Sustaining a safe work environment is vital for any organisation. Therefore, effective cyber security in the workplace is one of the most necessary precautions to take in today’s technology-driven society. When considering a software solution to your training, reporting and recording challenges, security is certainly one thing which should be investigated closely. This article by our Internal IT & Networking Engineer, Jack Beck, outlines the numerous cyber threats organisations and people face and what you can do to keep protected.
What threats do I face?
Cyber security in the workplace is crucial and one of the simplest ways for someone to gain access to your data is by physically getting onto your network inside your building. This is more of a threat for bigger companies where visitors come and go frequently. However, if a hacker can access the VLAN where your servers and work computers sit and run the traffic through a packet sniffer, this can be disastrous as they can intercept all the traffic coming into and leaving your network. This can include looking at usernames and passwords in plain text! Key loggers can also be installed on machines very quickly from a USB.
Phishing attacks are probably the most common and costly attacks to business and home users. They can cause untold amounts of trouble from just a single E-mail. Cyber security in the workplace such as a spam filter should prevent this. However, phishing E-mails have evolved significantly over the past 20 years from an E-mail written in broken English sent from an E-mail address that looks like someone has stamped on the keyboard, to official looking E-mails with branding and deceiving addresses.
They will usually contain a link or a document that points to a compromised login portal (such as a fake Office 365 portal) in which a keylogger is installed, so when you type in your credentials, the username and password are sent to the culprit. The page will then usually redirect you to the place you wanted to go, and you carry on as normal, unaware that anything has happened.
Viruses, Malware and Scripting
There’s nothing like an old-fashioned virus! Usually contracted through a dodgy E-mail or by visiting a non-secure website with some questionable pop-up ads. A virus or malware can infect your computer and spread across your network and can do anything from repeatedly ejecting your CD drive (an office prank favourite of the early 2000s) to wiping your computer clean or installing a script to track all of your web traffic. This is why having the right cyber security in the workplace is so important.
The most common type of threat at the moment is Ransomware. This is due to the massive ‘WannaCry’ hack on the NHS and many other big European services last year. Ransomware is usually contracted in the same way as a virus or malware. Programs like CryptoLocker will encrypt every file on your machine and then hold you to ransom over the decryption key, usually around $300 to be paid in Bitcoin. Even if you do pay, there’s no guarantee that you’ll be sent the key to get your files back. This was actually featured in an episode of the popular American medical TV series Grey’s Anatomy, whereby Grey-Sloan Memorial Hospital was held to ransom while all of the machines in the facility failed. This not only included access to patients’ records but also to areas of the hospital such as blood banks, medicine cabinets etc. which are digitally controlled. There is debate about how accurate the portrayal was and how much was Hollywood hyperbole, but it certainly did bring the very serious threat and potential repercussions of Ransomware into the path of the masses.
Social Engineering Hacks:
These can be quite difficult to defend against so just be mindful of what information you’re giving away and to whom.
Imagine you’re on the train and the person sat next to you asks to borrow your phone to make a call or send a text because their battery is flat. Seems harmless? Most of the time it probably is; however, just remember what personal information you have on your phone. If you have a pin, they could have seen you enter it. It might even be the same as your bank pin, and you might even have your bank card in your phone case. What if they run off with it? In one act you’ve lost your phone, all your personal information on your phone and access to your bank account. I’m not saying don’t help someone in need, just be careful of what you are giving over to other people.
Cyber Security Protection…
Here are the 9 best tips for keeping yourself and your business secure:
1: Keep your hardware up to date
Security patches are released by vendors such as Microsoft at least once a month and even more frequently if needed. But once those patches are released, hackers can look at what vulnerabilities have been fixed in the release and then reverse engineer the security patches to find the vulnerabilities in machines that have not been updated. This is the main reason why the NHS and many other European businesses were hit so hard whilst smaller businesses and home users were okay.
2: Get a Spam Solution
A good spam filter is an excellent way to help prevent phishing attacks. Many E-mail hosting services provide their own solutions and it’s a small extra cost a month in comparison to what you could lose over all.
3: Physical Security
Examples of how to physically improve cyber security in the workplace:
- Lock your machine when you are absent from your desk.
- Security passes to get into a building.
- Locks on the server room door.
- Disabling USB access to your computer and servers.
- Make sure you have a password on your home router.
- Put an admin password on your computer with a prompt – this will prevent things from installing in the background without you knowing about it.
4: Network Security
If you’re in charge of a corporate network, ensure you have separate VLANs for work-issued devices, staff devices and company guests. This enables you to monitor each network separately, and if something infects the guest network it won’t automatically infect devices on your other VLANs, giving you precious time to invoke any necessary infection procedures. A good firewall is also a must for protecting against DDoS (Distributed Denial of Service) and other cyber-attacks.
5: Multi-Factor Authentication (MFA)
Wherever possible, use MFA; it’s a fantastic tool. A spam solution can help stop hackers getting your credentials, but MFA is preparation for if it does happen. A username and password aren’t much use if you can’t verify the sign-in with a code or device when MFA is enabled. No security solution is ever 100%. It’s worth preparing for those ‘just in case’ moments and Multi-Factor enables you to do just that. These should be easily available for your IT team to install and can be used in a number of ways, usually incorporating verification on a mobile device or similar.
6: Anti-Virus and Anti-Malware software
These work in the same way as a good spam solution and are your third line of defence against hackers. They will scan and quarantine infections on a regular basis and alert you if there’s a problem. This is a great way to improve cyber security in the workplace. There are many different types of this software on the market, with prices ranging from free to hundreds of pounds. Look closely at your needs and decide what’s right for you and your company.
7: Password, Passcodes and Passphrases
The industry is enforcing cyber security in the workplace and the standard is to now have a passphrase which differs for every site you go on. These should be at least 13 characters with an uppercase, lowercase, numeric and a special character. This sounds impossible to remember but there are plenty of tips about how to create memorable but secure passphrases online.
Passcodes can be as low as 4 digits which is fine, but don’t use the same pin for all your devices and bank cards because if you do and your phone gets stolen, your bank account and your computer could also be vulnerable.
8: Backups
Utilise backups as much as possible in order to strengthen your cyber security in the workplace. If your defences have failed against a ransomware attack you can restore from a master backup. You might lose a day’s worth of work but that’s better than a lifetime of work.
9: User training and knowledge
There’s nothing more dangerous to your network than an untrained user. Do they know what a phishing E-mail looks like? Do they know why they can’t have USB access? Are they aware of how important effective cyber security in the workplace is? Take the time to explain to users why there are security procedures and what security threats face them at work. Even if one user recognises a scripting E-mail that has slipped through your spam filter, it’s worth the time in training.
How can Safety Media help?
Safety Media’s “Computer Security in the Workplace” and “Information Security” e-learning courses can help further ensure that your employees are aware of cyber security in the workplace and what to do in the event of a cyber-attack.
Also, if you are looking for a robust and secure way to deploy your IT Security documentation across your organisation then the Document Management feature of Safety Media’s Enterprise Portal will allow you to upload, distribute and record acceptance of policies quickly.
For more information about these courses or services please contact Safety Media. We can arrange a personalised 121 walk-through of the software allowing you to assess the safety of our solution for yourself – 01745 535000 or sales@Safetymedia.co.uk
About the Author:
Jack started out as an IT Apprentice in early 2014, whilst studying IT Theory in Central London and working as an Apprentice Help Desk Engineer in Watford. He stayed there until he qualified with two City and Guilds diplomas and became an MTA in 2015. After he had qualified he stayed and became a 1st Line Support Engineer for a further year, developing his skills with Office 365, Microsoft Server, Network Administration and Network Security. He then moved to another Help Desk company in Chester where he became a 2nd Line Support Engineer. Whilst still engaged in learning about Office 365 he also gained more experience with virtualisation and Domain Administration.
This led to starting his educational path towards his MCSA and MCSE’s. After a year he moved to Safety Media to take over running of the IT Department as an Internal IT Infrastructure and Networking Engineer. Once again, Office 365 and Network Security played a major part in his job role.