Editor’s Note: This article was published in 2017 and has been updated for accuracy and comprehensiveness as of October 2020.
Here we are again, talking about security. Specifically, online security. Some of you might be thinking, “OK, OK, I got it! Security is important!” Or several of you might be buying into some of the myths:
1.) I’m too small for the bad guys to go after, they have bigger fish to fry.
2.) I have nothing worth stealing.
3.) I’m safe because my data is in the “Cloud.”
4.) I am powerless against hackers so why even try? It’s someone else’s job to worry about online security.
Historically, IT administrators and users have been at odds. Users want the power and flexibility to be productive, while administrators are viewed as gatekeepers preventing creativity and the freedom to experiment. The creativity employees bring to the table is also a company’s competitive edge, often leading to higher-quality products, decreased production costs, and faster time to market. In reality, IT administrators are trying to make this process safer, not stop or hinder it.
The reality is we are constantly under attack.
70 percent of attacks target the Small and Medium-Sized Business (SMB) space. This is because attackers know that most small to medium-sized businesses operate on the myths above instead of preparing their network for an attack. As a result, all too often SMBs are behind both on their technical security and on training their employees in end-user online security.
Cybersecurity takes constant vigilance
Attackers go undetected on a network for an average of 140+ days before a company finds the infection. This is typically because businesses just assume it won’t happen to them and resist investing in cybersecurity services. Now to be clear, security is not a destination. It is a journey of developing good habits. The threat you are defending against today may not be the same one tomorrow. Cyber threats are constantly evolving, which means that defending your network should be a daily practice.
Online security is a war where the users are on the front lines. All of us, personally and professionally, are under constant cyberattack. We need to understand that IT administrators and users are on the same side and battlefield. Your IT administrator is always thinking about what is best for the security of your data, even when end-users can’t see it or make sense of it. End-users often feel the brunt of these changes simply because they are the easiest target in the security chain, and thus the most popular one for hackers.
Because of this, end-user training is an extremely effective and useful area for SMBs to invest in. Common-sense thinking can be as effective against cyber criminals as policy or tools. At SUCCESS Computer Consulting, we subscribe to the Pause, Think, Act methodology.
Pause: What is this? Should this have happened?
Think: Why did this happen? Is it safe to proceed?
Act: Either this is expected and I’m clear to continue, or something doesn’t seem right and I need to call an IT administrator for help.
This can be as simple as not opening a file that a coworker emailed to you unexpectedly.
Pause: Wait, I wasn’t expecting this document. This email doesn’t look right.
Think: Why did they send this to me?
Act: I’ll call them first to make sure this is a legitimate email and not a spear-phishing attempt.
Or a text from your traveling CEO asking you to wire money.
Pause: This is unusual.
Think: My CEO is traveling but why do they need money?
Act: I’ll call them first to make sure this is a legitimate text.
The pros agree:
“In the digital world, caution is infinitely more important than timeliness.”
— Mark Lanterman, CTO of Computer Forensic Services
“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
— Kevin Mitnick, CEO of Mitnick Security Consulting and author of Ghost in the Wires.
Start forming good online security habits
This simple methodology can have a profound effect. You cannot stop 100 percent of vulnerabilities, but implementing a practice like “Pause, Think, Act” provides end-users a useful tool to question suspicious activity. As with anything, you need to practice and test. Developing a cadence to user education will greatly improve your company’s online security and ability to defend against these targeted cyberattacks.
Again, security is not a destination. What works today may not work tomorrow. The way we win is by implementing a layered defense strategy that includes users’ participation instead of alienating them. Provide your users with a framework like Pause, Think, Act so they feel empowered to question seemingly everyday events and alert IT when something seems off.