October is “National Cyber Security Awareness Month” (NCSAM), and to honor the spirit of awareness and education I recently sat down with Colette L’Heureux-Stevens, who works on CO-OP’s Information Security team, to discuss simple, easy-to-scale best practices that bolster security for credit union organizations of any size.
This discussion is incredibly important as more and more companies, like Facebook, fall prey to social engineers and hackers who profit from stolen information. The following conversation offers plenty of practical ideas, but it also reveals a common theme: an organization is only as strong as its employees and the actions they take to preserve its information security. I hope it motivates you to put a small plan into action to observe NCSAM across your organization.
What are the top three things that employees do that lead to security vulnerabilities?
- Clicking on email links without verifying who they came from and where they are going frequently leaves the enterprise at risk of potential damage from viruses, ransomware or key logging malware. Socializing “think before you click” with employees is truly meaningful here and often the most powerful tool for protecting corporate information.
- Sending email without ensuring that all confidential and internal use-only information has been removed.
- Many security issues begin with untested software bugs. The U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software so it is incredibly important to test for all of the latest vulnerabilities to avoid potential disaster.
How do we change employee behavior to be safer and more responsive without spending lots of time and money?
Changing employees’ behavior comes down to training and awareness. Sometimes the simplest methodology works best. Monthly phishing simulations can be an excellent way to increase employee awareness of the dangers of responding to potential phishing emails. Other great ideas to motivate employees and build stronger security habits can be security awareness posters, informal “lunch and learn” events and annual training for all levels of employees within the organization. These initiatives do not have to be led by an Info Security expert if you don’t happen to have one. Well-informed employees can easily facilitate training if they are prepared and interested in the topics at hand.
Is it ever too late to alert someone about a potential computer virus or malware? Is it ok to wait and see if your PC is infected before you report a suspected incident?
No, it is never too late to notify the appropriate person. The best approach is to launch an anti-virus scan on your PC and report the issue to ensure that a qualified practitioner is available to help you should you require it. Unusual emails that seem to stress urgency in your response or present threatening language should always be reported immediately.
Should credit unions test their workforce with simulations of phishing emails to see how employees respond?
How a credit union chooses to educate, test and reinforce awareness with their employees is based on the culture of the organization. If you are considering conducting a phishing simulation, it is best to be transparent with your employees so they can see the importance of why you are testing them. Don’t forget to share the results of the exercise in a timely fashion so that the workforce can improve the next time you conduct a test.
How do you interpret and measure future success from a phishing simulation?
Use the results to measure not only improvement in awareness but also to recognize what type of phishing emails employees are the most likely to fall for and present additional training on those topics.
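The two measurements described above (the month-over-month awareness trend, and which lure types employees are most likely to fall for) are easy to compute from simulation results. The following Python is an added example, not code from the interview or from CO-OP; the campaign months, lure categories and counts in it are constructed sample data, not figures from any real exercise. It ranks lure categories by click rate so the worst-performing topic can be targeted with follow-up training, and checks whether the click rate is falling and the report rate rising between the first and most recent campaign.

```python
"""Summarize phishing-simulation results by month and by lure type.

Added example with constructed data: months, categories and counts are
illustrative assumptions, not results from any real simulation.
"""
from collections import defaultdict

# One row per (campaign month, lure category): how many employees were sent
# the lure, how many clicked it, how many reported it to the service desk.
# Constructed sample input.
RESULTS = [
    {"month": "2018-07", "category": "password-reset",  "sent": 200, "clicked": 46, "reported": 30},
    {"month": "2018-07", "category": "invoice",         "sent": 200, "clicked": 28, "reported": 52},
    {"month": "2018-08", "category": "password-reset",  "sent": 200, "clicked": 38, "reported": 44},
    {"month": "2018-08", "category": "shared-document", "sent": 200, "clicked": 52, "reported": 26},
    {"month": "2018-09", "category": "password-reset",  "sent": 200, "clicked": 24, "reported": 70},
    {"month": "2018-09", "category": "invoice",         "sent": 200, "clicked": 18, "reported": 80},
    {"month": "2018-09", "category": "shared-document", "sent": 200, "clicked": 44, "reported": 40},
]


def _rates(rows):
    """Aggregate a group of rows into click and report rates (3 decimals)."""
    sent = sum(r["sent"] for r in rows)
    clicked = sum(r["clicked"] for r in rows)
    reported = sum(r["reported"] for r in rows)
    return {
        "sent": sent,
        "click_rate": round(clicked / sent, 3),
        "report_rate": round(reported / sent, 3),
    }


def by_month(results):
    """Click and report rate per campaign, oldest first: the awareness trend."""
    groups = defaultdict(list)
    for r in results:
        groups[r["month"]].append(r)
    return [(month, _rates(groups[month])) for month in sorted(groups)]


def by_category(results):
    """Click rate per lure type, worst first: what to train on next."""
    groups = defaultdict(list)
    for r in results:
        groups[r["category"]].append(r)
    ranked = sorted(groups.items(),
                    key=lambda kv: _rates(kv[1])["click_rate"], reverse=True)
    return [(category, _rates(rows)) for category, rows in ranked]


def improving(results):
    """True when clicks fell and reports rose from the first to the last campaign.

    Reporting matters as much as not clicking: a rising report rate means the
    service desk hears about real phishing sooner.
    """
    trend = by_month(results)
    if len(trend) < 2:
        return False
    first, last = trend[0][1], trend[-1][1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])


if __name__ == "__main__":
    for month, rates in by_month(RESULTS):
        print(f"{month}: clicked {rates['click_rate']:.1%}, reported {rates['report_rate']:.1%}")
    for category, rates in by_category(RESULTS):
        print(f"{category}: clicked {rates['click_rate']:.1%}")
    print("improving:", improving(RESULTS))
```

With the constructed data the “shared-document” lure has the highest click rate, which is the topic the next lunch and learn would cover, while the overall click rate falls and the report rate rises across the three campaigns.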
Are there vendors out there who specialize in anti-phishing services?
There are several different companies that specialize in phishing tests. Credit unions should evaluate multiple vendors to see what will work for the culture of their organization and what their budget can afford. (Feel free to contact us if you need help choosing one.)
We referred earlier to “lunch and learns” as a best practice in educating the work force. What exactly are these events and how can they benefit organizations that are motivated to be more secure and informed?
Lunch and learns are brief (one hour or less) informative meetings or training sessions conducted in-person or via web or conference call depending on the needs of the organization. These informal sessions are conversational and meant to be an eye-opener on a variety of topics – not just security. Sometimes it can also be beneficial to invite someone from outside the organization to be your expert presenter.
What’s the most important thing employees forget to do when using a corporate device like a laptop or mobile phone? Do you have some smart user tips?
- Passwords and anti-virus software are commonly skipped on personal phones. Installing anti-virus protection and keeping it up to date on your cellphone is definitely a recommendation.
- Corporate devices are typically governed and maintained by the technology department, but it’s important to always be aware of your corporate policies and adhere to them at all times.
- Locking and properly securing phones and laptops is always essential. Mobile devices need to have locking, password-protected screens and laptops should be locked away in a secure storage area whenever they are not in use.
Is it ever ok to skip the virtual private network (VPN) login to browse the web on a corporate device? What’s the risk?
It is never a good idea to use your corporate laptop remotely without logging into the VPN first. The company VPN is used to protect information and assets. This tool is specifically designed to ensure that all incoming and outgoing information from the computer is encrypted and protected from being intercepted or used by people who do not have the right or need to see the information.
If a user accidentally introduces a virus to a laptop what steps are essential in protecting the laptop and the information stored on it?
The most critical and immediate action is to alert the proper contacts within the organization who handle information security.
If you are a frequent traveler for business you may even want to locate and print the correct contact numbers and email addresses that you will need in the event your laptop is infected with a virus.
IMPORTANT: Do not use the infected device to send emails to prevent spreading the potential virus further into your organization.
Do you have to be a large credit union in order to form an Information Security Committee?
Every company should have some form of collaborative group that shares information and guides the organization on information security awareness. If the company is small and does not have a dedicated Information Security Team, it should not stop them from gathering individuals from across the company, including representatives from Legal, IT and Human Resources. Monthly meetings and email distribution channels are excellent ways to increase your InfoSec footprint.
The next time I receive an email that contains a file attachment, what should I do to avoid being “that guy” who introduces ransomware and viruses company-wide?
The first and best action you can take is to just delete any suspicious emails. If the email appears to come from inside the company but you don’t recognize the sender, use the company email address book to verify the sender is an employee and reach out to them via alternate means (chat messenger or phone) to verify the email. Lastly, if you do open an email or attachment, or click on a link that takes you somewhere odd, call the service desk immediately.
National Cyber Security Awareness Month is an excellent opportunity to expand your knowledge, safety and security by taking part in information-sharing opportunities. We’ll be sharing more information on how to bolster cyber security practices at your credit union throughout the month.
Join us on October 18th at 11:00am PST for the next Fraudbuzz Webinar, where we’ll discuss the latest fraud trends and best practices.