Educating Employees Reduces Security Breaches
June 23, 2008
Employee behavior on the Web can make or break your network security. Teaching employees what to look for is the first step.
The biggest threat to your company's network security isn't some mysterious hacker crafting digital attacks from halfway around the world. Nope. It's Dan in sales or Michelle in accounts receivable. Employees are by far the most common, if inadvertent, conduits malware takes to breach security defenses and wreak havoc on your network.
Chris Winn, strategic security adviser at Microsoft, walked us through a short history of how employee behavior affects business networks. It began when workers started clicking on e-mail attachments. "E-mail is the primary vector into a company network," said Winn. "Initially, hackers did this to slow down a network or to bring down the network altogether."
Over time, the hacker's motivation moved from merely disruptive to a moneymaking venture. The technology changed too, with the proliferation of USB thumb drives a device that provided quick and simple way to steal data from a PC.
According to December 2007 Microsoft Security Intelligence Report, the number of trojan downloaders and droppers (i.e., forms of malware) increased by 300 percent in the second half of 2007. Winn also said the report found that malicious software is the tool-of-choice criminals use for targeting computers.
With the increase in mobile workers, the thumb drive has become popular data-theft device in public places such as coffee shops. "You go into the shop and turn on your laptop to check your e-mail," said Winn. "Then you go stand in line to get your coffee. While you're distracted, someone pops a thumb drive into your laptop and you're none the wiser."
Being from Microsoft, Winn naturally pointed out a feature within Vista that addresses this particular issue. "Vista added controls that let you prohibit the unauthorized use of USB drives," he said. "A short process lets you register an unlimited number of individual drives for use on a given PC. However, the computer will not recognize an unregistered thumb drive."
Phishing schemes are another prevalent scam that hackers use to gain personal data and financial information. What you and your employees may not know, said Winn, is that phishing is cyclical.
"You'll see a dramatic increase in phishing e-mail around the holidays," said Winn. "These e-mails look like they're from your bank, PayPal or EBay for example. They typically ask you to click on a link in the e-mail, which then takes you to a Web page where you're supposed to "update" your username, password and other personal information."
Training your employees about the nature of phishing, what to look for and, above all, not to click on links within e-mail, helps keep your company's critical data and your employees' personal data out of the hands of criminals.
Winn recommends the phishing filters found in Web browsers or as part of third-party security software applications. Filters work by accessing a black list of known phishing sites. As you browse from one site to another, the filter will tell you whether any given site is safe or not. For example, the address bar in the Internet Explorer 7 browser will flash red if the site is on the blacklist.
Winn said that Microsoft has been working with partners for the past two years on the Extended Validation Certificate, which he said, is registered with VeriSign and provides a level of authenticity. "On a site with the certificate, the browser bar turns green ‑ the highest level of assurance, which is helpful especially when you're making transactions online," Winn said.
The program has been active for just one year, and Winn said it would take time for it to catch on with e-commerce sites.
Winn offered other recommendations to improve your network security.
- Educate yourself about the types of threats out there, and then educate your employees about how their actions can enhance or jeopardize network security.
- Look at security as a whole: look closely at how you protect your existing infrastructure including servers, desktops, notebooks and handheld mobile devices.
- Be sure to have full malware protection that includes antvirus, antispyware and antiphishing software (typically available as a full suite form a variety of security vendors.
- If you have remote employees make sure their notebooks, desktops and mobile devices meet your security requirements. Do you let them use their home computers to access the network over a VPN? That could infect your entire network.
- Microsoft's Network Access Protection or NAP (or Cisco's similar NAC technology): This layer of security scans any device attempting to access your network. If the device does not meet security standards (the antivirus software is out of date, for example), it's not allowed access and can be quarantined until it meets the standard.
Lauren Simonds is the managing editor of SmallBusinessComputing.com
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|