How to Instill a Culture of Security in Your Organization
August 27, 2015
As an IT professional, I understand the importance of having a productive security conversation with end users. As many IT professionals know too well, this can be a challenging task.
Some end users just don’t take data security as seriously as they need to. Working at previous companies, I’ve heard attitudes ranging from, “Why should I care?” to “We’re not a target,” and “This could never happen to us.”
The reality is far more harsh.
A study released in late 2014 found that 43% of companies experienced a data breach in the past year. Over the last two years, 91% of healthcare organizations have experienced at least one data breach, with 40% having had more than five breaches. The numbers are staggering.
It’s getting to the point where your organization is almost more likely to experience a data breach than not. That’s why the following topics should be explained thoroughly to your users in a way that illustrates why data security measures are more important now than they’ve ever been.
2-Factor Authentication
The first and simplest data security measure to enforce for your users is 2-Factor Authentication. It provides a basic level of protection against compromised passwords. 2-Factor Authentication combines something the user knows (their password) with something they have (a one-time code produced by a device in their possession).
Though you can’t use 2-Factor Authentication everywhere on the web yet, you can use it on a number of important applications. Here’s a great article that shows you where you need 2-Factor Authentication and how to enable it. You can also visit twofactorauth.org to find a more exhaustive list of which applications accept 2-Factor Authentication–and which don’t.
Setting up 2-Factor Authentication should be part of your users’ onboarding (at BetterCloud we require it for all users). Setting it up from the start is much easier than asking your users to do so down the road.
Here’s a guide for how to set up 2-Factor Authentication for Google Apps and Office 365 users.
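To make the “something they have” concrete for a training session, here is an added example (not code from the original post or from BetterCloud) of how the codes shown by a common authenticator app are produced and checked. They are not random in the strict sense: the app and the server share a secret enrolled at setup time, and each side derives the current code from that secret and the current 30-second time slot (RFC 6238 TOTP, built on RFC 4226 HOTP). Someone who has only the password cannot produce the code. The secret below is the published RFC test secret, used here purely as constructed demo data; the function and parameter names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII string "12345678901234567890" in base32,
# which is the reference secret used by the RFC 4226 / RFC 6238 test vectors.
# A real deployment generates a fresh random secret per user at enrollment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so the phone and the server only need the
    shared secret and reasonably synchronised clocks."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the code for the current slot and `window`
    slots either side to tolerate clock drift, comparing in constant time so
    the comparison itself does not leak how many digits matched."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    print("code for this 30-second slot:", totp(DEMO_SECRET_B32))
    print("RFC 6238 vector at t=59 (8 digits):", totp(DEMO_SECRET_B32, at=59, digits=8))
```

A production verifier would additionally remember the last counter it accepted for each user and refuse to accept that slot again, so a code that was phished or shoulder-surfed cannot be replayed within its validity window.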
Office Security
There are several basic preventative security steps that your users can take around the office. First and foremost, your users need to be aware of tailgaters. When walking in and out of secure areas, users should make sure they are not being followed into secure rooms or into your office building. This is also known as piggybacking.
Other simple habits to preach to your users are locking their computers whenever they leave their desks and never leaving confidential documents in the printer or scanner.
Another way attackers will try to get access to your confidential data is by “baiting” your users. Baiting takes advantage of your users’ curiosity and is often carried out by leaving malicious SD cards or flash drives with intriguing names like “2016 Bonus Structure” around the office. Through baiting, attackers can have users manually insert malware into your system.
There are a number of other ways that attackers can breach your company’s security, but many can be negated by being aware of any unusual behavior and using common sense. If something doesn’t feel right, it probably isn’t.
Phishing Emails
Phishing emails are one of the most common ways organizations are targeted. As an admin, you should always know who is sending you emails and how to stop sender fraud. Phishing emails are used to acquire personal or company information from an individual, and there are two simple things your users need to understand about phishing:
- No one should ever ask for your password over email.
- No one will ever randomly email you and give you money.
Phishme is a great tool to test your users and teach them what a phishing email looks like.
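The two rules above can also be turned into a first-pass mail check that admins can run over reported messages. The following is an added example, not code from the original post or from any tool it mentions: it parses a raw message, reads the sender-authentication results that the receiving mail server stamps into the Authentication-Results header (SPF, DKIM and DMARC, which is one way to “stop sender fraud”), and flags the two lures the post describes. The internal domain, the header names the mail server writes, the sample messages and the function names are all this example’s own assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (hypothetical value).
INTERNAL_DOMAIN = "example.com"

# Results the receiving MX writes into Authentication-Results (RFC 8601 format).
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# Rule 1: nobody should ask for your password over email.
PASSWORD_REQUEST_RE = re.compile(
    r"\b(reply|send|confirm|verify|provide)\b[^.]{0,60}\bpassword\b", re.I)
# Rule 2: nobody randomly emails you to give you money.
MONEY_LURE_RE = re.compile(
    r"\b(lottery|prize|inheritance|you have won)\b|\$\s?\d", re.I)


def _domain(address):
    return address.rpartition("@")[2].lower()


def _plain_text(msg):
    """Return the first text/plain body, decoded; empty string if none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze_email(raw):
    """Return a list of short finding tags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    # Explicit SPF/DKIM/DMARC failures recorded by our own mail server.
    for mech, result in AUTH_RESULT_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in ("fail", "softfail", "permerror"):
            findings.append("auth:%s=%s" % (mech.lower(), result.lower()))

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Replies silently redirected to a domain other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # Display name borrows our domain while the real address lives elsewhere.
    if INTERNAL_DOMAIN in display_name.lower() and from_domain != INTERNAL_DOMAIN:
        findings.append("display-name-claims-internal-domain")

    text = _plain_text(msg)
    if PASSWORD_REQUEST_RE.search(text):
        findings.append("password-request-in-body")
    if MONEY_LURE_RE.search(text):
        findings.append("money-lure-in-body")
    return findings


# Constructed sample: a credential-harvesting lure (not a real message).
PHISH_SAMPLE = """\
From: "IT Helpdesk (example.com)" <helpdesk@examp1e-support.net>
Reply-To: recovery@mailbox-recovery.invalid
To: user@example.com
Subject: Action required: account verification
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.net; dkim=none; dmarc=fail header.from=examp1e-support.net

Your mailbox is over quota. Reply to this email with your password to confirm your account.
"""

# Constructed sample: an ordinary internal message.
LEGIT_SAMPLE = """\
From: Alice Example <alice@example.com>
To: user@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Are we still on for lunch at noon?
"""

if __name__ == "__main__":
    print("phish :", analyze_email(PHISH_SAMPLE))
    print("legit :", analyze_email(LEGIT_SAMPLE))
```

The regexes are deliberately narrow training heuristics, not a spam filter; the authentication results are the part worth trusting, and only when the header was written by your own mail server rather than copied in by the sender.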
Web Security
Many users just don’t understand SSL warnings and their importance. Most will blindly click through warnings. Users have become so accustomed to seeing warnings online from poorly configured websites that they fail to take a second look. This is an area where you can really play a key role in educating your users about the dangers of bypassing warnings.
A 2009 Carnegie Mellon study on SSL warnings takes a more stringent view: “while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections.”
Your users should be mindful of the browser extensions they install. Extensions that make grandiose claims before installation, such as offering a free iPad or Surface Pro, and extensions for recording or pirating audio and video should be avoided. An extension that directly asks for a password should never be installed. In other words, make sure your users review permissions before installing.
If your users use Chrome Sync, make sure they set a sync passphrase for additional data security. This way the passphrase stays on their local device rather than on Google’s servers.
Password Strength and Password Managers
If there is one thing you need to make loud and clear to your users it’s the importance of creating strong passwords. Two out of every three data breaches involve attackers using stolen or misused passwords, according to the 2014 Verizon Data Breach Investigations Report.
On choosing a strong password, renowned cryptographer and security specialist Bruce Schneier offers four very good pieces of advice:
- Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
- Don’t bother updating your password regularly. Sites that require 90-day–or whatever–password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
- Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
- One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.
Note: Facts about your users, such as the high school they attended or old addresses, are available in public records. Birthdays, pet names and the names of best friends are all very easy to find on social media, which is the primary reason password security questions can be harmful.
Changing the Security Mindset and Spreading Awareness
Instilling a culture of security is a tough challenge for any IT admin, but frankly, it’s a necessity. You need to train your users to take a step back in situations of uncertainty. You need to train them to ask a colleague, use Google, or go to IT if something seems suspect and doesn’t feel right. While training your users, it really helps to show your employees the risks of a data breach and the hard numbers behind them. Make them aware of what’s at stake.
But security isn’t just company related; it applies to their personal lives as well. Annually, more than 12 million people are victims of identity fraud, with the average monetary loss being more than 5,000 dollars. Those numbers will likely hit home harder than the idea of company data loss ever will. If you can get employees to be more security conscious outside of work, that mentality will likely bleed into how they approach security in their work lives as well.
Outside of work, your users should consider using 2-Factor Authentication on Apple and Google accounts. They should take advantage of “find my phone” tools for Apple and Android devices. They should be using FileVault or BitLocker to encrypt the startup disk on their computer. And lastly, they should update their personal devices. Upgrades are often security related, so making sure personal devices are running the latest version of software is essential.
Regardless of where you work, your users need to know the dangers of a data security breach. It’s your duty to educate them and to instill a culture of security that helps prevent data loss. After all, we IT admins are given a lot of responsibility, and that means when things go wrong, we’re often the ones shouldering the blame.