How many information security breaches are caused by end users depends on whose statistics you quote, but a conservative estimate is about one in four. The IBM 2015 Cyber Security Intelligence Index, for example, said that more than half of all incidents were caused by people inside the organization, and that 23.5 percent of all incidents were caused by “inadvertent actors,” in other words, people who didn’t know what they were doing.
So what do users need to know? Here’s my list:
1. How important security is to the organization
Spell out the consequences of an information breach. This could be loss of financial or personal information. Even if the incident doesn’t lose data, it can still affect the organization’s reputation. Reputation really matters to most nonprofits and foundations.
2. How important users are to security
Users need to understand that the security situation has gotten worse, and that a big reason is that hackers have gotten good at social engineering and other ways of exploiting users’ mistakes.
3. Caution installing programs
Ideally, users wouldn’t be able to install programs on their computers, and only whitelisted software would be installed. But many organizations believe this is too inconvenient for users. That being the case, you have to urge them to exercise caution about what they install. If you can, offer to set them up with an ordinary user account to use most of the time. They can switch to an administrative account to do a particular task.
4. Cooperate with patching efforts
The problem with patch management is often getting users to restart their computers so the upgrades can get installed. Get them to reboot their office machines and laptops to coincide with your patching schedule. Get them to put their home computers on automatic updates for as many apps as possible.
5. Physical security: theft, clean screen, proper paper
In the office, laptops should be locked down. Users should set their operating systems to require a new login if they leave for more than a very short time. Passwords or other important paper documents should not be easily accessible.
6. Be cautious opening attachments
Explain how email attachments can be a source of malware. This has been known for quite a while, but we can’t assume everybody knows it.
7. Caution clicking on links in email
This is the newer approach in phishing and spear phishing: just get a user to click on a link in a message, and a hacker can deliver malware. Giving examples of how to detect phishing is important. Doing a phishing security test before the training session is even better. You can get a free trial of one from KnowBe4.
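One way to produce such examples for a training session is to show users the link indicators that give phishing away. The following is an added illustration, not code from the original post: it extracts the links from a constructed HTML e-mail body and flags the two indicators most worth teaching, a destination that is a bare IP address, and visible link text that names one site while the real destination is another (a punycode host is flagged as a possible lookalike as well).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for the demonstration (not a real e-mail).
SAMPLE_HTML = """
<p>Your mailbox is almost full. <a href="http://198.51.100.7/login">Click here</a> to upgrade.</p>
<p>Review your account at
<a href="https://secure-login.example.net/verify">https://accounts.example.org/verify</a></p>
<p>Unsubscribe: <a href="https://example.org/unsubscribe">example.org</a></p>
"""

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")          # dotted-quad host
LOOKS_LIKE_HOST = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")   # visible text that names a site


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return [(href, [reasons])] for links showing common phishing indicators."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if IP_RE.match(host):
            reasons.append("destination is a bare IP address")
        if "xn--" in host:
            reasons.append("destination host uses punycode (possible lookalike)")
        # If the visible text itself names a site, it should match the real destination.
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if LOOKS_LIKE_HOST.search(text.lower()) and shown_host != host:
            reasons.append(f"text shows {shown_host} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` flags the first two links and leaves the third alone, which is exactly the before-and-after contrast worth putting on a training slide.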
8. Caution clicking pop-ups
Those pesky pop-ups you get, usually from going to websites, can contain malware, and anywhere you click on them can cause a malware download. Getting everybody to use a pop-up blocker can help, but at least teach them that Alt-F4 (or maybe Ctrl-F4) can close the pop-up without clicking on it.
9. Special caution with company data or financial assets
This ranges from encrypted communications or multi-factor authentication with banking counterparts to skepticism about CFO/CEO wire transfer emails. In general, only people with a need to know should access financial data. In addition, other confidential information, as identified in a risk assessment, should also be flagged for special treatment.
10. Create strong passwords, keep them private and change them
This is Security 101, but it’s surprising how many users will continue to use weak passwords and even to share them. The general response is that strong passwords are hard to remember, which is why recommending a good password management service can help.
11. Caution with wi-fi connections on the road
Users should be urged to avoid wi-fi networks that are not password-protected, to make sure the network they connect to is not being spoofed, and generally to avoid sending sensitive information while on the road. Cellular networks and mi-fi devices are somewhat better than wi-fi.
12. Protect your credentials, e.g. multi-factor authentication
Certainly while on the road, but in general, adopting multi-factor authentication will help keep credentials from compromise. It does cause a little inconvenience, but as more and more cloud-based systems are used, credential theft becomes a major weakness in the system.
13. Don’t use strange flash drives
USB drives can be great sources of malware. If users have any question about where the USB drive has been, the best thing is to not connect it to their computers. A USB drive was how the U.S. got the Stuxnet virus onto Iran’s nuclear centrifuge controllers, and USB drives on the sidewalk outside offices have been used to get viruses onto corporate networks.
14. Report any phishing, lost devices, or any other security issues
Make it clear that reporting issues is GOOD. Users should understand there is nothing to be embarrassed about and that they are really helping to let IT know what is going on.