Never have I encountered a new client where the business owner approached me and said “I think my staff doesn’t know how to use our information systems.” With few exceptions, it’s just assumed that everyone knows how to use a computer, and that’s all that’s required to get the job done. Let alone questions about efficiency and effectiveness, this completely overlooks the question about information security. Most users cannot tell the difference between a real or bogus software update warning. Most users cannot tell if they should or should not click on something to apply the latest update to their operating system, and what would or would not happen if they did or didn’t do so.
And yet, in most SMBs, users are left to their own devices to make these decisions. When you compound this with how effective phishing email (and now telephone) scams can be, it’s a recipe for disaster for your business. I was once told by the CFO of a multi-million dollar manufacturing firm that told me “when I see a link that says irs.gov, I tend to trust it.” And there’s the problem – links can lie. Here’s an example: click the link below, notice where it takes you, and then come back to this article. Go ahead! I’ll wait.
Where did it take you? Was it the IRS website? Didn’t think so. “But it said IRS.gov!” This is just the simplest, most trivial method of spoofing out there. Trust me – they only get more devious and sneaky.
Simply assuming that your staff know how to spot a scam when they see one is begging for your business to be successfully attacked. People need to be trained how to identify legitimate and fake communications. I’m not talking about a process where “once per year we go through a checklist to make sure our users know what not to do.” Seriously – when was the last time you did something only one time, a year ago, and you remember exactly what it was and exactly how to do it? Most people just don’t work like that! We need perpetual education, reminders, and updated information so as to be on the lookout for the latest threats. No matter what your role in the organization is, security is your job.
For starters, make sure your staff know that there are numerous other businesses that are falling victim to ransomware which are delivered as email attachments and through infected websites. Explain to them that this is why we have a policy that prohibits accessing these from work computers, without a business need to do so (and that “this is why the firewall is blocking you from Facebook”).
Then, work with a competent security professional to educate yourself and your staff in the latest threats so they know what to be on the lookout for, and establish a security awareness program. Training should be regular – at least monthly – to ensure that it stays on your staff’s minds (something I affectionately refer to as a “healthy dose of paranoia”).
Don’t make the mistake of thinking “my people know how to use computers, so we don’t need this.” That’s not what security is – it’s not about knowing what to click, it’s about knowing what not to click.
Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.