Rob Dixon 16th May 2017

Security and cyber risk awareness

There is much that companies do to make their systems, networks and data secure: access controls, firewalls, centralised authentication, multi-factor authentication for remote logins, network segmentation and much more. Unfortunately people are the weakest link, and the hardest to manage. Core systems can be protected with the latest technology, but it is significantly harder to guard against employees giving away information on social media or using their own, less secure, devices for business.

People are familiar with dodgy-looking emails purporting to be from a bank, and hopefully they are savvy enough to know not to click on any links. The threats now are much more sophisticated, and personal. “Spear phishing” is one method where the attacker uses information obtained from social media to personalise an email to an individual. Seeing your own personal details in the subject line makes you much more likely to open the message, including any innocent-looking attachment, or even to reply and give away still more. So what could and should we be doing; company, employee and individual alike?

Protect information from within

Threats to security do not come solely from outside a firm, and the internal ones are growing. According to IBM’s X-Force Research in the 2016 Cyber Security Intelligence Index, 60% of all attacks are carried out by insiders, and of these 75% involved malicious intent.

So what can be done? It’s quite simple really:

  • All visitors must sign in at reception and be accompanied by an employee whilst on-site;
  • Challenge those you do not know to prevent tailgating;
  • Keep your personal information secure at all times;
  • Always lock your computer when leaving it unattended;
  • Always follow a clear desk policy;
  • Do not leave your ID badge/tag unattended;
  • Lock away filing cabinets, or any other container or device, that contain confidential information;
  • Shred any sensitive documents after their retention period has expired.

Protect information when out and about

Do not discuss sensitive topics or information in any area which can be overheard by individuals who should not be privy to the details of the conversation.

Be very wary of someone being able to read whatever documents or devices you have open. By “shoulder surfing” someone can see what you’re viewing and inputting. Once on a train, I could clearly see details of the fraud prosecution a firm was going to be pursuing against some of its employees, including their names, addresses and email addresses. And this was by their chief security officer!

Be careful when entering your password to access the firm’s systems; make sure nobody nearby can watch your keystrokes or your screen.

Uphold In-Place Safeguards

Always adhere to whatever safeguards your firm has implemented, and do not attempt to circumvent them just to “make life easier”. They are there for a reason.

Ensure that your devices (tablet, laptop, smartphone) have the latest security patches and up-to-date anti-virus and firewall software. Never disable either the AV solution or the firewall.

Encrypt any data held on any kind of portable media, including any cloud storage. If transmitting any data, whether it is via a wired or wireless connection, only do so over an encrypted connection.

Always use strong passwords which are a combination of letters (of varying case), numbers, special characters, and which cannot be linked to you in any way. Keep your password secret and do not share it with anyone, no matter who they are.

Change your password regularly to something unrelated to your previous password and in accordance with your firm’s security policy. Do not use the same password for all accounts that you use; doing so dramatically increases the risk of your accounts being compromised.

When accessing cloud services, always use a unique username and password for each service, and never reuse them across services. Only access cloud services from devices approved by your firm, and only to the extent necessary to allow you to do your job.

Remote working does not necessarily mean working from home. Many of us do work-related tasks when at a customer site or staying overnight in a hotel. When doing so, always ensure that any network connection is from a known source and is password protected, and always use a company approved and certified VPN client so that your traffic is encrypted whatever network you happen to be on.

Internet Usage

The resources and information available from the Internet are vast, and of massive value to everyone, including nefarious individuals. Unfortunately, because it is an open platform, its built-in security is limited, which results in significant and widespread security issues.

Anything which is put online is going to be there a long time, so you must always be mindful of the following:

  • do not make any confidential information public by any method (IM, email, web posting, etc.);
  • remember that all your activities, including websites visited and any data you enter, could be monitored by third parties;
  • do not download anything unless it is approved by your company, or has been verified as coming from a trusted source;
  • do not view any materials on company equipment that you would not be prepared to show to your manager;
  • ensure that a secure protocol (HTTPS) is in use before submitting confidential information of any sort to a website;
  • always report to your company any websites (including partner websites) which look suspicious or ask for unusual information.

Social engineering and why you must be cautious

Social engineering, as defined by Google, is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

With this in mind you have to ask yourself, who is actually contacting you? Is it really my bank, energy provider, telephone company, AV provider? Are they really who they purport to be?

Unless you’re vigilant, so much personal data can be easily gleaned from sites like Facebook and LinkedIn. The area you live, who you work for, in what role, your expertise, who your friends are, what they do, what your passions and hobbies are. The list goes on and on. With these kind of resources available to fraudsters you have to be pro-actively protective.

If you have any doubts about any form of communication, do not divulge anything. Ask for further details so you can validate the source and authenticity of the individual. If it’s company related, discuss your concerns with your manager.

Social media, email and instant messaging

The ease with which it is possible to communicate to the world today is, quite frankly, scary. And once it’s out there, it is very hard to retract. Therefore, before you post anything be sure that:

  • it is legal;
  • it is not libellous;
  • it is not profane;
  • it does not contravene copyrights and trademarks;
  • it is in line with company policies as to what you can and cannot post, and where;
  • it is not company confidential;
  • if it is company related, that you are authorised to represent the firm.

Whatever means of communication you use, do not attempt to disguise your identity or use someone else’s. If you’re not prepared to stand behind what you post, don’t post it!

If you receive any obscene, offensive or threatening communication, discuss it with your manager. It may well require that the company respond to protect you and the business’s reputation. If it was a personal communication, consider talking to the authorities in extreme cases. Remember, do not respond using any form of profanity or terminology not considered politically correct; doing so can cause embarrassment to both the individual and the firm.

Be wary of the content of email and other communications, in particular phishing attacks.

  • If an email looks suspicious it probably is, so discard it;
  • Be wary of any link in the message; even innocuous-looking ones can be dangerous;
  • Look out for unfamiliar links and do not click on them (they can be designed to gather login information or to release malware);
  • Do not call any phone numbers provided;
  • Do not give out any information.
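To make the link advice above concrete (and the “secure protocol” point from the Internet Usage section), here is a small Python script that scans an HTML email body and flags links whose visible text shows one domain while the href goes to another, links that are not HTTPS, links that carry a username before an @ sign, and links whose host is a raw IP address or a punycode label. It is an added example written for this page, not code from the original post. The sample message and every domain name in it are constructed, and the registrable-domain helper is a deliberate simplification that just takes the last two DNS labels.

```python
"""Flag suspicious links in an HTML email body.

Added example for this post, not code from the original article.
The sample message and every domain in it are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two DNS labels. Simplification: ignores multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# A domain name (optionally with scheme) appearing in the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def analyze_link(text, href):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    url = urlparse(href)
    scheme = url.scheme.lower()
    host = (url.hostname or "").lower()

    if scheme not in ("http", "https"):
        return [f"non-web scheme: {scheme or 'none'}"]
    if scheme != "https":
        findings.append("not https")
    if url.username is not None:
        # https://bank.example@203.0.113.9/ really connects to 203.0.113.9
        findings.append("userinfo before @ in URL")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")
    shown = _DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return findings


def analyze_email(html):
    """Return [(text, href, findings)] for every link that produced findings."""
    report = []
    for text, href in extract_links(html):
        findings = analyze_link(text, href)
        if findings:
            report.append((text, href, findings))
    return report


# Constructed sample message: one look-alike link, one clean link, one @-trick link.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account within 24 hours:</p>
<p><a href="http://bank.example.verify-login.test/auth">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
<p><a href="https://www.bank.example@203.0.113.9/">Secure login</a></p>
"""

if __name__ == "__main__":
    for text, href, findings in analyze_email(SAMPLE_EMAIL):
        print(f"{href!r} (shown as {text!r}): {', '.join(findings)}")
```

Run as a script it prints the two bad links from the sample and says nothing about the clean one. These are heuristics for what a reader should look at before clicking; a clean result only means none of these particular tricks appeared, so the list’s advice still stands: when in doubt, do not click, do not call, do not reply.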

In conclusion

You should take the time to read and fully understand your company’s information security policies. They include detailed rules related to the storage, access and transfer of data and documents containing confidential data outside of business premises. You may be subject to disciplinary actions if you violate these policies.

Understand the company’s policies governing the access and management of confidential information. If you need to access confidential information, you should only do so on a ‘need-to-know’ basis and with proper security clearance.

Security measures are reviewed on a regular basis, as well as whenever there is a substantial change in business practices that affects information or data. If you discover that a security measure needs improvement or attention, alert your manager.
