This issue of the Advisor provides you with valuable training information about Internet security, why it’s important, and what employees can do to ensure it.
If your employees use the Internet on your computers or mobile devices, you should be concerned with the findings reported in Symantec’s Internet Security Threat Report, Vol. 16, which includes nuggets like “the volume of Web-based attacks per day increased by 93 percent in 2010 compared to 2009.” The report also notes the rising trends of attacks through social networks and on mobile devices.
While this report is from a few years ago, you know the situation has gotten even worse, with the 2015 report including such new concerns as “ransomware attacks” and attacks on the “Internet of Things devices.” You can access the 2015 report at http://know.symantec.com/LP=1123.
The Dangers
What’s still true from the 2010 report, however, is that it takes only one user to wreak havoc on your whole system: “In most cases, a successful compromise only requires victimizing a user with access to just limited network or administrative resources. A single negligent user or unpatched computer is enough to give attackers a beachhead into an organization from which to mount additional attacks on the enterprise from within, often using the credentials of the compromised user.”
The 2010 report also highlighted another practice called “spear-phishing” (the sharper, focused cousin to plain old “phishing”). Attackers use information easily found on places like social networks and company websites to target a company, stealing sensitive data on customers and employees. The report gives this example of spear-phishing:
[M]any people list employment details in their profiles, such as the company they work for, the department they work in, other colleagues with profiles, and so on. While this information might seem harmless enough to divulge, it is often a simple task for an attacker to discover a company’s e-mail address protocol (e.g., firstname.lastname@company.com) and, armed with this information along with any other personal information exposed on the victim’s profile, create a convincing ruse to dupe the victim.
What Employees Need to Know
Employees need to know that it’s not just your systems, information, and equipment that are at risk: their personal information is being targeted, too. The Symantec report notes that attackers are often after personal bank account data, passwords, and other information that can be used to steal someone’s identity. In fact, employees should be aware that the most dangerous trend on mobile devices targets online shopping and banking information, which makes their bank and credit accounts vulnerable.
Here are some training tips from Symantec’s report to help your employees protect your equipment, systems, and sensitive information as well as their own:
Avoid visiting unknown websites to protect against all Web-based attacks.
Download applications only from regulated marketplaces, since most malicious code for mobile devices consists of Trojans that pose as legitimate applications. Checking an application’s reviews and comments can also reveal whether other users have already noticed suspicious activity from it after installing it.
Don’t rely only on strange e-mail addresses, bad grammar, and obviously malicious links to reveal a possible attack.
Beware of shortened URLs (uniform resource locators) that pop up in a friend’s news feed on social networks. They hide the actual destination of the link and are a favorite of attackers trying to get you to visit malicious websites. With the rise of Twitter, however, the use of URL shorteners such as tinyurl.com, bitly.com, and goo.gl has become more common and legitimate. Still, it’s good to be cautious.
Beware of the information you give out on surveys and quizzes on social networks. While some focus on generic details (shopping tastes, etc.), they may also ask the user to provide details such as his or her elementary school name, pets’ names, mother’s maiden name, and other questions that, not coincidentally, are frequently used by many applications as forgotten password reminders.
Monitor the security settings of your profiles on social network sites as often as possible, especially because many settings are automatically set to share a lot of potentially exploitable information, and it is up to users to restrict access themselves.
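The shortened-URL tip above rests on one mechanism: the shortener answers with an HTTP redirect, so the real destination is only visible once the link is followed. The script below is an added example (not from the article or from Symantec) that shows how a security team can resolve a shortened link safely before anyone clicks it: it sends HEAD requests, refuses to auto-follow, records each hop, never downloads a page body, and gives up after a fixed number of hops so a redirect loop cannot hang it. To run offline it starts a tiny local stand-in for a shortener on 127.0.0.1 with a constructed redirect table; the short codes, the "/landing" page, and the list of shortener hosts (the three named in the text plus bit.ly) are all assumptions of this example.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Shortener hosts to treat as "expand before clicking" (constructed list for the example).
KNOWN_SHORTENERS = {"tinyurl.com", "bitly.com", "bit.ly", "goo.gl"}

# Constructed redirect table standing in for a shortener's database (hypothetical codes).
# "/loop" redirects to itself so the hop limit below can be exercised.
REDIRECTS = {
    "/abc123": "/hop2",
    "/hop2": "/landing",
    "/loop": "/loop",
}


class _ShortenerHandler(http.server.BaseHTTPRequestHandler):
    """Minimal local stand-in for a shortener: 301 for known codes, 200 for the landing page."""

    def do_HEAD(self):
        if self.path in REDIRECTS:
            self.send_response(301)
            # Relative Location values are legal and common; the client must resolve them.
            self.send_header("Location", REDIRECTS[self.path])
        elif self.path == "/landing":
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_shortener():
    """Start the fake shortener on a free localhost port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _ShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


class _StopAtRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to auto-follow redirects so every hop surfaces as an HTTPError we can inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def is_known_shortener(url):
    """True when the link's host is one we expand before trusting."""
    return urlsplit(url).hostname in KNOWN_SHORTENERS


def expand_url(url, max_hops=5, timeout=5):
    """Resolve a link hop by hop with HEAD requests (no page body is fetched).

    Returns the redirect chain, the last URL reached, the final HTTP status, and
    whether the chain terminated within max_hops (False means loop or too long).
    """
    opener = urllib.request.build_opener(_StopAtRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            with opener.open(req, timeout=timeout) as resp:
                return {"chain": chain, "final": chain[-1], "status": resp.status, "complete": True}
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                chain.append(urljoin(chain[-1], location))  # resolve relative Location
                continue
            # Any other error status (e.g. 404) ends the chain; report it as-is.
            return {"chain": chain, "final": chain[-1], "status": err.code, "complete": True}
        except urllib.error.URLError:
            # DNS failure, refused connection or timeout: destination could not be reached.
            return {"chain": chain, "final": chain[-1], "status": None, "complete": False}
    # Hop budget exhausted: a redirect loop or a suspiciously long chain.
    return {"chain": chain, "final": chain[-1], "status": None, "complete": False}


if __name__ == "__main__":
    _, base = start_shortener()
    for code in ("/abc123", "/loop"):
        print(expand_url(base + code))
```

In practice the chain, not just the last URL, is what you want to show an employee or keep in a ticket: a link that bounces through several unrelated hosts before landing somewhere is itself a warning sign, and the hop cap is what keeps an automated checker from being tied up by a shortener that points at itself.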
In tomorrow’s Advisor, we’ll hear from a legal expert on what malware is, how hackers use it, and what employees can do to avoid it.