The Covid-19 Pandemic has affected everyone, forcing many to work from home and causing an increase in the use of virtual environments. With it comes a rise in cyber-attacks, as hackers take advantage of the confusion and peoples lack of preparation to break into company networks, and trick people into revealing sensitive information. This blog post will discuss some of the common areas of deficiencies for firm’s cybersecurity training programs, and a few tips for improving those programs to keep your firm and employees protected.
Identifying and dealing with Phishing attempts
Phishing is a type of social engineering attack often used to steal user data where the attacker disguises themselves as a trusted source through an electronic communication, such as an email, and is one of the most common forms of cyber-attacks. With people working from home and communicating online more now due to Covid-19, it is important for your employees to be able to identify when a communication is a phishing attack, and how to respond.
To test your firm’s resilience to a phishing attack, we recommend running a simulated phishing campaign. This is where you create a fake phishing email and send it to every employee to see who clicks on the link to get a baseline before starting training.
Topics phishing training should cover:
- How to identify and report a phishing email.
- Never give login info over email, text, or other online method without approval from supervisor.
- Only click on links in emails from trusted sources.
A critical topic for any cybersecurity training program is passwords. Having strong passwords is critical to protecting your firm’s sensitive information and systems from outside attacks, but many people have weak passwords, and fail to properly secure them. It is imperative to teach your employees the minimum standards for creating a password, and what to avoid.
What to avoid:
- Sequential numbers or letters.
- Personal information such as birthdays.
- Common words/phrases like “password1”, or “qwerty”.
- common substitutions, like replacing a letter with a similar number (i.e. using a “8” for an “B”).
Components of a strong password:
- Should be at least 8 characters, the longer the better.
- A mix of uppercase, lower case letters and numbers.
- Using random character placement.
- Using multiple words.
A strong password should make sense to you but look like gibberish to anyone else who looks at it.
Using work devices outside of the office
Using work devices like laptops outside the safety of the office security network can put both firm and a client data at risk if it is lost, stolen, or hacked into. Even though it is safer to keep all work-related devices confined to the office, that is not always feasible, and employees will need to do work outside of the office. For situation like this, your firm should train its employees on the proper procedures for securing work devices outside of the office, which should include, but is not limited to:
- Make sure everything is password protected and set an auto lock timer.
- Set up and show employees how to use VPNs and RDPs.
- Never let the device out of sight when in public.
- Never connect external media (USBs, CDs, etc.) unless from a trustworthy source.
- Make sure no one is Shoulder Surfing when entering login credential or sensitive information.
- Make sure anti-virus software is working and up to date.
- Do not connect to unsecured Wi-Fi.
- Only download company approved software.
- Do not visit sketchy, spoofed, or unverified sites.
If you feel your firm is at risk or are looking for more was to improve your cybersecurity program, cybersecurity training program, or other compliance related programs, contact our firm today to learn more.