Technology is pivotal in protecting the enterprise, but human error is often the weakest link. These precautions help lessen the likelihood of human error undermining security efforts.
Data fuels the digital economy. And as data continues to grow in significance, the need for infrastructure security intensifies. Unfortunately, human error has a way of undermining even the most strategic approaches to security. In fact, the human element is one of four key security trends identified by the FBI, alongside pervasive ransomware, changing regulations, and hardware and firmware attacks.
When addressing human error, it’s important to recognize that employee actions don’t often have malicious intent. Consider, for instance, an employee inadvertently following a link that brings down crucial infrastructure. Or someone unknowingly using a compromised USB stick—a dangerous situation, given that accessing a USB port is one of the easiest ways to infect a system.
Developing and maintaining good security hygiene is a great way to start lessening the likelihood that human error will undermine an organization’s security efforts. Here are five critical steps to take.
1. Address account passwords
Requiring all employees to use strong passwords is one of the easiest steps you can take to protect access. According to CSO, hacked passwords cause 81 percent of today’s breaches. The reason: Most passwords are not strong enough. People like to use their first name, last name, birthday, or a child’s name, because they’re easy to remember. Unfortunately, this approach makes them extremely easy to hack. Using strong passwords and changing them regularly may seem like drudgery, but it’s critical when you consider how easily poor passwords are hacked.
Numerous beliefs exist around how to best structure strong passwords. For instance, the National Institute of Standards and Technology (NIST) suggests using passphrases built from associations unique to each individual. Specifically, NIST uses the example of items from your kitchen, like “blender vent sauté pendant red chair.” This mix of words is memorable, because you can visualize the objects, yet it’s unique to your environment—and thus harder to hack.
Others suggest developing passwords combining numbers, upper- and lowercase letters, and symbols. The difficulty here is being able to remember which password corresponds with each access point. After all, it’s important to avoid reusing any passwords. One way to approach this problem is to have staff use a password manager app, like Keeper or LastPass. These apps can even generate and save strong passwords, so your employees never have to remember them. Adding two-step verification to the mix also provides an additional layer of protection.
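The passphrase-versus-complex-password trade-off above can be made concrete by comparing entropy. The following is an added example (not from the original article or from NIST); the 12-word list is a constructed stand-in for a real wordlist, and the 7,776-word and 5,000-name pool sizes are assumptions used only for the arithmetic.

```python
import math
import secrets

# Constructed sample wordlist. A real deployment would draw from a large list
# (a diceware-style list has 7,776 words); the pool size is what drives entropy.
SAMPLE_WORDS = ["blender", "vent", "saute", "pendant", "red", "chair",
                "kettle", "spoon", "apron", "lamp", "rug", "window"]

DICEWARE_POOL = 7776      # assumed size of a full wordlist
PRINTABLE_ASCII = 94      # upper, lower, digits, symbols
COMMON_NAMES = 5000       # assumed pool of common first names
YEARS = 81                # birth years 1940..2020 inclusive


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def generate_passphrase(words=SAMPLE_WORDS, count=6):
    """Pick `count` words with a CSPRNG; return the phrase and its entropy
    relative to the list actually used."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return " ".join(chosen), entropy_bits(len(words), count)


def compare_schemes():
    """Entropy of three password-construction habits discussed above."""
    return {
        # six words from a full diceware-style list (the NIST-style passphrase)
        "passphrase_6_words": entropy_bits(DICEWARE_POOL, 6),
        # eight random printable characters (the 'numbers, cases, symbols' approach)
        "random_8_chars": entropy_bits(PRINTABLE_ASCII, 8),
        # first name plus birth year: name from a small pool, year from ~81 values
        "name_plus_year": math.log2(COMMON_NAMES) + math.log2(YEARS),
    }


if __name__ == "__main__":
    phrase, bits = generate_passphrase()
    print(f"{phrase!r}: {bits:.1f} bits from a {len(SAMPLE_WORDS)}-word list")
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:20s} {bits:6.1f} bits")
```

The name-plus-year figure is an upper bound: real choices cluster heavily, so the attacker's effective search space is far smaller than the arithmetic suggests.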
2. Spotlight phishing attempts
Phishing often involves hackers sending emails to employees with the intent to extract vital information that ultimately enables them to access the enterprise. As CSO reports, numerous telltale signs should help identify a phishing attempt:
- Unexpected correspondences
- Sense of urgency
- Appealing to a sense of authority
- Lack of detailed explanation
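The four telltale signs can be turned into a simple awareness-support triage, as in this added example (not from the article or from CSO). The trusted domain, keyword lists and the two sample messages are all constructed here for illustration; a real mail filter would use richer signals than these heuristics.

```python
import re

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organization's own domain

URGENCY = re.compile(r"\b(immediately|urgent|within \d+ hours?|right away|"
                     r"account will be (suspended|closed))\b", re.I)
AUTHORITY = re.compile(r"\b(ceo|cfo|it department|helpdesk|legal)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
MIN_EXPLANATION_WORDS = 25


def score_message(sender: str, subject: str, body: str):
    """Return (score, reasons): one point per telltale sign present."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS:
        reasons.append("unexpected external sender")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        reasons.append("sense of urgency")
    if AUTHORITY.search(text):
        reasons.append("appeal to authority")
    # 'Lack of detailed explanation': a link or attachment with little text around it.
    words = len(LINK.sub("", body).split())
    if (LINK.search(body) or "attached" in body.lower()) and words < MIN_EXPLANATION_WORDS:
        reasons.append("link/attachment with little explanation")
    return len(reasons), reasons


# Constructed sample messages: (sender, subject, body).
SAMPLES = [
    ("ceo@example-c0rp.com", "Wire needed today",
     "This is the CEO. I need this handled immediately, no questions. "
     "Open http://pay.example.net/invoice before 5pm."),
    ("hr@example-corp.com", "Q3 benefits enrollment opens Monday",
     "Hi all, open enrollment for Q3 benefits starts next Monday and runs for "
     "three weeks. As announced at last month's all-hands, you can review the "
     "plan options on the intranet at http://intranet.example-corp.com/benefits "
     "and reach out to your manager with questions. No action is required before then."),
]


def triage(samples=SAMPLES, threshold=3):
    """Flag messages whose score meets the threshold; returns [(sender, score, reasons)]."""
    flagged = []
    for sender, subject, body in samples:
        score, reasons = score_message(sender, subject, body)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged
```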
One way to help employees avoid falling prey to phishers is to establish email expectations for content and tone, especially when emails include links or attachments. Forewarning about important emails can make a significant difference.
Phishing doesn’t only occur through email, however. Irresponsible use of social media can make people susceptible, as well. Companies need strong policies and practices for how they handle social media in the workplace. Forbes provides some key aspects that should be part of any organization’s social media policy, including guidelines relevant to security. Simply put, openly sharing information on social media accounts helps hackers build profiles useful for future attacks.
3. Protect organizational access
From an enterprise perspective, it’s crucial to make sure that credentials are always up to date. This means ensuring that former employees and contractors no longer have access. A disgruntled employee or contractor can purposefully do a lot of damage in a very small amount of time if you don’t revoke their access after they’ve departed your organization.
One way to ensure timely removal of credentials is to build it into the exit interview process as an action item, something that must occur before the company releases the employee’s last payroll or contract payment.
4. Train the troops with new skills
No enterprise can afford to ignore the importance of training the troops. Organizations need to accept that cybercrime is big business. Hackers are getting far more sophisticated, and today’s highly connected mobile environment creates more access points than ever before.
Of course, training can be difficult. There are costs involved, but they are always less than the cost of downtime—or a breach that puts you out of business. HPE can help customers with security assessment services. The HPE PointNext services team can identify weaknesses and help create practices and procedures to keep your data safe. Services include penetration testing, as well as assessing existing policies for email security and firewalls.
As HPE’s VP and CISO Elizabeth Joyce explains at the Washington Post Cyber 202 Live event, protecting the enterprise is not getting any easier. After all, cybersecurity skills are hard to find, with an estimated 3.5 million job vacancies by 2021, as reported by CSO. This brewing skills gap emphasizes a need to build the talent from within.
“It isn’t just a subset of the organization that looks after cybersecurity,” says Joyce. “Everybody is touching the digital world. We take it seriously, and look at the fact that everyone in the organization—no matter what your job is, no matter what your role is—is trained on cyber.”
5. Maintain infrastructure security
Although human error is often the weakest link in any organization’s cybersecurity chain, infrastructure security is equally important to data protection.
This is why security is built into the core of what HPE offers. The security features built into the Gen10 servers, such as the HPE Trust, can be a pivotal piece of the puzzle as organizations work to protect data access. HPE has also embraced artificial intelligence and machine learning to help quickly detect and respond to threats. The bottom line is that solid infrastructure security is always multifaceted. As such, truly protecting the enterprise requires the right mix of technology, policies, practices, and procedures. Success also means recognizing that—when operating within an ever-changing environment—organizations need to constantly evolve as well.