Blog / Cyber Security Tips: Where to Focus Your Attention, and Why.
One of the biggest challenges that small organizations face is answering the question: “How do you protect yourselves?” – This is something that ALL types of outfits should be asking themselves today.
Large businesses tend to have enough of a budget, that can afford them to:
– Hire people with appropriate credentials and skills.
– Purchase appropriate defenses.
These are luxuries that small groupings don’t always possess.
Now then, just because a large, well-funded organization CAN do these things, doesn’t mean they DO, but that’s another issue entirely. For a small business, even if is has the will and desire to do all the right things, they often have issues with the budget. This means they are forced to be very selective about what they elect to do and how they choose to do it.
The government of Canada is aware of this and recently the Get Cyber Safe Service released what they consider to be the Top 3 Cyber Threats faced by small businesses. They are well thought-out, make reasonable sense and comprise the following:
Lack of Awareness
On a Business level, the individuals in charge don’t have enough awareness about the threats that Technology poses. This has a trickle-down effect and impacts everything related to it:
– The cheapest solution is often chosen, regardless of other factors.
– Policies are open to interpretation (or don’t exist.)
– IT departments (or individuals) are not properly funded.
– Security controls often “Get in the way.”
Essentially, the approach to Technology is to ignore it, until something breaks. If this is being practiced by a single manager, then something can be done by the staff. If this is happening everywhere from the top down, then it can only be fixed by upper management realigning their priorities.
Lack of Education for employees
Even if Management stays in the loop and up-to-date on trends and threats, that’s not good enough. Employees are hired and kept on staff for their expertise in doing their job. Unless their job happens to relate directly to IT Security, then being kept updated on these sorts of things is not included. In case you were wondering, the job of Technical Support is to make sure that the tools you use are working. It is NOT to be updated on Security issues.
Your employees make use of your equipment (computers, e-mail, etc.), so if there’s something you feel they should know that doesn’t relate directly to their job, then you need to find a way to teach it to them.
A good example of this is Email. Pretty much every outfit (large and small) provides a corporate email address to the majority or all its employees. At the same time, email is one of the most common vectors an attacker will use to try and infect a network, because it is effective. Despite this fact, I have never heard questions about knowing how to spot spoofed/fake emails, included as part of a job interview (even in the IT world.)
Having knowledge of how to detect fake emails has nothing to do with how good a doctor they might be (or truck driver, or sales representative, etc.) On the other hand, skills like this directly benefit the organizations’ overall Security, so it’s worth taking an active role in ensuring your staff have these.
Lack of a Cyber Safe Policy
It’s important to have proper policies in place. Having them provides a company with ways to communicate acceptable and unacceptable behaviours. Without them, an outfit is essentially saying “Anything is fine; as long as it’s not illegal”, but this is never actually true. Organizations want you to be at the office by a certain time, or work a certain number of hours, or complete certain tasks. Not doing that isn’t illegal, but it’s against Policy (and can get you fired.) Having appropriate policies regarding your Cyber Safety, is no different.
Your policies should govern how computers are used. It’s also important to have rules governing the use of email and the Internet. These are the two primary vectors an attacker will use to gain access to your equipment, so failing to set-up at least basic rules for them is inexcusable.
Social Media is another tool that can cause massive damage, if misused. Even if your organization has no official Facebook page or Twitter account having a Policy regarding responsible disclosure of work details on Social Media, could be a life saver.
When you work with something you don’t fully understand, it’s important to look for (and take) advice from people who know more than you. I’ve worked with computers for my entire working career and I’m constantly on the Internet looking for different ways to do the job that’s asked of me; even after all this time. Each organization is different, so you need to find an approach that works for your situation. Unfortunately, there’s no turn-key solution that will work for everyone. This means looking for the advice of qualified individuals or entities and applying that to your own outfit, via the best of your ability.
It’s also worth noting that all the threats they listed are internal ones. The biggest hazards we face day-to-day aren’t from external hackers; they’re actually on the inside and which we create with our own actions and lack of awareness.
If you have any questions about these threats, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-man.