Better the devil you know…
In many of these articles, I repeatedly discuss the importance of a layered approach to IT security. Threats to both your physical and information assets come from a wide range of sources, each with their preferred delivery method.
We’ve discussed what a prepared business needs to do to reduce these risks: mitigate them until decision-makers judge the remaining exposure to a threat acceptable.
This can be viewed as “inside-out” defense. It’s a great first step and should always be viewed as the cornerstone to a sensible IT security strategy.
What I want to discuss in more detail today is the “outside-in” approach: probing your defenses from the outside, the way an attacker would, to find out whether you are really protected. Crossing your fingers and hoping for the best isn’t a strategy.
So you have some security in place: a firewall, antivirus, decent backups. Sorted, right? Well, these are sensible and crucial components of a robust security policy, but how do you know they work? How do you know that your team have the skills to use these security systems? How do you know they are not on Facebook all day long, clicking on every clickable link that appears, no matter how weird (or suspect)?
What we’re talking about here is the need to check that the tools and systems in place actually stop bad things from happening, and that your employees don’t scupper them by clicking on things which open the door to the bad guys or give away secrets that they shouldn’t. Vulnerability testing gives you the opportunity to look under the bonnet at your defenses and see if they are up to scratch. Are your devices fully up to date? Is any software out of date? Is the antivirus on the machine that is used once a week actually updated before it is used? Are you sure? How?
ITGUYS runs regular scans on our own systems to make sure that our devices really are up to date and if anything is missing, we can easily patch the hole. These scans are easy for us to set up and take some of the guesswork out of safety checks and overall security.
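To make the “Are you sure? How?” question concrete, here is an added example (not ITGUYS’ own tooling) of the kind of staleness check a patch-status scan produces. It reads a device inventory (the CSV rows, timestamps and thresholds below are all constructed for this example) and reports each device as ok, fail or unverified. The point a practitioner wants is the third state: a machine that has not checked in for a while is not “fine”, it is unknown, and antivirus definition age is measured at the time the machine was last used, which is exactly the once-a-week laptop case.

```python
"""Patch and antivirus staleness check over a device inventory.

Added example, not ITGUYS' scanning tooling. Inventory rows, timestamps
and thresholds are constructed assumptions for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Hypothetical policy thresholds: adjust to your own patching policy.
MAX_PATCH_AGE = timedelta(days=30)    # OS patches older than this fail
MAX_AV_DEF_AGE = timedelta(days=2)    # AV definitions older than this at last use fail
MAX_CHECKIN_AGE = timedelta(days=7)   # silent longer than this -> unverified

# Constructed sample inventory (ISO-8601 timestamps, all UTC).
SAMPLE_INVENTORY = """\
hostname,last_checkin,last_os_patch,last_av_update
reception-pc,2024-03-18T08:05:00,2024-03-12T02:00:00,2024-03-18T07:58:00
finance-laptop,2024-03-18T09:10:00,2024-01-30T02:00:00,2024-03-18T09:00:00
warehouse-pc,2024-03-04T17:30:00,2024-02-27T02:00:00,2024-03-04T17:20:00
spare-laptop,2024-03-17T12:00:00,2024-03-10T02:00:00,2024-03-11T06:00:00
"""

# The moment the check is run, fixed so the example is reproducible.
SAMPLE_NOW = datetime(2024, 3, 18, 10, 0, 0)


def _parse(ts):
    return datetime.fromisoformat(ts)


def assess_device(row, now):
    """Return (hostname, status, reasons) for one inventory row.

    status is 'ok', 'fail' or 'unverified'. A device that has not checked
    in recently is reported as unverified rather than ok: nothing has
    confirmed its state, however good its last report looked.
    """
    reasons = []
    last_checkin = _parse(row["last_checkin"])
    if now - last_checkin > MAX_CHECKIN_AGE:
        reasons.append(f"no check-in for {(now - last_checkin).days} days")
        return row["hostname"], "unverified", reasons
    if now - _parse(row["last_os_patch"]) > MAX_PATCH_AGE:
        reasons.append("OS patches out of date")
    # Definition age is measured at the time the device was last seen in use:
    # a laptop used once a week must have fresh definitions when it is used,
    # not merely at some point afterwards.
    if last_checkin - _parse(row["last_av_update"]) > MAX_AV_DEF_AGE:
        reasons.append("antivirus definitions stale")
    return row["hostname"], ("fail" if reasons else "ok"), reasons


def run_check(inventory_csv, now):
    """Assess every row; return a dict hostname -> (status, reasons)."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {host: (status, reasons)
            for host, status, reasons in (assess_device(row, now) for row in reader)}


if __name__ == "__main__":
    for host, (status, reasons) in run_check(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{host:16} {status:11} {'; '.join(reasons)}")
```

Run it and the warehouse PC shows up as unverified rather than ok, and the spare laptop fails even though it checked in yesterday, because its definitions were six days old when it was used.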
Another area where it pays to test that things are as they should be is the people who use your tech the most: your team. 32% of all cyberattacks relate to users inadvertently clicking on something they shouldn’t be clicking on. Perhaps they are distracted. Perhaps they don’t understand what they’re being invited to click on. We (me included) tend to scoff at how obvious online scams are, but the sophistication of these attacks grows week-on-week and, as I have said before, a company’s IT security is only as strong as its weakest link.
Rather than leave it to chance, or rely on the company handbook or Information Security Policy document that your team have all read and signed (remember?), testing them and seeing what they click on will actually tell you whether they get it or whether they need training. What we’re talking about is a “simulated phishing attack”. These (completely safe) attacks mimic what a bad guy would put in an email to trick you into a) clicking on a link that leads you to a malicious site and b) entering your email address and email password (for example) into that site. At that point, the bad guy has potentially gained access to your email system. Scary!
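How a simulated campaign knows who clicked and who went on to type a password, as an added example (not ITGUYS’ simulation platform): each recipient’s link carries a keyed per-recipient token, the landing page logs a GET when the link is opened and a POST when the form is submitted, and a small parser attributes the log back to recipients. The campaign key, recipient addresses, landing-page URL and log lines are all constructed for this example. Two details matter in practice and are built in here: the token is an HMAC, so a recipient cannot forge a colleague’s token, and the simulated page records only that a submission happened, never the password typed into it.

```python
"""Attribution for a simulated phishing campaign.

Added example, not ITGUYS' tooling. CAMPAIGN_KEY, CAMPAIGN_ID, RECIPIENTS,
the landing-page URL and SAMPLE_LOG are constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-campaign secret: generate a fresh one per campaign and keep
# it out of the mail template and the landing page's client-side code.
CAMPAIGN_KEY = b"example-campaign-key-change-me"
CAMPAIGN_ID = "2024-03-awareness"
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def recipient_token(email):
    """Unguessable per-recipient token: HMAC-SHA256 over campaign id + address.

    Keyed, so a recipient cannot compute a colleague's token and click it to
    frame them; the address itself never appears in the link. 20 hex chars
    (80 bits) is plenty for a token that only needs to be unguessable.
    """
    msg = f"{CAMPAIGN_ID}:{email.strip().lower()}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()[:20]


def phishing_link(email, base="https://portal-login.example.net/login"):
    """The link placed in the simulated email (hypothetical landing page)."""
    return f"{base}?t={recipient_token(email)}"


# Constructed access log (common log format) from the landing page. The tokens
# are filled in from recipient_token() so the sample matches the scheme above.
# The POST carries no password: the page only records that a submission happened.
_LOG_TEMPLATE = """\
203.0.113.5 - - [18/Mar/2024:09:02:11 +0000] "GET /login?t={alice} HTTP/1.1" 200 1843
203.0.113.5 - - [18/Mar/2024:09:02:40 +0000] "POST /login?t={alice} HTTP/1.1" 302 0
203.0.113.9 - - [18/Mar/2024:09:15:03 +0000] "GET /login?t={bob} HTTP/1.1" 200 1843
198.51.100.7 - - [18/Mar/2024:09:20:55 +0000] "GET /login?t=deadbeefdeadbeefdead HTTP/1.1" 200 1843
203.0.113.12 - - [18/Mar/2024:10:01:19 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""
SAMPLE_LOG = _LOG_TEMPLATE.format(alice=recipient_token("alice@example.com"),
                                  bob=recipient_token("bob@example.com"))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_events(log_text):
    """Yield (token, method) for each landing-page request carrying a token."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        parts = urlsplit(m["target"])
        if parts.path != "/login":
            continue  # favicon, scanners, etc.
        tokens = parse_qs(parts.query).get("t")
        if tokens:
            yield tokens[0], m["method"]


def campaign_report(recipients, log_text):
    """Map each recipient to 'no action', 'clicked' or 'submitted'.

    Tokens that match no recipient are counted separately: they are
    tampered links or scanners and must not be attributed to anyone.
    """
    by_token = {recipient_token(r): r for r in recipients}
    report = {r: "no action" for r in recipients}
    unknown = 0
    for token, method in parse_events(log_text):
        who = by_token.get(token)
        if who is None:
            unknown += 1
            continue
        if method == "POST":
            report[who] = "submitted"        # the serious outcome wins
        elif report[who] == "no action":
            report[who] = "clicked"
    return report, unknown


def needs_training(report):
    """Recipients who clicked or submitted, in a stable order."""
    return sorted(r for r, outcome in report.items() if outcome != "no action")


if __name__ == "__main__":
    print("example link:", phishing_link("alice@example.com"))
    report, unknown = campaign_report(RECIPIENTS, SAMPLE_LOG)
    for who, outcome in report.items():
        print(f"{who:20} {outcome}")
    print("unattributed requests:", unknown)
    print("needs training:", needs_training(report))
```

On the constructed log this attributes one credential submission, one click, one unattributed request from a guessed token, and two recipients who did nothing, which is the split a training session should be planned around.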
ITGUYS runs scheduled simulated phishing attacks for several clients with the twin aims of a) showing how savvy your team is and b) running training sessions to educate your company on good cyber-awareness practice.