Pratum Blog

Seven Security Culture Mistakes Your Organization Could be Making

Hackers, like all humans, crave efficiency. And that makes your employees their favorite target. It’s easier, after all, to crack a person than a computer. Even though your cybersecurity fears may envision someone tapping out code in a darkened room, the bigger threat is an e-mail that fools an employee into granting access to the company’s system. That’s why social engineering attacks (such as bogus e-mails in phishing attacks) have become the most common method for penetrating an organization’s system.

To fully protect your data, you have to educate and motivate every employee to make security part of their daily responsibility rather than counting on IT to handle it on their own. Use the following list to check how you’re doing on the most common cybersecurity pitfalls.

1. Having no security awareness strategy

A security culture takes shape only after someone with authority deems it important, forms a plan for achieving specific goals and then carries out the plan. Your first step should be a written plan that defines the security culture you envision and provides specific steps you’ll take to get there. For example, your culture will define what level of access to company data each employee receives. Include information security themes for each quarter, which will guide your communication and training.

2. Limiting your plan to office settings

If you’re thinking only in terms of access to office-based computers and servers, you’re several years behind. The rapid switch in 2020 to working from home should cement our understanding that the dispersed workforce is here to stay. Your data probably lives largely in the cloud with access coming from dozens of personal devices and home networks. Your plan and training need to cover all of that.

3. Having no plan for training

About 30% of U.S. companies say they have no security awareness and training programs for employees or other stakeholders. That leaves hackers a wide doorway into your systems. For your first information security training program, you can turn to dozens of low-cost solutions that provide excellent and relevant material. Or consider putting together a PowerPoint with relevant security topics that engage employees across all departments. Effective security training solutions include, at a minimum, the following list of topics:

  • Data classification and sensitivity. Employees need to understand what types of data your organization stores, processes and transmits. Giving them an overview of this information helps them recognize the sensitivity of your records and how your business depends on each employee to protect the data they work with.
  • Social engineering tactics, approaches, and examples. Attackers use tactics such as fraudulent phone calls, e-mail phishing, and physical facility access to gather information about your organization or to establish remote network access. Employees must be adequately trained to recognize situations where bad actors are trying to get them to divulge sensitive information.
  • Password best practices. Passwords are the primary authentication method employees use to access sensitive data. You must provide training on how to generate strong, effective passwords that align with your organization’s requirements.
  • System patching. While your IT department will most likely manage employee devices, it’s imperative to emphasize the importance of system updates. Devices should always be kept up to date with the latest operating system and application patches.
  • Incident response. Training should cover how to quickly and effectively report potential security incidents to management and/or IT staff. Data breaches are typically discovered by an employee observing suspicious activity on their computer system or network.

4. Considering one training session enough

Many companies capitalize on a new employee’s eagerness by providing security training on the first day. While this is an important step in the onboarding process, it shouldn’t be the last time the employee hears about these policies and procedures. A study by Vanson Bourne found that just 11% of organizations continuously train employees on information security. We recommend refresher sessions at least a couple of times per year, which ensures employees get reminders on best practices, hear about the latest threats and recognize that management takes the topic seriously.

5. Assuming what employees know

Don’t generalize based on employees' job skills or age. Many leaders assume that young employees are savvier about information security since they’ve grown up using multiple digital platforms. But that familiarity—and a culture of sharing almost everything online—may actually make your younger team members bigger risks. Train everyone, and make it available in several formats (presentations, videos, quizzes, etc.) so that employees get the message regardless of their learning style.

And don’t skip the basics in your training materials. For example, “Password” is still one of the world’s most common passwords. And a Verizon study shows that approximately 76% of attacks on corporate networks involved weak passwords. So as obvious as the need for strong passwords may seem—it obviously isn’t.

6. Not involving company leadership

When employees not only hear leaders talking about the importance of information security but actually see the leaders sitting beside them in training sessions, the message is clear. Use your top managers to reinforce the priority your organization puts on security.

7. Failing to measure progress

Your long-term strategy should include benchmarks showing how you’re doing. Some common performance indicators include tracking how many employees fail routine phishing tests, who is reporting suspicious emails, how often employees change their passwords, and who is adhering to your organization’s Clean Desk Policy. With metrics in place, you can track progress and identify employees who aren’t embracing or understanding policies.
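The indicators listed above are simple to compute once phishing-simulation results are recorded per campaign. The script below is an added example, not Pratum's tooling; it runs over constructed results (a hypothetical `RESULTS` table) and produces the per-campaign failure and reporting rates, the employees who fail repeatedly, and whether the trend is heading the right way.

```python
from collections import defaultdict

# Constructed phishing-simulation results (not real data): one row per
# (campaign, employee, what they did with the simulated phish).
RESULTS = [
    ("2020-Q1", "alice", "reported"), ("2020-Q1", "bob", "clicked"),
    ("2020-Q1", "carol", "submitted"), ("2020-Q1", "dave", "ignored"),
    ("2020-Q2", "alice", "reported"), ("2020-Q2", "bob", "clicked"),
    ("2020-Q2", "carol", "reported"), ("2020-Q2", "dave", "ignored"),
    ("2020-Q3", "alice", "reported"), ("2020-Q3", "bob", "submitted"),
    ("2020-Q3", "carol", "ignored"), ("2020-Q3", "dave", "reported"),
]

# Clicking the link or submitting credentials both count as a failed test.
FAIL_ACTIONS = {"clicked", "submitted"}


def campaign_rates(results):
    """Per campaign: (failure rate, reporting rate) as fractions of recipients."""
    totals = defaultdict(lambda: {"n": 0, "failed": 0, "reported": 0})
    for campaign, _user, action in results:
        t = totals[campaign]
        t["n"] += 1
        t["failed"] += action in FAIL_ACTIONS
        t["reported"] += action == "reported"
    return {c: (t["failed"] / t["n"], t["reported"] / t["n"])
            for c, t in sorted(totals.items())}


def repeat_failers(results, threshold=2):
    """Employees who failed at least `threshold` campaigns: the people to
    follow up with individually rather than in another all-hands session."""
    fails = defaultdict(int)
    for _campaign, user, action in results:
        if action in FAIL_ACTIONS:
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def failure_rate_improving(results):
    """True if the failure rate never rises from one campaign to the next."""
    rates = [f for f, _r in campaign_rates(results).values()]
    return all(later <= earlier for earlier, later in zip(rates, rates[1:]))


if __name__ == "__main__":
    for c, (f, r) in campaign_rates(RESULTS).items():
        print(f"{c}: failed {f:.0%}, reported {r:.0%}")
    print("repeat failers:", repeat_failers(RESULTS))
    print("failure rate improving:", failure_rate_improving(RESULTS))
```

A rising reporting rate alongside a falling failure rate is the pattern to look for; a falling failure rate on its own can just mean people are ignoring e-mail.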

If all of that sounds a bit overwhelming, see how Pratum can help! Every week, our consultants help companies create their security strategy, develop plans for implementation, and maintain security awareness and training effectiveness.

Sustainable Security Solutions for the COVID Era

By this point in 2020, most of us feel like runners who left the starting line expecting a 5K and realized we were actually running a marathon. Or an ultramarathon. Or Forrest Gump’s open-ended run across America. Who actually knows? Every week forces a new revision of our pace and overall strategy as the finish line keeps running away from us.

Much of the IT world is still living on stop-gap measures thrown into place in March when it became obvious that ideas about a dispersed workplace were materializing in the span of a week or two. Arizona State University research shows that about 13% of employees worked from home a few weeks before COVID. Now, about 66% of people who still have jobs are working from home.

The old analogy of building a plane while we’re flying it doesn’t even cover the full challenge. Thanks to hackers, we also have people trying to hijack the plane we’re building in mid-flight.

Pratum’s cybersecurity experts have been working daily during the pandemic to help clients adjust to 2020’s constantly revised realities. Here are some key lessons we’ve shared with clients so far:

It’s time to focus on long-term solutions. We can all give ourselves a pass for thinking that the dispersed workforce would be a two-to-three-month phenomenon. But now that we’re hitting five months with no end in sight, it’s time to work on sustainable setups. That requires an investment. It will probably take weeks of discussions among multiple stakeholders to address all the implications of a much larger percentage of employees in a work-from-home environment. Company leaders must be ready to devote those resources to the job.

The “data-centric” mindset is now. Many IT leaders had already started shifting cybersecurity architecture from a focus on devices to the data itself. But the pandemic’s current has pulled in even late adopters. Business now happens in the cloud on a wide array of devices, many of which companies don’t own. That’s forcing IT teams to reconsider how to protect critical files, wherever they travel.

The cloud has its own requirements. Practically overnight, organizations nationwide shifted systems and processes to the cloud or provided remote access before proper security reviews could be completed. Unfortunately, many failed to properly configure their systems, leaving open doors for hackers. This spring, for example, researchers found a real estate database on Google Cloud that required no password or authentication. It contained detailed information on more than 200 million American homeowners.

Personal devices are part of the plan. Most IT teams built security policies for a handful of remote employees, not an almost entirely remote workforce. So revisions are in order to account for a wave of personal device usage that goes far beyond BYOD (bring your own device) phones. Hackers aren’t waiting around for companies to plug the holes. Ransomware attacks have spiked this summer. And one attack earlier this year penetrated a company’s mobile device management platform, giving it access to nearly every connected device.

Social engineers thrive on disrupted processes. Hackers are also capitalizing on the muddled processes that come with dispersing a workforce for the first time. At the beginning of 2020, an office worker who got an unexpected e-mail about an invoice might have shouted over the wall to confirm the payment with a co-worker or manager. Now the communication requires a phone call or e-mail, which may or may not clarify things, and may not even happen. Hackers are counting on that.

Phishing season is wide open. By some estimates, phishing attacks are up 70% since the spring of 2020. Social engineers have long recognized that remote employees often make easier targets since they may feel less connected to the organization and could be less aware of security best practices. Hackers also keep honing their phishing strategy with messages tailored around research into specific organizations and individuals. In today’s phishing e-mails, the tip-off may be as subtle as a mismatched font or referring to someone who goes by “Steve” as “Stephen.”

Clearly 2020 is forcing all of us to rapidly adjust plans while the ground shifts under us. Pratum’s consultants can help. Contact us today!

Are You Risking Security in Favor of Convenience?

Proper password habits feel like data security’s equivalent of flossing. Yes, we all need to do better with both. But if we’re pressed on how it’s going, most of us admit that we don’t even know where the floss is and that we keep most of our passwords on three sticky notes hidden under our keyboard.

We get it. Most days feel like a constant obstacle course of passwords and PINs, whether we’re trying to withdraw cash at the ATM, check a retirement account balance, use a retailer’s reward card or just stream a movie. The average American has 50+ passwords—many of which you use once or twice a year. (“Yes, specialty spice retailer, it looks like I DID forget the password that I created for Christmas of 2018!”)

Even the password’s inventor, the late MIT professor Fernando Corbato, turned antagonistic to the monster he created. He told the Wall Street Journal in 2014 that passwords have “become kind of a nightmare on the World Wide Web.”

Isn’t There A Better Option?

Password alternatives keep turning up, but no one has quite mastered the alchemy of an easily remembered, hackproof password. The “knock codes” LG added to its phones excited a lot of people, for example. Users simply tap out a chosen sequence on a blank screen to unlock the phone. But it turns out that 20% of participants forget their new codes within 10 minutes. So most people use very predictable patterns for their codes.

Biometrics are an easy-to-use option, but only if a company wants to pay to install fingerprint or retinal scanners on every device.

So the password abides. If we’re following the IT department’s advice, each password contains a different scramble of uppercase letters, lowercase letters, numbers and symbols. No wonder most of us give up and take the easy routes; 59% of us use one password everywhere, according to the password management company LastPass. Most people are willing to gamble convenience against the chance that a hacker will get the keys to their digital life.

As for writing every password down in one place…well, even Professor Corbato, Father of the Password, admitted that he kept a written cheat sheet of 150 passwords he was trying to manage. But the risk of that move isn’t going away. In June 2020, the “hacktivist” group Anonymous broke into the Minnesota Senate’s servers and hacked a file that Senate officials literally called “The Passwords File.”

And one more thing just to make the challenge even bigger: Experts advise against using the “Remember Me” function to log into web pages automatically. If someone gains access to your computer, they will have an open door into any password-protected website you use.

Real-World Password Solutions

But enough venting about password headaches. What are the current best practices for managing passwords in a way that’s secure and actually practical? Here are guidelines recommended by Pratum’s experts:

  • Use multifactor authentication whenever possible. This is the increasingly familiar approach that adds another layer of protection through steps such as texting you a verification code along with requiring a password. MFA involves two of the following three elements: something you know (password or PIN), something you have (a badge or a device) and something you are (fingerprint or voice recognition).
  • Use more complex passwords. Most of us use obvious phrases to make memorization easier. But when hackers’ software runs through thousands of password combinations per minute, they’ll eventually figure out “ILovePizza!”. Use more random combinations such as “1lovePws!”.
  • Keep rotating passwords. Yes, it’s a hassle when the IT team makes you change passwords every 90 days, and you may have seen news that this standard is falling from favor. But permanent passwords are actually recommended only for organizations that have extra protections in place such as multifactor authentication.
  • Use a browser plug-in such as LastPass. It stores all your passwords in one spot and lets you easily log into websites by choosing the appropriate password from your list. The plug-in requires its own password, so that no one can access your sites just by getting access to your computer. You also can use a password app to generate random, virtually uncrackable passwords for yourself. Do note that if you’re planning to use your workplace computer for this, you may not be permitted to install the plug-in. And be sure to use a password manager that is encrypted and protected with MFA.
  • Log in to sites via a big, trusted company. You typically see this option as “Log in with Google.” This makes things simpler, and you’re using the expertise of a major company. But your password to that service obviously should be bulletproof.

If you’re wondering whether your password game is in the sweet spot of security and usability, a Pratum expert can help. To discuss a review of your policies, reach out to our cybersecurity team.
