As you may have heard, October is National Cyber Security Awareness Month. Vendors, security practitioners and regulatory agencies alike are producing a veritable treasure trove of infographics, ebooks and articles all detailing how to avoid getting pwned. Here at OpenDNS, we turned to Tom Hash, our Director of Security Engineering, for a few tips to help beleaguered IT admins keep users safe:
Updates and patches are your friends:
You know that patching and updates are essential, but your users may see them only as annoyances, to be put off until “later”. Given the recent spike in widespread vulnerabilities (Heartbleed, Shellshock, etc.), applying updates and patches promptly is more critical than ever, for the OS and for every other application on the machine. Quantifying the impact of these disclosures in plain language will help convince users to act, but if they aren’t swayed by the severity of the vulnerabilities, push updates and patches yourself rather than leaving the decision to them.
Give users straightforward, easy-to-understand rules. For example: don’t click on unfamiliar links:
Technology can be overwhelming, even for experienced users. Combine that with the ordinary stress of the office and it’s easy to see how even astute workers may not always remember every rule (for example, not to share confidential information over office chat clients). Keep IT rules to the point and bite-sized so that people can easily remember them. If you need a starting point, try our ten-point list of top tips for users to stay safe online.
Help them help you:
Knowledge is power, and by arming your users to fight threats on their own you’ll make your life a lot easier. Steps such as making sure two-factor authentication is enabled and a password manager is installed can make a huge difference. Also train your users to seek answers on their own, for example by running suspicious URLs through VirusTotal or questioning the legitimacy of attachments before opening them (keeping in mind that a clean VirusTotal result only means no engine has flagged the URL yet, not that it is safe). These are basic practices that they can learn easily. You may also want to develop training specific to your environment so that your users are equipped to deal with the infection vectors they are most likely to encounter, for example focusing on attachments at a finance firm.
Change the channel, not the message:
Not everyone reads emails from IT on a regular basis. For some, information won’t sink in unless they see it in a PowerPoint deck or hear it straight from you. As an IT professional, there are several ways you can get your message across, whether that’s in-person training, email digests, or one-on-one tutorial sessions. You may even want to work in a practical exercise with something like PhishMe, to prove that these threats are very real and sometimes difficult to spot.
It’s not always the easiest thing to do, but by making sure your message is getting through by any means necessary, you’re creating a culture of security awareness that will benefit your organization for years to come.
Assume the worst, hope for the best:
Even if you follow all of these tips, the reality is that your security is only as strong as its weakest link, which in most cases is your users. So while you can stay positive about the effects of patching, updates and education, recognize that you are still vulnerable and prepare for the worst.
You can do this by building a multi-faceted security program with several layers of protection (one such layer being Umbrella by OpenDNS). No one solution is a silver bullet, so having multiple layers of protection is key.
Practicing good security is mostly about awareness, and people want to do the right thing. Unfortunately, human nature means that doesn’t always happen, but if you’re prepared, you can limit the damage when an incident does occur.