Of all the strategies, you use to secure your data and systems, educating and training your users is the most important. People are the most important part of any business. They are also its greatest vulnerability. They can be the victim of a social engineering attack, or cause a loss by accident. In some cases, an insider can purposely misuse or abuse their access to company data for inappropriate uses. According to the Verizon Data Breach Incident Report 78% of people, last year did not click on a phishing attack link. However, 4% of phishing attack targets to click on the link. The bad actors only need to get it right one time to initiate a successful attack, while you and your people need to be right 100% of the time to avoid a successful attack.
The threat is real. What actions can you take to help your people be more secure? A number of strategies you can use to mitigate these risks. Such as education, policies, procedures, and a least privileged environment. The good news is these things are not difficult or expensive to implement, they just take time and planning to be successful.
Education and training are paramount to an effective defense against social engineering attacks and accidental data loss. There are some key considerations when implementing your training plan. First, the training should be mandatory, as every person today interacts with data even if it is only through email. The training should be held on a regular basis to keep skills up to date, quarterly or yearly as time allows. In addition to the regularly scheduled training, a newsletter can highlight the importance of being aware of social engineering attacks.
Next, you should implement policies and procedures for your company. These will cover the ‘what’ and ‘how’ of managing and protecting your data and systems. Everything should be documented for common scenarios, such as failed attacks, incidents, or any other kinds of loss. The idea is to have a plan in place to prevent and recover from typical incidents.
Minimal access and rights should be given to those who need it, which is also referred to as least privilege. Least privilege is the concept that a person or process only has the rights and access to things they need to do their job and nothing else. There are numerous reasons this is a sound methodology.
There are many things you do everyday to protect your systems and data, do not forget the most important element in your company, your people. Through a combination of education, policy, procedures, and least privilege you can help your people be a source of protection not a threat vector for your company.