Welcome to the second part of the document security series (if you missed it, you can read part one here). This time, we’re going to shift the focus onto your users. Yes, your users.
Believe it or not, your users are one of the most important security systems that you have. Why? Well, all your technical security measures won’t mean a thing if an employee accidentally falls victim to a phishing email or sets their administrator account password as “password123.”
Human error is the root cause of most security breaches. In the UK, for example, of the 2,124 reported security incidents only 292 were deliberate cyber attacks. The rest happened because of, you guessed it, people.
Obviously, you want to make sure that only authorized users have access to sensitive documents. So, how do you ensure that your users don’t accidentally give hackers an easy way to steal your files without having to completely restrict their document access? Training and, as your failsafe, user authentication. Together, they will help you keep your files and documents secure.
It’s your job to train them
Your employees are great at what they do. The thing is, they may not be the most knowledgeable when it comes to cybersecurity. That’s okay though. It’s not necessarily their job to know about the latest security practices.
That’s why companies have a responsibility to bridge that natural skill gap. How? You need to provide training and awareness programs that will help prevent your well-meaning employees from doing things like accidentally uploading malicious files to the company document management system or sharing a confidential document with the public.
Sure, you may have secured your network from external threats but your unsuspecting internal users can be a hacker’s easy way around them. It’s important that you make sure that you hold regular company-wide training sessions.
What do you need to include in these training sessions? Some essentials include teaching employees about:
- Downloading files and using unauthorized devices
- Suspicious links and email phishing
- Social engineering
- Personal device maintenance and safeguards
- Password best practices (which means a different, strong password for every account, ideally generated and stored by a password manager rather than memorized or reused)
- Reporting security threats
We know, that’s a lot to cover. So, where should you start? While you need to go over all of these topics eventually, you should begin with the most important security threat: email phishing.
Why? In the past year, 76% of businesses have reported a phishing attack and that number is growing. Phishing attempts have also risen by 65% during that same time period. These scams take many different forms. The most common one (which you’ve probably experienced yourself) is someone posing as a store or bank. Another more dangerous strategy is called “whaling” (or “whale phishing”). This is a targeted attack aimed at a specific person with access to large sums of money or confidential company information, and it is usually researched and written to look like routine business for that person. Either way, these cyber attacks are expensive. The average cost of a phishing attack for a mid-sized company is $1.6 million.
Motivated now? You should be. It’s essential to show employees the warning signs of a phishing attempt and offer them clear instructions on how to report it. So, get your training program set up ASAP.
Fool me once, shame on you. Fool me twice...
It’s important to make sure that the people who have access to your data are who they say they are. To start, you should make sure that all your users have strong passwords. However, a password is only one factor, and that’s just the first step. You should always require at least two factors to log in. If you don’t, a single stolen or guessed password is enough to get in, and you’ve made yourself a whole lot more vulnerable (especially if some of your team members take business trips and log in from hotel and airport networks outside of the office).
For example, by obtaining a single password, hackers were able to gain access to Deloitte’s entire email network. However, this could have been easily prevented. How? All Deloitte needed to do was use two-factor authentication on that account.
Two-factor authentication is pretty simple. It just means that a user needs to give two pieces of evidence that they are who they say they are. The first piece is something that they know, usually a password, while the second piece is something that they have. In practice, this means entering a one-time code from an authenticator app on their smartphone or using a physical security key like Google’s Titan Security Key. Hackers may be able to steal a password but they’re going to have a much harder time stealing a physical security key or smartphone. One caveat: a six-digit app code can still be phished if the attacker relays it to the real site within the few seconds it is valid, so where you can, prefer security keys, which tie the login response to the genuine website and cannot be replayed from a look-alike page.
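To make the “something you have” factor concrete, here is an added example (not code from the original article or from any product it mentions) of how an authenticator-app code is produced and checked. The code is a standard RFC 6238 TOTP computed from a secret shared between the server and the phone, so knowing the password alone never yields it. The user record, the password and the salt are constructed for the demo; the 2FA seed is the RFC 6238 test secret, so the expected codes can be checked against the RFC’s published vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo data, not a real account. The TOTP seed is the RFC 6238 test secret.
TOTP_SECRET = b"12345678901234567890"
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        # Only a slow salted hash of the password is stored, never the password itself.
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 200_000),
        # The TOTP seed must be kept in clear (or encrypted, not hashed): the server
        # has to recompute the code, so protect this column like a private key.
        "totp_secret": TOTP_SECRET,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30 s windows since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side (clock drift).

    The same tolerance is what lets a real-time phishing relay reuse a code for
    up to a minute or so, which is why hardware keys are preferred for high-value accounts.
    """
    counter = unix_time // step
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        # compare_digest is constant-time; no early return so timing does not reveal the match.
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok


def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Two-factor login: both the password and a fresh TOTP code must be correct."""
    user = USERS.get(username)
    if user is None:
        return False
    # Evaluate both factors before deciding so a failure does not say which one was wrong.
    pw_ok = check_password(user, password)
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 6-digit code for this window is 287082
    print("phone shows:", totp(TOTP_SECRET, now))
    print("password only:", login("alice", "correct horse battery", "000000", now))
    print("password + code:", login("alice", "correct horse battery", totp(TOTP_SECRET, now), now))
```

The point to take from `login` is that a stolen password fails without the second factor, and a stolen code fails without the password; the point to take from `verify_totp` is that the code is only as unphishable as the window is short.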
Had Deloitte been using two-factor authentication, the hackers wouldn’t have had the second factor that they needed to log in, and a second-factor prompt arriving out of the blue would have warned the account owner that someone was using their password. In the end, that one extra step would have stopped attackers who held nothing but the password.
With the right training regime and user authentication practices, your users will be able to help strengthen your security, not hurt it. You don’t need to take drastic measures either. If you have a strong security foundation, like the public cloud, it doesn’t take much for your employees to help keep your organization safe. In fact, it’s so easy that they may not even realize that they’re doing it. Often, all that you need to do is make them periodically confirm that their security settings are in line with company standards using tools like Google’s Security Checkup.
Don’t relax just yet though. The security tips don’t end here (again, if you missed it, here’s part one, and, if that's not your cup of tea, you can jump ahead to part four). Check back next week to learn about the importance of keeping your data centralized, backed up, and up to date. If you don’t want to wait, you can also download our document security white paper now.