As security professionals, we are conditioned by consistent exposure to adversarial simulation training. This immersive form of education allows us to develop and maintain a secure environment outside of the workplace, as well as in it. This begs the question, could a bank teller do the same if given some basic exposure to this training? What about a C-level executive? Approaching the question from a broader perspective, could the average individual identify and protect themselves against an attacker? Expert Chris Hadnagy advises us, “Unless you’re in the security business or law enforcement, you won’t be familiar with every new scam that pops up. But you can still reduce your chances of becoming a victim by understanding more deeply how scammers manipulate people, regardless of their specific scheme.”
Regardless of the attack vector, understanding the attacker’s methods when eliciting information could decrease your chances of becoming a victim. You see, manipulation is just one tool in an attacker’s seemingly endless toolbox. Protecting yourself from each tool can be as simple as owning your role in security, developing a deeper understanding of the existing attack vectors, and learning how to shut down or deter a potential attacker. That is why, for this October’s Cybersecurity Awareness Month, we encourage you to Do Your Part #BeCyberSmart! Because whether you are an average worker, a stay-at-home parent, or a C-level executive, you too have a vital role in ensuring that you, your family, and your job remain secure.
Cybersecurity First at Work
Owning your role in cybersecurity can seem cumbersome when approached by someone outside the security industry. However, this first step simply requires you to identify what information or device within their realm of access needs protection.
The Cybersecurity & Infrastructure Security Agency (CISA) recommends these 5 simple tips to increase your cybersecurity at work:
- Treat business information as personal information.
- Don’t make passwords easy to guess.
- Ensure software and security settings are up to date.
- Watch what you post on social media; cybercriminals often use them to gather Personal Identifying Information (PII) and corporate information.
- Remain vigilant. Don’t click on unknown links. Instead, report and delete suspicious emails.
The National Cyber Security Alliance (NCSA) recommends these 8 simple tips for remote workers:
- Think before clicking.
- Lock down your login.
- Connect to a secure network and use a company-issued Virtual Private Network (VPN).
- Keep your personal and corporate devices on separate Wi-Fi networks.
- Keep devices with you at all times or stored in a secure location.
- Limit access to the device you use for work.
- Use company-approved/vetted devices and applications.
- Update your software.
Build a Human Firewall
Securing your work environment requires you to create what is referred to among security professionals as a human firewall. A human firewall is made up of the defenses the target presents to the attacker during a request for information. In use, a human firewall could be an employee who visited the named organization’s direct website instead of clicking on the link received via email. Or an employee who called their HR Department to verify that an emailed request for sensitive information was legitimate. Furthermore, the key to the human firewall’s effectiveness is the human’s ability to “spread the word” or report on suspicious activity.
The verification process, coupled with reporting, is what makes human firewalls a top defense against attackers. Remember, these requests can appear as emails, phone calls, text messages and even impersonation attempts from what you believe to be a reputable source. It is important to apply proper suspicion and your internal verification process to all attack vectors that malicious actors may use to compromise employees.
It’s no surprise that consistency and practice allow security professionals to react effectively when faced with a malicious actor. So, how do we expose employees to practice without compromising the security of the company we’re aiming to protect? The answer is simple; with simulated attacks and subsequent training. Social-Engineer, LLC saw an almost 350% increase in recognition of phishing emails when using a similar training platform in 2020. It is to these carefully crafted campaigns that Social-Engineer, LLC can attribute their success. These campaigns are heavily reliant on teachable moments designed to build muscle memory in preparation for the real attacks. These managed services coupled with their commitment to “leave them better for having met us”, ensures employees do their part not once but always.
Cybersecurity First at Home
In today’s world, whether you are on the go, at home, or at work, personal devices play a huge role in daily activity. In fact, the IoT market was due to reach 31 billion connected devices in 2020 and is estimated to reach 75 billion IoT devices by 2025.
It speaks to reason that, to #BeCyberSmart at home, we’d need to account for this increase in connectivity by applying basic security practices to all connected devices. Typically, corporate networks are equipped with firewalls, a Chief Security Officer (CSO), and a whole cybersecurity department to keep them safe. It is for this reason that CISA recommends we take a page out of the company playbook. Next time you’re considering home network safety, appoint an in-home Chief Security Officer to monitor security settings on all devices, ensure protective software is up to date, and above all, ensure everyone in the family is connecting carefully.
Know Your Device
Accessibility and convenience are at our fingertips with each connected device we add to the home. Unfortunately, with accessibility comes vulnerability. Most consumers don’t realize that your device is connected to millions of other computers once it’s connected to Wi-Fi. Nor that attackers will use an insecure network connection as a means to access your device remotely. Don’t let them; preventing an attacker from access requires researching a device or online product prior to purchase. So, remember, know your device. When investing in a new product to streamline your life, research the product’s security features, recent privacy/security concerns, and reviews of the product prior to purchase. This way, you may reap the benefits of the interconnected world without risking the privacy and security of your home.
Privacy and Security Settings
Ensuring the security of your home is no small feat. Start by changing default passwords and the privacy/security settings on all devices.
An ideal time to configure these privacy/security settings on your device is when the device is first turned on. Some smart devices even prompt consumers to configure privacy and security settings when activating a device for the first time. However, if your device doesn’t prompt you or you are altering the settings after the device has been in use, do not skip this. Do not allow the device to configure to a default setting. Instead, ensure you take a moment to configure privacy and security settings to your comfort level. Furthermore, secure your online accounts with long, unique passphrases and a multi-factor authentication system (MFA) wherever applicable. Because whether you are a stay-at-home parent or a college student during the recent COVID-19 pandemic, the responsibility to build a cyber-secure home falls on you.
Cybersecurity Should Never be an Afterthought
Social-Engineer, LLC said, “From the top leadership to the newest employee, cybersecurity requires the vigilance of everyone to keep data, customers, and capital safe and secure.” We’ve since learned that accountability is required of all looking to be cybersecure,. whether that be at home or at the office. If you are looking to Do Your Part #BeCyberSmart, start by utilizing Social-Engineer’s free educational resources to keep yourself familiar with the latest security practices. And remember, if you are interested in partnering with Social-Engineer to #BeCyberSmart, please contact Social-Engineer, LLC for a personalized quote. Because it is only by working together that we can truly achieve a cybersecure environment.
Sources
https://www.social-engineer.com/social-engineer-team/christopher-hadnagy/
https://staysafeonline.org/wp-content/uploads/2020/04/Own-Your-Role-in-Cybersecurity_-Start-with-the-Basics-.pdf
https://www.social-engineer.org/framework/attack-vectors/
https://staysafeonline.org/cybersecurity-awareness-month/theme/
https://staysafeonline.org/
https://www.cisa.gov/sites/default/files/publications/NCSAM_WorkSecure_2020.pdf
https://staysafeonline.org/wp-content/uploads/2020/03/NCSA-Remote-Working-Tipsheet.pdf
https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.org/framework/attack-vectors/smishing/
https://www.social-engineer.org/framework/attack-vectors/impersonation/
https://www.nist.gov/video/what-internet-things-iot-and-how-can-we-secure-it
https://www.prnewswire.com/news-releases/the-world-will-store-200-zettabytes-of-data-by-2025-301072627.html
https://us-cert.cisa.gov/ncas/tips/ST04-003
https://us-cert.cisa.gov/ncas/tips/ST04-006
https://us-cert.cisa.gov/ncas/tips/ST15-002
https://staysafeonline.org/wp-content/uploads/2020/04/IoT-At-Home_-Cyber-Secure-Your-Smart-Home.pdf
https://www.social-engineer.org/
Images
https://staysafeonline.org/cybersecurity-awareness-month/theme/
https://www.peoplesbanknet.com/creating-a-cyber-secure-home/
Great tips, I work at a small company, we have seen an increase of 4X in cyberattacks in Q4 compared to the same number of days in Q3, we are implementing most of your recommendations and also now we use to factors authorization before login to any of the companies device or account.