile devices. They are susceptible to being lost or stolen.
Use different passwords on mobile devices than you use on laptops or computers.
Check your device’s security or setting features to see if you have the ability to use any of the following:
- Lock or Timeout: Set the amount of time you want for locking out any user. This is a good safeguard for those times when the device sits idle, such as when it has been lost or stolen.
- Passcode for Unlock: Require a password to unlock the mobile device.
- Fingerprint Reader: Some phones and tablets offer fingerprint recognition. Using this option helps prevent access even if someone has stolen your password.
- Data Erase: Set your device to erase all data after a predetermined number of log-in attempts.
- Remote Locate and Wipe: Some mobile units not only allow you to locate them through GPS (Global Positioning System), they also allow you to erase all data using a remote computer.
Email Best Practices
Staying alert when handling email can prevent many cyber security breakdowns. Make sure your employees follow these best practices regarding email:
- Log out of your email account when you are not using it. Leaving it open and unattended creates opportunities for hackers.
- If you have the ability to create your own email address, make it complex.
- Tell someone about any suspicions you have regarding email hacking, even if you are not sure.
- From time to time, select new security questions.
- Don’t put your password anywhere on the internet, including cloud services.
- Keep password clues to yourself. Sharing clues to your password can be as dangerous as sharing your password.
- Treat attachments from unknown senders as off limits.
- Look at the list of people receiving your email when you use “reply all.” Any suspicious addresses could be someone trying to get your email address.
- Use a junk email account to sign up for special offers. Don’t give out your work email address to random sites.
- Report spam, don’t respond to it. Contacting a spammer can make you vulnerable and get you on a list of people they regularly contact.
- Install the updated versions of your email program and browser. The latest versions often have new security features built in.
Some con artists try to get your information through phishing emails. These are official-looking emails that ask for information such as passwords, account numbers or other information that could make access to company accounts easier.
You are often urged to act quickly to resolve an issue, and in doing so, you may provide log-in codes and other company access secrets. The sender is trying to scare you into giving out vital information.
Below is an example of an actual phishing email.
Fri 3/18/2016 3:00 AM
This message was sent with high importance.
Dear (Your Company Name) Email User.
You have exceeded its mailbox set limit by System Administrator and you will have problem in sending and receiving emails until you increase your mailbox quota.
Click here to increase quota.
Otherwise, you will have limited access to your mailbox. if not updated within 12hours your account will be permanently closed. Click here now
Here are some reasons you should immediately be suspicious of this email.
- The name of the sender is unfamiliar. The person has no official title or contact information.
- The email does not have the company logo or any other branding information. (It most likely does not look like other company emails in terms of color or format.)
- The signature does not list a person, but instead gives a vague department the recipient probably never heard of.
- The threat of closing the account is unrealistic.
- There are often spelling, grammar or punctuation errors. (In this case, “12hours” is not spaced correctly and “if” should have been capitalized.)
- Clicking on any of the links will take you to a page where secret information is asked for.
Never comply with these emails, and do not click the links. If you do click the links and discover your mistake, report the incident immediately.
Most importantly, never respond with any log-in information, account names, numbers or passwords. No company will ask for such data in an email.
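The red flags listed above, turned into simple detection rules and run over a re-typed copy of the sample email. This is an added example, not code from the original post; the regular expressions, the threshold and the benign comparison message are constructed for the demo, and a real mail filter would combine such heuristics with sender and link analysis rather than rely on text patterns alone.

```python
import re

# Re-typed copy of the page's sample phishing email (constructed test input).
SAMPLE = """Dear (Your Company Name) Email User.
You have exceeded its mailbox set limit by System Administrator and you will have problem in sending and receiving emails until you increase your mailbox quota.
Click here to increase quota.
Otherwise, you will have limited access to your mailbox. if not updated within 12hours your account will be permanently closed. Click here now"""

# A constructed ordinary internal email for comparison.
BENIGN = """Hi Dana,
The Q3 budget spreadsheet is attached. Let me know if Thursday works for a review.
Thanks,
Sam Patel, Finance"""

# Each rule maps one of the page's red flags to a pattern (assumed heuristics).
CHECKS = [
    # "Dear ... Email User": no personal name in the greeting.
    ("generic greeting", re.compile(r"^dear\b.*\b(user|customer|member|account holder)\b", re.I | re.M)),
    # Deadline or threat designed to scare the reader into acting quickly.
    ("urgency / deadline", re.compile(r"\b(within\s*\d+\s*(hours?|days?)|immediately|permanently closed|suspended)\b", re.I)),
    # Links with no stated destination.
    ("vague call to action", re.compile(r"\bclick here\b", re.I)),
    # Sloppy typing such as "12hours": a number fused to its unit.
    ("number fused to unit", re.compile(r"\b\d+(hours?|days?|minutes?)\b", re.I)),
    # Sentence starting in lowercase after a full stop ("mailbox. if not").
    ("sentence starts lowercase", re.compile(r"[.!?]\s+[a-z]")),
]

def phishing_indicators(text: str) -> list:
    """Return the names of every red-flag rule that fires on the message body."""
    return [name for name, rx in CHECKS if rx.search(text)]

def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` independent red flags fire."""
    return len(phishing_indicators(text)) >= threshold

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, is_suspicious(body), phishing_indicators(body))
```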
Locking Devices When You’re Away
If you leave your computer open while going to lunch, or leave your phone on your desk when you go to a meeting, you are allowing anyone who passes by to have access to your device. Think about this: since you are already logged in, they won’t even need your user name or password to see information.
Lock your device when you leave it, even for a few moments. Don’t rely on the device’s automatic locking feature. It could take too long. Anyone who touches your keyboard can keep your computer, phone or tablet from timing out.
To lock a Windows computer, hold down the Windows key and the L key at the same time. Alternatively, press and hold the CTRL, ALT and DEL keys, then choose the Lock option on your screen.
When you want to lock your Mac OS X device, hold down the Control, Shift, and Eject (or Power) keys.
Locking your devices does not mean you are suspicious of coworkers; it means you are security-conscious and recognize that you are responsible for the data you possess.
Security When Working Remotely
Employees who work remotely must take extra precautions to remain cyber-safe.
If you log in to your company system through a VPN (Virtual Private Network), you can access the same data you have access to at work. However, if your computer has spyware, you could inadvertently expose company information. Spyware allows an outsider to transfer information from your hard drive. For that reason, you should never access the company network from a computer that lacks virus and spyware protection.
Secondly, your Wi-Fi access should be password-secured. If you don’t require a password to access your Wi-Fi, any neighbor or passerby who snoops around in your wireless signal can see everything you are doing online. Don’t use public Wi-Fi for work communications. Hackers routinely search public Wi-Fi for computers they can break into.
Finally, when you have a choice, use WPA security for your wireless network. It provides a high level of security for wireless traffic.
Your Employees are Your Best Defenders
Turn these pointers into lessons you repeat with employees periodically. Post important security measures in work areas, and create an atmosphere where employees feel free to report security issues or concerns. All the sophisticated technology in the world won’t be as effective in keeping your company secure as diligent and watchful employees. For a more secure organization, start with a mobile security risk assessment.