Not a day goes by without someone – a client, friend, or complete stranger! – asking me what they can do to strengthen their organization’s security posture. While the question is difficult to answer without a formal inquiry, review, or test of the entity, I can almost always predict the organizational security weak link: your team.
To be fair, this is not because your team is full of bad employees, but rather, it’s that they are human and have free will. The Oxford Dictionary defines free will as “The power of acting without the constraint of necessity or fate; the ability to act at one’s own discretion.” That definition should scare anyone in security.
Here’s your handout: the two areas every organization should implement are Security Awareness Training and Dual Factor Authentication – both for email and remote access into the organization.
Security Awareness Training
Security Awareness Training must be both formal and informal. A set of security guidelines must be prepared and reviewed at least annually with all employees – sign-off on these should be mandatory. “All employees” means all employees; your job title will not prevent a security breach.
Further, for the person or department in charge of security in your organization, the security awareness training does not end there. It is an ongoing, day-to-day effort to keep employees informed of current threats so that they are empowered to make the right decisions. Employees can be kept informed through alerts sent via email, intranet posts, video, or text messages. Use your imagination – there is no right or wrong way to keep employees informed. What’s important is that there is an active security dialogue that keeps everyone prepared to prevent a potential breach.
Security Awareness Training is necessary, but how can you measure the effect your training is having on your employees? What risk do your current employees pose to the organization? How susceptible are they to the various types of phishing attacks? If your team doesn’t understand the security risk employees pose to the organization, they can’t begin to successfully defend against and mitigate those risks.
One way to get a baseline of your employee security risk is by using a third-party product to phish your employees. Don’t use the canned emails that everyone expects, but create phishing emails from high-level employees within the organization to see if employees can identify phishing emails. Are your employees looking for slightly different email addresses and correctly formatted emails? Are they clicking on links or attachments that they weren’t expecting? Are they following up with an email sender via another means of contact other than email to verify the email is good? Phishing employees could prevent a breach that closes your organization for good.
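The three tells listed above (a sender address that is slightly off, a familiar display name on an unfamiliar mailbox, an executive's mailbox name on some other domain) can also be checked by a mail filter before the message ever reaches the tired employee. The following is an added example, not code from the original article or from McKonly & Asbury: it scores a `From:` header against a constructed list of executives (the names, addresses and the `example.com` domain are hypothetical), using edit distance for lookalike domains.

```python
from email.utils import parseaddr

# Constructed data for this example: the executives an attacker is most likely to
# imitate, keyed by display name (lower-case) -> genuine address. All hypothetical.
TRUSTED_SENDERS = {
    "jane doe": "jane.doe@example.com",   # CEO
    "john roe": "john.roe@example.com",   # CFO
}
TRUSTED_DOMAINS = {addr.rpartition("@")[2] for addr in TRUSTED_SENDERS.values()}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert / delete / substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, max_edits: int = 2) -> list:
    """Return findings describing why the From: header resembles an imitation of
    a trusted sender. An empty list means nothing lookalike-related was found."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if "@" not in addr:
        return ["From header has no parseable address"]
    local, _, domain = addr.rpartition("@")
    findings = []

    # 1. Domain a few keystrokes away from a real one (examp1e.com, example.co).
    nearest = min(TRUSTED_DOMAINS, key=lambda d: levenshtein(domain, d))
    dist = levenshtein(domain, nearest)
    if 0 < dist <= max_edits:
        findings.append(f"lookalike domain {domain} is {dist} edit(s) from {nearest}")

    for trusted_name, trusted_addr in TRUSTED_SENDERS.items():
        if addr == trusted_addr:
            continue   # the genuine mailbox; nothing to flag on these grounds
        t_local, _, t_domain = trusted_addr.rpartition("@")
        # 2. An executive's display name paired with some other address.
        if name and name == trusted_name:
            findings.append(f"display name '{name}' used with non-matching address {addr}")
        # 3. An executive's mailbox name on an unrelated (not merely lookalike) domain.
        if local == t_local and domain != t_domain and dist > max_edits:
            findings.append(f"mailbox name '{local}' on unrelated domain {domain}")
    return findings


def is_suspicious(from_header: str) -> bool:
    return bool(assess_sender(from_header))


if __name__ == "__main__":
    # Constructed sample headers, the kind a simulated phishing campaign would use.
    for header in ['"Jane Doe" <jane.doe@example.com>',
                   "jane.doe@examp1e.com",
                   "Jane Doe <jane.doe@gmail.com>",
                   "John Roe <john.roe@example.co>",
                   "Some Vendor <billing@vendor.example>"]:
        print(f"{header:45} -> {assess_sender(header) or 'ok'}")
```

The same checks make a good scoring rubric for the simulation itself: every sample message that would have been flagged by rule 1, 2 or 3 is one an attentive employee could also have caught, so the click rate on those messages is a direct measure of whether the training is landing.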
Dual Factor Authentication
Dual factor authentication for email and remote access is another area that every organization needs to implement to strengthen their security posture. In the preceding section, I outlined what you should do to strengthen your security awareness training and gauge your employee risk. No employee is perfect, and we all make mistakes. Is the employee who just worked 75 hours that week going to make the right choice when they see an email from “the boss” at 6pm on a Friday? They just want to go home! If they click on the link or attachment and enter their username and password in order to read the important message or download the attachment from “the boss,” they have just given up their credentials, granting potential access to the network to an external party. In the meantime, the employee goes home after a long week while an attacker uses their credentials to breach the organization’s network for the weekend or send emails to all of the employee’s contacts.
Dual factor is extra insurance: if an employee does give up their credentials, an attacker will be unable to use the credentials alone to do anything. As its name implies, “dual factor authentication” requires a password and an alternate form of verification. This verification could be a token, a biometric scan, a text with a separate passcode, or even an app on your iPhone.
These are two areas that are critical for every organization to maintain a positive security posture. While there is certainly a lot more to crafting and maintaining your team’s security posture, these two areas are non-negotiable.
If your organization would like to discuss any security related topics further, please email me, David Hammarberg, Principal and Cybersecurity Services Practice Leader with McKonly & Asbury at email@example.com.
About the Author
David is a Partner with McKonly & Asbury. He has been an integral part of our firm for over 20 years, serving our clients in a variety of information technology and accounting capacities. David’s expertise and service focus areas inclu…