Security awareness is a process run by IT and security experts to mitigate and reduce risk within an organization. It matters because it teaches employees the important security procedures and best practices, and how to identify and respond to threats to the organization going forward. Contrary to widespread belief, plenty of cyber-attacks and data breaches stem from user errors and common mistakes, especially phishing scams.
Phishing is a common fraudulent tactic in which an outside threat actor pretends to be someone from a reputable organization in order to get the target to reveal personal information. The most common medium for phishing is email, and there are three main kinds of email phishing:
- Standard email phishing: A threat actor has only a fraudulent email address.
- Spear phishing: A threat actor not only has a fraudulent email address but also includes false or tailored details in the email (such as job title, place of employment, or information specific to the individual) to further sell the scheme.
- Whaling: A threat actor pretends to be someone from the target's own organization to extract personal information.
However, email is not the only channel for phishing; it can also happen via phone call, text message, or even social media. As a good rule of thumb, always double check the address or account of the person seeking the information, and when in doubt, reach out to the individual through a different medium, such as calling them on their cellphone.
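The "double check the address" advice above can be partly automated on the receiving side. The following is an added example (not code from the original article) that inspects the headers of an inbound message for the signs a trained user would look for: a display name that claims the organization while the real address is elsewhere, a lookalike sender domain, a Reply-To that points somewhere else, and urgency wording in the subject. The organization domain, the trusted partner domain, and both sample messages are constructed for illustration.

```python
"""Header-level phishing indicator check (added example).

ORG_DOMAIN, TRUSTED_DOMAINS and the two sample messages are constructed
for illustration; nothing here is taken from a real mailbox.
"""
from email.parser import Parser
from email.utils import parseaddr

# Assumed: the organisation's own mail domain (hypothetical value).
ORG_DOMAIN = "example.com"
# Assumed: domains the organisation regularly corresponds with (hypothetical).
TRUSTED_DOMAINS = {ORG_DOMAIN, "partner-bank.example"}
# Wording that phishing mail commonly uses to pressure the reader.
URGENCY_WORDS = ("urgent", "verify your account", "password")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero distance flags a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable indicators found in the message headers.

    Each check mirrors the manual advice: look at the real sender address,
    not just the friendly display name, and compare it with what it claims.
    """
    msg = Parser().parsestr(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Display name invokes the organisation, but the address lives elsewhere.
    if ORG_DOMAIN in display_name.lower() and from_domain != ORG_DOMAIN:
        findings.append(f"display name mentions {ORG_DOMAIN} but address is @{from_domain}")

    # 2. Sender domain is close to, but not identical with, a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_domain != trusted and 0 < edit_distance(from_domain, trusted) <= 2:
            findings.append(f"sender domain {from_domain} resembles {trusted}")

    # 3. Replies would be routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 4. Subject pressures the reader or asks about credentials.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject uses urgency or credential wording")
    return findings


# Constructed sample: impersonating display name, lookalike domain, foreign Reply-To.
SAMPLE_SUSPICIOUS = """From: IT Support example.com <helpdesk@examp1e.com>
Reply-To: collect@mailbox.test
Subject: URGENT: verify your account today
To: staff@example.com

Please confirm your password at the link below.
"""

# Constructed sample: ordinary internal mail with nothing to flag.
SAMPLE_LEGIT = """From: Alice <alice@example.com>
Subject: Lunch on Friday?
To: bob@example.com

Cafe at noon?
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Run on the constructed samples, the suspicious message produces four findings and the legitimate one produces none. The checks are deliberately simple header heuristics; they complement, rather than replace, the habit of confirming an unexpected request through a second channel.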
Password security (also known as password strength) refers to how secure a password is and how easily it can be brute forced. Passwords have long been a good way to protect data from unauthorized access, but over time threat actors have figured out how to crack them. A brute force attack uses software that systematically tries every possible character in every position of the password until it finds a match. Since brute force attacks became common, new guidelines have been published on how to make a password harder to guess.
First, a password should be at least 12 characters long: the longer the password, the more positions the brute forcing software must work through, and the number of combinations grows with every character added. Next, avoid predictable strings (like '1234' or common dictionary words), since modern cracking software tries whole words and phrases at once rather than one character at a time. A good way to break up strings and long phrases is to use special characters such as '!@#$%^_'. Incorporating special characters not only breaks up character strings but also enlarges the set of characters the cracking software must check for each position, which makes the password more secure. Lastly, try to incorporate randomness when creating a password: the more random it is, the harder it is for any program or human threat actor to guess.
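To make the three rules concrete, here is an added example (not from the original article) that scores a candidate password the way the text describes: it works out the size of the character pool, computes how many guesses an exhaustive search would need, and separately flags the shortcuts a cracking tool would exploit (short length, predictable sequences, dictionary words, no special characters). The guess rate and the tiny word list are assumed values chosen for illustration, not measured figures.

```python
"""Password strength estimator following the guidance above (added example).

GUESSES_PER_SECOND, COMMON_WORDS and SEQUENCES are assumed illustrative
values, not measurements or a real cracking dictionary.
"""
import math
import string

# Assumed: an offline cracking rig trying ten billion guesses per second.
GUESSES_PER_SECOND = 10_000_000_000
# Assumed: a tiny stand-in for the word lists real cracking tools use.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
# Assumed: predictable runs that a cracker tries as a single unit.
SEQUENCES = ("1234", "abcd", "0000", "1111")
MIN_LENGTH = 12

# Character classes and the number of symbols each adds to the search pool.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(password: str) -> int:
    """Size of the smallest pool containing every character class used."""
    return sum(size for chars, size in CHARACTER_CLASSES
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of that pool and length covers."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str) -> float:
    """Worst-case time for a pure character-by-character search at the assumed rate."""
    return keyspace(password) / GUESSES_PER_SECOND


def weaknesses(password: str) -> list:
    """Shortcuts a cracker would exploit that the raw keyspace figure hides."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters ({len(password)})")
    if any(seq in lowered for seq in SEQUENCES):
        problems.append("contains a predictable sequence")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def assess(password: str) -> dict:
    """Combine the keyspace arithmetic with the rule-based checks."""
    size = charset_size(password)
    bits = round(len(password) * math.log2(size), 1) if size else 0.0
    return {
        "length": len(password),
        "charset": size,
        "bits": bits,
        "brute_force_seconds": brute_force_seconds(password),
        "problems": weaknesses(password),
    }


if __name__ == "__main__":
    # Constructed candidates: one built from a word plus a sequence, one random.
    for candidate in ("Password1234", "t7$Kq!2zW^mR9"):
        print(candidate, assess(candidate))
```

The comparison is the point of the example: "Password1234" has the same length and the same 62-symbol pool as a random 12-character alphanumeric string, so its naive keyspace looks enormous, yet the checks flag a dictionary word and a sequence that a cracker would try in its first few guesses. The random 13-character string with punctuation uses a 94-symbol pool and trips none of the checks.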
Protection of PII
Protection of Personally Identifiable Information (PII) is the principle that any sort of personal information must be protected. Personal information is any information that can identify a specific person (such as full name, social security number, address, etc.). If compromised, it can not only harm the individual but also be used to falsify an identity and even compromise the organization. With that in mind, what can someone do beyond using secure passwords and basic phishing detection skills?
On the password side, a solid way to reinforce a password is to implement multi-factor authentication (MFA), which authenticates a user's identity through more than one verification step. This could be anything from sending a verification code to another device, to verifying location, or even voice identification in some advanced cases. If the password is breached, the likelihood that the attacker will also be able to bypass MFA is slim.
When it comes to the individual user, it is important that they practice cyber security hygiene: the general habits a user can adopt to protect themselves online. Some basic cyber security hygiene practices are as follows:
- Be cautious when opening links that stem from outside the organization
- Always apply the latest patches to hardware and software to close known vulnerabilities
- If possible, avoid visiting potentially malicious websites that are not approved by the system administrator
Despite security awareness being a hot topic in today's landscape, numerous data breaches and cyber-attacks still occur regularly. No matter what policies an organization decides to implement, it all comes down to how the organization trains its employees. While employees commonly scoff at training they deem unnecessary, it is important to emphasize just how severe the consequences of a single mistake can be for the entire organization.
It is important that users are tested on their knowledge so they can demonstrate common security awareness practices. For example, if a user watches a five-minute video with a blatantly obvious example of phishing, then they might walk away without any ability to identify a serious and well-crafted phishing scam. However, if that same video had a few different examples of what phishing could look like and how to spot it, in addition to having a short quiz at the end, then perhaps that same user could walk away with new knowledge on how to properly identify a phishing scam.
Ultimately, security awareness in the workplace is not to be neglected and can make all the difference. As threat actors get more creative in their tactics, it is vital that organizations place a higher emphasis on security. By implementing phishing awareness, secure password, and PII protection policies, an organization can shield itself against modern cyber security attacks.