When attackers succeed, it is often because they target unsuspecting users. They know users are busy, trusting, or distracted, and as a result let their guard down when a suspicious email lands in their inbox or they chance upon a sketchy-looking website. Most cybersecurity incidents involve some type of user activity, be it opening a malicious attachment, visiting a compromised website, choosing passwords that are easy to guess or crack, misconfiguring a system, or sharing a computing device.
Usually, activity resulting in cybersecurity breaches is not malicious. Often it’s just careless. A full 84% of business leaders say they’ve experienced a breach caused by user error. Examples of such breaches in recent years include:
Through social engineering, the credentials of an insurance company’s administrator were stolen to break into a database containing employee and customer data such as names, addresses, Social Security numbers, and income data.
Attackers broke into a bank's servers after administrators failed to enable multi-factor authentication on one of the bank's systems.
Cybercriminals used a third-party vendor’s stolen username and password to break into a retailer’s systems and steal millions of credit card numbers.
Such incidents are the reason users are often referred to as the “weakest link” in IT security. But they don’t have to be. Instead, businesses can turn their employees into their first line of defense by educating them about cybersecurity threats, promoting safe computing practices and implementing well-crafted policies to protect data. A focus on the “human element” of cybersecurity is more than a good idea; it’s an absolute necessity to help prevent cyberattacks. It takes only one bad decision by one user for a ransomware infection or some other malware attack to disrupt your operations for hours or days.
Education is key to addressing the human element of cybersecurity. Raising user awareness of cyber dangers should be a priority for all businesses. Cybersecurity training is most effective as an ongoing effort, ideally combining in-person sessions, online courses, and awareness campaigns with email reminders and posters.
Topics to cover should include the following:
Identify and avoid suspicious emails. This helps users recognize phishing attempts that use links or attachments to harvest credentials or deliver malware into your network.
Set and enforce strong password policies. Teach users to choose long passphrases, screen new passwords against lists of common and previously breached passwords, prohibit password sharing, and pair passwords with multi-factor authentication. Require a change when a password is known or suspected to be compromised; current NIST guidance (SP 800-63B) recommends against forcing users to rotate passwords on a fixed schedule, because it pushes them toward predictable variations.
Set browsers to warn users when visiting a site that has been flagged as containing malware.
Block downloads from suspicious or unsanctioned sources.
Prohibit users from sharing company-owned laptops and mobile devices.
Teach users not to access sensitive company data over public WiFi networks unless they connect through the company VPN.
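The first training topic above is easier to teach with concrete indicators than with "be suspicious." The following added example (not code from the original article) shows the checks a mail-filtering rule or a help-desk triage script can run on a raw message: a sender that trades on the company's brand, a Reply-To routed to a different domain, link text that names one host while the href points to another, links to look-alike domains, and executable or macro-bearing attachments. The two messages, the trusted domain `example.com`, and the risky-extension set are constructed for the example; a deployment would substitute its own values.

```python
"""Flag common phishing indicators in a raw email message.

Added example, not code from the original article. The messages below are
constructed for illustration; TRUSTED_DOMAIN and RISKY_EXTENSIONS are
assumptions a deployment would replace with its own values.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the organization's own mail domain
BRAND_LABEL = TRUSTED_DOMAIN.split(".")[0]
# Executable or macro-bearing attachment types that should not arrive unsolicited.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
HREF_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def domain_of(addr):
    """Mail domain of an address, lower-cased ('' when there is no @)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def is_lookalike(host):
    """Host borrows the brand label (e.g. example-secure-login.net) but is not the trusted domain."""
    return bool(host) and BRAND_LABEL in host and not is_trusted(host)


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender that trades on the brand: look-alike domain or brand name in the display name.
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    if not is_trusted(sender_domain) and (is_lookalike(sender_domain) or BRAND_LABEL in display.lower()):
        findings.append(f"sender impersonates {TRUSTED_DOMAIN}: {display!r} <{sender}>")

    # 2. Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender_domain}")

    # 3. Links whose visible text names one host while the href points to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    links = HREF_RE.findall(text)
    for href, label in links:
        shown = URL_RE.search(label)
        if shown and host_of(shown.group(0)) != host_of(href):
            findings.append(f"link text shows {host_of(shown.group(0))} but points to {host_of(href)}")

    # 4. Any link, visible or hidden in an href, that lands on a look-alike domain.
    hosts = {host_of(u) for u in URL_RE.findall(TAG_RE.sub(" ", text)) + [h for h, _ in links]}
    for host in sorted(hosts):
        if is_lookalike(host):
            findings.append(f"look-alike domain in link: {host}")

    # 5. Attachments of a type that executes or carries macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""\
From: "Example IT Support" <helpdesk@example-secure-login.net>
Reply-To: inbox@collector.invalid
To: alice@example.com
Subject: Action required: your password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires in 2 hours. Reset it now:
<a href="http://example-secure-login.net/reset">https://sso.example.com/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJDREVGRw==
--b1--
"""

SAMPLE_LEGIT = b"""\
From: "IT Support" <it-support@example.com>
To: alice@example.com
Subject: Maintenance window Friday
Content-Type: text/plain; charset="utf-8"

Details: https://intranet.example.com/maintenance
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw))
```

Each finding maps to something a user can be trained to notice: hover over a link and compare the host to the visible text, check that the domain after the @ is really the company's, and treat a "PDF" that ends in .exe as hostile. None of these heuristics is sufficient on its own, which is why the function reports all of them rather than a single verdict.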
Technology alone cannot guarantee the security of a company’s data. User education must be supported by common sense policies. If you train users and do nothing to enforce security rules, chances are users will fall back on bad habits that can lead to a breach.
Security policies are multidimensional. Password policies are a good starting point, but businesses also need to decide who gets access to which systems. Employees should be granted permissions only to the systems they need to do their jobs, and those permissions should be reviewed when roles change.
Businesses also need rules on whether employees may use their own mobile devices at work (BYOD). If so, those devices need to be inventoried and monitored, protected with endpoint security and full-device encryption, and enrolled in a management tool that can wipe them remotely in case of loss or theft. Mobile devices should also be containerized so that company data stays separate from personal files.
When employees leave the company, take immediate steps to disable their access to company systems, make sure all company-owned devices are returned, disable the employee's email account, and rotate passwords and keys for sensitive company assets to which the employee had privileged access. All of these steps seem obvious, but businesses often neglect them.
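Password policy is the one item above that is easy to enforce in code at the point where a user sets a password, and it is the place where the training topic on passwords turns into something measurable. The following added example (not code from the original article) checks a candidate password against the rules current NIST SP 800-63B guidance actually recommends: a minimum length rather than composition rules, a deny-list of common passwords, no username or organization name, no repetitive strings, and a comparison against known breach data using the k-anonymity range-lookup technique, in which only the first five hex characters of the SHA-1 hash leave the client. The deny-list, the organization words, the breach corpus and the 12-character minimum are constructed assumptions for the example.

```python
"""Evaluate a candidate password against a policy built on NIST SP 800-63B guidance.

Added example, not code from the original article. The deny-list, the
organization words and the breach corpus below are small constructed
stand-ins; MIN_LENGTH is an assumed organizational choice.
"""
import hashlib
import re

MIN_LENGTH = 12   # assumption: SP 800-63B requires at least 8; longer passphrases are encouraged
MAX_LENGTH = 128  # do not cap passphrases at a short length
ORG_WORDS = {"example", "exampleco"}  # assumption: names an attacker would try first
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, indexed by the first five hex
# characters of the SHA-1 hash. A k-anonymity range lookup sends only that prefix to the
# service and compares the returned suffixes locally, so the password never leaves the client.
BREACH_CORPUS = {}
for _leaked in ("Winter2023!", "Passw0rd123", "Summer2024!"):
    _h = sha1_hex(_leaked)
    BREACH_CORPUS.setdefault(_h[:5], set()).add(_h[5:])


def seen_in_breach(password):
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]  # only `prefix` would be sent over the network
    return suffix in BREACH_CORPUS.get(prefix, set())


def evaluate_password(password, username):
    """Return the policy violations for `password`; an empty list means it is acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Strip trailing digits and symbols so 'Password1!' is still caught as 'password'.
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    if core in COMMON_PASSWORDS:
        reasons.append("matches a common password")
    lowered = password.lower()
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    if any(word in lowered for word in ORG_WORDS):
        reasons.append("contains the organization name")
    if re.search(r"(.)\1{3,}", password) or len(set(password)) < 5:
        reasons.append("too repetitive")
    if seen_in_breach(password):
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    for candidate in ("Winter2023!", "correct horse battery staple", "alice@example-2024!!"):
        print(repr(candidate), evaluate_password(candidate, "alice") or "accepted")
```

Note what the policy does not contain: no requirement for an uppercase letter, a digit and a symbol, and no expiry date. The breach check is what replaces scheduled rotation; when a password shows up in a new breach dump, that specific password is forced to change, and the rest of the workforce is left alone.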
End users are often the weak points that enable cybersecurity breaches, but educating your people is only part of the battle. Understanding the threats and what cybercriminals are after is essential to building strong cybersecurity defenses. If you know your enemies, you have a better chance to defeat them. In addition to user education, here are some other essential components of a comprehensive cybersecurity strategy that will grow with you:
Implement advanced tools: Businesses need tools that deliver endpoint protection, scan for breaches, secure the network through firewalls and other methods, and perform threat analysis to keep their data safe. Cloud-based platforms that address multiple security layers typically are the easiest, most affordable path to cybersecurity for small businesses.
Invest in expertise: It is hard to have a full grasp of cybersecurity without expert help. For smaller companies, working with a managed security services provider (MSSP) is often the most practical option, and even businesses with in-house experts can benefit from tapping a provider.
Secure mobile devices: As computing becomes more mobile and cloud-based, companies must include mobile devices in their security strategies or risk leaving a door open to cyberattackers.
To effectively ward off the ever-changing raft of security threats, you need a comprehensive strategy that unites user education, common-sense policies, and a robust protective technology layer.
Whether it’s costly malware, ransomware, bots, or a phishing attempt, small businesses need to implement cybersecurity measures that include anti-virus programs, firewalls, and network security solutions that proactively help protect all devices connected to your network. See how Comcast Business SecurityEdge™ can help protect the Internet-connected devices that employees and guests use every day.