Your cell phone rings. It’s your office manager. Something has happened. An employee has a cryptic text file on their screen, something about all their files being gone and a demand of $500 ransom to get them back.
Other employees are reporting that they cannot access any of their documents either, even from the server. Your information-technology guy is running around pulling network cables out of the back of PCs and manually shutting down all servers. Something big has just happened, and you have no idea what it even is.
This is the world of modern IT. Threats that were once fodder for bad television and movies are actually happening. The above scenario, involving a particularly nasty piece of malware that has been estimated to have infected millions of PCs, both personal and business machines, is only the latest in the ongoing malicious software arms race. It’s an arms race that builds on itself, with the latest generation of malicious software almost always being stronger, harder to defeat, and more complex than the last version.
It’s easy to ask ourselves, in 2015, how this sort of thing happens. We do the right things: we have firewalls, constantly updated antivirus software, and maybe even unified threat management. The sad reality is, no matter how good our perimeter security is, the penetration ability of the baddies is better.
Take Sony, and its latest data breach, for example. That company is no stranger to attacks, or even breaches, yet it was clearly vulnerable. In fact, common thinking is that no target is completely safe, no matter how well-guarded. If someone wants in, and the prize for getting in is big enough, they will find a way. Chilling? Of course it is, but this is the world we live in, and we must face this reality, this new normal, head on.
So, what is a business owner to do? After all, you thought your security architecture was top shelf, so what more could you have done?
It turns out that the most important thing most companies, especially small ones, can do is train their users. Security these days cannot be centralized in a few key staff members or in expensive security appliances. Truly, security is everyone’s concern, and defense has to come from all involved parties.
Looking at well-known breaches, it is often the end users who are targeted and who become the point of entry. Modern criminals don’t waste a lot of time beating against firewalls. Instead, they will send phony package-tracking emails to employees in the accounting department, or hang out in the free breakfast area of large hotels and wait for someone to walk away from their laptop or phone.
In our modern, cloud-connected, always online environment, we are truly connected to one another in a more direct manner than ever before. Although this makes many aspects of work far easier and more efficient, it also exposes everyone to all of the threats that are out there. Specifically, what it creates are nearly unlimited opportunities for the wrong kind of software to get installed, run, and allowed to deploy its payload.
Over time, both the opportunities for infection and the sophistication of malicious software have increased. Gone are the broken English, poor graphics, and other telltale signs of fake software from the past. These days, the malicious software trade is big business, and it shows in the overall polish these pieces of software have. It is no longer obvious what software is fake and what is real.
Now, more than ever, it’s critical for businesses to realize that the most important investment they can make in security could be education. A well-informed, cautious user may truly be the last line of defense against malicious software getting in, or data theft from happening in the first place.
Fortunately, as with a lot of education, a little can go a long way. Most of the time, what will protect users from malicious software is common sense and simply taking the time to think about what they are doing. This last part is key.
With the ever-increasing pace of work and information delivery, it can be incredibly difficult to get people out of a reactionary, fast-as-possible mindset. Yet this is precisely what security demands: a level of critical thinking where people ask themselves what the risks are of clicking on this link or opening this attachment, and whether this is something they should even be doing.
When it comes down to training users, vigilance is the most important lesson to impart. Security threats are changing every day, so training against any particular attack is not as helpful as training someone to be better equipped to handle any kind of attack.
It is also helpful to train users, in general, what common, modern malicious software threats look like. The average user should know what phishing is, why they have a passcode on their company phone, and why their laptop is encrypted. Often, there can be a tendency to keep matters of security secret, but this frequently causes harm. It is important for all staff members to know the type of environment they are in, as well as the real threats that apply to them.
Specifically, there are things that every network user, especially if they are connected to the Internet, should just know. Here’s a list of the basics that will help protect users from the most common threats out there these days:
• Teach staff to be leery of email links and attachments: A good rule of thumb is to not open anything that isn’t expected. If there is a link in an email, hover the mouse over it to make sure it goes where it says it does. If there is any doubt, either get clarification or delete it.
• Teach staff who the IT people are: It is not unheard of for people to pose as tech staff to gain unauthorized access to systems. Teach people who has the authority to access their systems and to verify that authority if they are unsure.
• Teach staff how to protect their workstations: Data security starts with physical security, and it is everyone’s job to make sure that computers aren’t left open and unlocked when they are unattended. Talk about the importance of secure passwords and of changing passwords periodically.
• Teach people to protect their mobile devices: Mobile device theft is rampant, and, especially if the staff member uses his or her mobile device for work, a surprising amount of sensitive data can be available to any would-be thief. Teach them to account for their device at all times and make sure it’s protected with a secure passcode and encryption.
• Teach people to mind their emotions, especially when they might be being manipulated: Malicious software preys, most often, on one of two things: inattention or mindless reaction. Teach people to slow down and think about what they are clicking on, to honor their gut instinct when something doesn’t seem quite right, and not to assume every word of every email is true.
This past year has been a sobering one for information security, but there are still things we can do to provide our network, and our users, with real protection. The sad truth is that the situation in information security will probably get worse before it gets better, but the best, most proactive thing we can do now is to make sure that the people we trust with access to company and other sensitive data are equipped to defend against the very real threats they face.
John Coleman is the managing director and principal at 1123IT, a Spokane IT services firm. He can be reached at jc@1123it.com.