Security awareness training is more critical now that organisations have sent most of their employees to work from home. There has never been a more critical time in the history of IT and cyberthreats for organisations to run security awareness sessions than now. It has been noted that the opportunity for cybercriminals to succeed in compromising the machines of employees working from home has greatly increased.
Organisations have solid security infrastructure and monitoring measures in place to protect employee devices, but once employees leave this environment the controls in their homes are more relaxed, making them an attractive target for cybercriminals.
So why should organisations conduct security awareness programs?
- Social engineering is the manipulation of people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems. Social engineering can occur in person, over the phone, in emails, or through fake web pages. Examples include:
  - Email phishing attacks have been on the increase as cybercriminals take advantage of the prevailing Covid-19 situation. Starting in early January 2020, there has been an increase in emails carrying Covid-19-themed messages which attackers use to trick users. The emails carry malicious images, file attachments and links which, when opened or clicked, may result in loss of credentials or data, or in being held to ransom (ransomware). To avoid such phishing schemes:
    - Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
    - Do not click on links in emails unless you are absolutely sure of their validity.
    - Only visit and/or download software from web pages you trust.
  During this period, it has been noted that individuals are spending more time on their mobile devices than before. Cybercriminals are taking advantage of this uptake, which has shown an increase in attacks such as:
    - SMS phishing, which involves receiving messages from unknown numbers urging you to reply or to send money to a number. Replying alerts the scammers that your number is active and worth targeting.
    - Voice phishing (vishing), in which a scammer calls pretending to be from your bank or Mobile Network Operator (MNO) and asks for your security details and PIN.
  There has also been an increase in online banking, shopping and doing business, and all of this favours the bad guys.
  Some basic tips to avoid the above attacks include:
    - Do not reply to messages asking for your personally identifiable information (PII), or to messages asking you to send money to a different number.
    - Your bank or MNO will never ask for your PIN, so do not give it to anyone who asks.
    - If you receive an unexpected call from the bank, MNO or anyone else, tell them you will call them back before giving any security details.
- Security is the last thing on the mind of an employee working from home. Most employees are probably working from home for the first time, and organisational security is the last thing on their mind as they try to balance helping their kids with school work against attending to work tasks. Their main focus is learning to work with the new digital workplace platforms at their makeshift desks.
- Patches and anti-virus: remote users are rarely interested in knowing whether their machines are patched with the latest security updates or whether the anti-virus is up to date; their concern is meeting deadlines. If they are not given basic knowledge on how to check the status of updates and anti-virus, they will be vulnerable to cybercriminals because they are not protected against new attacks, and in the end they put the organisation at risk.
Remember that at some point the remote user will come back to the office, and if their machine is infected with malicious software, once they connect to the corporate network the malware may propagate across the network and infect other machines that are missing updates or anti-virus.
Now more than ever, organisations need to accept that they must not only work differently during this Covid-19 pandemic, which has left them with remote employees, but also secure differently: putting some of the responsibility onto users and making them the last line of defence in the organisation's defensive strategy against cybercriminals.
Security awareness programs are good at educating users on the importance of participating in the organisation's security.
Security in an organisation, and its cyber defence, depends largely on the weakest link, and in the People-Process-Technology triad the weakest link is the people. 85% of security reports indicate that the biggest threat to endpoint security is employees' negligence in adhering to defined security practices.
“Be safe, Stay home if you can, and as an organisation send as many security tips as possible to your employees to keep them cyber-security aware and be cyber security alert as an individual.”