Seven reasons you need a Human Firewall
Automated tools like anti-virus software, firewalls, and other computerized security technology can only go so far to eliminate the threat posed by a small army of professional hackers. Like most crimes, the human element is critical for the cyber crime to be successful. To combat this, I sorted out 7 urgent reasons why you need to create your "human firewall" as soon as you possibly can. Employees are your last line of defense and need to become an additional security layer when attacks make it through all your technical filters.
Your users need to be trained to become a human firewall against cyber attack
- Phishing leads the IRS dirty dozen of scams
- Phishing is the use of phony email to obtain information or compromise systems. The Internal Revenue Service rounded up some of the usual suspects in its annual look at the Dirty Dozen scams you need to watch out for this year. It should come as no surprise that the IRS saw a big spike in phishing and malware incidents during the 2016 tax season because the agency has been very public about its battle with this scourge.
- CEO Fraud / W-2 Scams is their close second
- Just this month the IRS issued another warning about what it called dangerous, evolving and very early W-2 scams that are targeting a widening swath of corporations, school districts and other public and private concerns. High-risk users in Accounting and HR need to be frequently exposed to simulated attacks using email, phone and text to inoculate them against these attacks.
- Phone Scams
- Your users need to be trained that when they pick up the phone, the person on the other end might be a criminal hacker that tries to manipulate them into getting access to the network. They impersonate "Tech Support" and ask for a password, or pretend to solve technical problems and compromise the workstation. Our technicians have seen this hundreds of times. Sometimes the scam's goal is to get a payment for services, and sometimes it is to create a backdoor.
- Your Antivirus is getting less and less effective
- We all had the nagging suspicion that antivirus is not cutting it anymore, but the new Virus Bulletin numbers confirm your intuition. Virus Bulletin (VB) is the AV industry's premier "insider site", and shows how good/bad endpoint detection rates are, but VB also covers spam filters, and tests them on a regular basis.
- Both antivirus (aka endpoint protection) and spam filter tests are published in quadrants graphing the results. What most people do not know, is that participants in this industry all share the same samples, and it's often just a matter of who gets the definition out first, because soon enough everyone else has that malware sample and blocks the hash.
- The problem? Proactive detection rates have dropped from about 80% down to 67-70% over approx 9 months. Now you might think that if AV does not catch it, your spam filter will. Think again. One in 200 emails with malicious attachments makes it through. That puts the potential for malware making it in your users' inbox into the millions… every day.
- The Internet Of Things
- Your users need to understand the nature of connectedness. Both consumer and commercial devices are using wireless protocols to connect to each other and the internet, with vendors rushing products to market without proper security features. When things like lights, power, HVAC systems are exposed on the network, lots of risks are also created.
- Your employees need to be trained to change the default passwords and disable remote access. If your organization has anything to do with critical infrastructure, users need to be aware of the risks and do fire drills so they are prepared for any kind of attacks against the IoT.
- Over-reliance On Web Services
- This break down in two different flavors.
- First, shadow-IT where employees completely bypass the IT department and create their own storage and services: an invitation to a host of vulnerabilities and data breaches that IT cannot control. Employees need to be enlightened about the dangers of shadow-IT and understand the risks. An example of this is the Stux-net attack on Iran's nuclear materials refinery, where outside agents implanted a sophisticated piece of malware inside a completely isolated network (no internet connections). They did this by dropping a few thumb drives with the malware in the parking lot. Employees then unwittingly inserted the thumb drives inside the "secure" network.
- Second, web-apps and mobile apps are increasingly vulnerable to attacks while talking to third-party services. There’s no actual certainty that apps are connecting to the expected entity, or if a man-in-the-middle stepped in, stealing data, and possibly returning false information. This is a problem that developers need to solve with industry-strength handshaking and encryption protocols
What can Companies do to fight these risks?
One thing and one thing only will fight this type of risk. User training and testing. We have partnered with a famous security consultant and a training firm to be able to provide risk testing, security training for non-technical and technical staff, and compliance testing to evaluate the training effectiveness.Click on the button below for a free quote or a free and safe security test.
Or copy this URL and go to it if you don't trust buttons.https://www.pcmethods.com/human-firewall-lp
Chicago area ERP consultant with over 40 years of experience in Sage 300, Sage Pro, Quickbooks ERP and other systems