One of IT’s most critical roles is to secure company data and assets by protecting end users from their own mistakes. Email filters, malware protection and firewalls are key aspects of end-user security, but some of the most significant vulnerabilities come from users themselves.
There isn’t always a software fix for user-caused security issues. For example, users can hand over their login credentials in a phishing attack, or expose their devices to attackers by joining an untrusted network.
For certain security threats, the best option is to train users to avoid risky behavior in the first place. IT must find the right topics to cover and the best methods to execute end-user security training sessions.
Social engineering attacks and phishing
Social engineering attacks, which manipulate users into bypassing security controls rather than defeating the controls themselves, are perhaps the most critical security issue that IT must rely on users to police. Attackers reach users through email, social media, phone calls and other communication channels. Social engineering via email is known as phishing, and it is among the most common threats. A phishing email typically tries to get the user to click a link that leads to a look-alike login page, which captures whatever credentials are entered, or to open an attachment that installs malware.
In some cases, attackers research specific users and tailor the attack to them directly, a technique known as spear phishing. A target may be chosen because they are likely to fall for the lure or because they have access to valuable data and systems. When the target is a senior executive, the attack is called whaling, which is why executives are such prominent social engineering targets.
One of the best methods to teach users about phishing security is to run an internal phishing campaign and see how each user handles the email. IT should start by getting management and HR on board so that the campaign has proper support and an agreed policy on how the results will be used. Management must also ensure that the help desk and security team are ready to handle an influx of phishing reports, since reporting is exactly the behavior the campaign should encourage.
When IT pros design the phishing email, they should mimic the tactics that real attackers use: email that appears to come from another employee at the organization, from a reputable outside company that users are familiar with, such as Dropbox, or from outside connections, such as friends and family. The test should go far enough to identify employees who are particularly susceptible, for example by linking to a look-alike login page, but that page should record only that credentials were entered, never the credentials themselves; a training exercise must not leave a store of real passwords behind.
Once the email goes out, IT pros should track who clicked the link, who entered credentials or opened the attachment, and who reported the message. They should then tell users that a phishing test was run and share the aggregate results in a meeting or an email. Users who handed over credentials should get a follow-up conversation focused on what gave the email away, so they don’t repeat the mistake. Treating the results as a training signal rather than grounds for discipline keeps users willing to report suspicious email in the future.
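The tracking side of such a campaign is small enough to show in full. The following is an added example, not code from the original article: it assumes a hypothetical landing page at training.example.com that writes one log line per event in the form `<timestamp> <click|submit|report> t=<token>`, and that the page records only that the form was submitted, never what was typed. Tokens are per-user HMACs so that a curious user cannot enumerate colleagues' links, and the report ignores tokens it did not issue (forged or scanner-generated hits). The sample log is constructed inside the script.

```python
"""Tracker for an internal phishing simulation (added example, not from the article).

Assumes a hypothetical landing page that logs one line per event:
"<timestamp> <click|submit|report> t=<token>". It records that a form was
submitted, never what was typed, so the test itself never collects passwords.
"""
import hashlib
import hmac

# Hypothetical per-campaign key; generate a fresh one with secrets.token_bytes(32).
CAMPAIGN_KEY = b"hypothetical-campaign-key-2024q1"

RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def make_token(email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-user tracking token: an HMAC, so tokens cannot be guessed or enumerated."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def make_link(email: str, base: str = "https://training.example.com/l") -> str:
    """The unique URL embedded in each user's copy of the test email."""
    return f"{base}?t={make_token(email)}"


def parse_log(text: str) -> list:
    """Turn landing-page log lines into (timestamp, action, token) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("t="):
            continue  # malformed line: skip rather than crash the report
        ts, action, token_field = parts
        events.append((ts, action, token_field[2:]))
    return events


def build_report(recipients, events, key: bytes = CAMPAIGN_KEY) -> dict:
    """Per-user outcome: did they click, submit credentials, or report the email."""
    token_to_email = {make_token(e, key): e for e in recipients}
    names = {"click": "clicked", "submit": "submitted", "report": "reported"}
    report = {e: {"clicked": False, "submitted": False, "reported": False} for e in recipients}
    for _ts, action, token in events:
        email = token_to_email.get(token)
        if email is None or action not in names:
            continue  # token we did not issue (forged, mistyped, scanner): ignore
        report[email][names[action]] = True
        if action == "submit":
            report[email]["clicked"] = True  # submitting implies the page was loaded
    return report


def summarize(report: dict) -> dict:
    """Campaign-level numbers for the follow-up meeting or email."""
    return {
        "recipients": len(report),
        "clicked": sum(r["clicked"] for r in report.values()),
        "submitted": sum(r["submitted"] for r in report.values()),
        "reported": sum(r["reported"] for r in report.values()),
    }


def constructed_log() -> str:
    """Constructed sample log: alice submitted, bob only clicked, carol reported."""
    t = make_token
    return "\n".join([
        f"2024-03-04T09:01:12Z click t={t('alice@example.com')}",
        f"2024-03-04T09:01:40Z submit t={t('alice@example.com')}",
        f"2024-03-04T09:05:03Z click t={t('bob@example.com')}",
        f"2024-03-04T09:06:11Z report t={t('carol@example.com')}",
        "2024-03-04T09:07:00Z click t=0000000000000000",  # forged token, no recipient
    ])


if __name__ == "__main__":
    for email in RECIPIENTS:
        print(email, make_link(email))
    result = build_report(RECIPIENTS, parse_log(constructed_log()))
    for email, outcome in result.items():
        print(email, outcome)
    print(summarize(result))
```

Per-user results feed the follow-up conversations; the `summarize` output is what goes in the all-hands email. Because the report only records that a submit happened, the campaign data is safe to keep for trend comparison against the next round.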
Other security threats for end users
One common user behavior that attackers exploit is weak password choice and, worse, password reuse. Users often use the same password for personal and work accounts, so if attackers obtain the credentials for one account, for example from a breached consumer website, they can try that same password against the user’s other accounts. IT can mandate a password change every three to six months, but users respond by keeping the same base password and changing only the capitalization or the trailing digit, which leaves the account no safer. Current guidance (NIST SP 800-63B) therefore recommends dropping scheduled rotation in favor of screening new passwords against lists of breached and commonly used passwords; rejecting trivial variants of the previous password at change time closes the capitalization trick as well. Training should focus on why reuse across accounts is the real danger.
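The "change one letter" behavior described above is detectable at the moment the user changes a password, because that is the one point where both the old and new plaintext are in hand. The following is an added example, not code from the article: it normalizes away case, common leet-speak substitutions and a counter or symbol tacked onto either end, then compares the cores, and it also screens against a breached-password list. The list here is a constructed stand-in; in practice you would query the Have I Been Pwned k-anonymity range API or load an offline list.

```python
"""Reject trivial variants of the previous password at change time.

Added example, not from the article. It assumes the change-password flow has
both the old and new plaintext in hand (the user types both), which is the only
point at which this comparison is possible; stored passwords remain hashed.
"""
import re

# Common character substitutions users make instead of choosing a new password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Undo the edits users typically make: case changes, leet-speak,
    and a counter or symbol added at the front or end ("Summer2023!")."""
    s = pw.casefold()
    s = re.sub(r"[^a-z]+$", "", s)  # strip trailing digits/symbols before leet-decoding
    s = re.sub(r"^[^a-z]+", "", s)  # and leading ones
    return s.translate(LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True if the new password is just a re-dressing of the old one."""
    a, b = normalize(old), normalize(new)
    if min(len(a), len(b)) < 4:
        return False  # too little left to compare meaningfully
    return a == b or a in b or b in a


# Constructed stand-in for a breached-password list (real deployments use the
# Have I Been Pwned range API or an offline dump, compared case-insensitively).
BREACHED = {"password", "summer2023", "welcome1", "qwerty123"}


def check_new_password(old: str, new: str, breached=BREACHED, min_len: int = 12) -> list:
    """Return the list of reasons to reject `new`; an empty list means accept."""
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if new.casefold() in breached:
        problems.append("appears in breached-password list")
    if is_trivial_variant(old, new):
        problems.append("trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2023", "sUMMER2023!"), ("P@ssw0rd1", "Password2"),
                     ("Summer2023", "Welcome1"), ("Summer2023", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

The substring test deliberately catches "Summer2023" becoming "Summer2023Autumn"; the four-character floor stops it from flagging every password that shares a short fragment. Rejecting with a list of reasons, rather than a bare failure, gives the user the feedback that training otherwise has to deliver by hand.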
A related issue, common on mobile devices but not limited to them, is users installing malicious applications. Attackers disguise malware as helpful apps that, once installed, give them access to the device and the data on it. Some organizations block dangerous applications with denylisting or, better, allowlisting (blacklisting and whitelisting) enforced by a device management or application control tool, but any organization without such tools must rely on users to avoid this issue.
Internal phishing tests are easy to track and provide concrete results, but malware downloads, weak passwords and other end-user security issues don’t fit as well with a test campaign. Planting fake malware and hoping users find it takes more effort for less reliable data, so IT should take a more traditional training approach to these issues.
This approach could involve meetings, email or whichever method an organization considers the best fit for its users. If management believes users will take the time to carefully read an email on end-user security best practices, then an email will suffice. If not, a meeting may be the better option. Regardless of which method an organization chooses, the communication between IT and end users should be consistent and not a one-off occurrence. IT should keep users up to date with the latest malware trends and hacking tactics.