User Education is Important… It’s Not Safe to Assume Users Know What They’re Doing.
Take a good look at any list of recommendations to improve your organization’s computer security. Go ahead; do some googling and find a couple of lists. After reading a few, you’ll start to notice similarities between them. While they won’t be identical, there’ll be a couple of items that show up pretty much every single time.
The first recommendation that gets listed all the time is “Control the usage of Admin Users.” This really can’t be stressed enough. A user with administrative privileges can do an amazing amount of damage in a short amount of time. Accounts at this level should only be used for activities that actually require Administrator privileges.
This means that if the day-to-day account you log in with is an Administrator account, then you are doing things wrong. It also means that if your job does not require you to do anything that needs Administrator privileges, then you should not have access to an account that has them. It’s fair to say I really can’t stress that enough. If you think I sound a bit like a broken record, that’s because I am, and the reason is that the message isn’t getting across. If it were, it wouldn’t be the most common piece of security advice out there.
So that’s the first common item you’ll find. The nice thing is that most people have a reasonable idea of what an administrative user is. Even people without in-depth computer knowledge generally understand this type of user. That makes it easier for people to wrap their heads around why this is important (they may falsely believe that they should have access to one, but that’s not uncommon).
The second item that comes up all the time isn’t quite so straightforward. It can be summed up in two words: “User Education”, and again, I couldn’t agree more. Earlier today, I was going through the news, and I found a report of a breach caused by a company putting hundreds of email addresses in the TO field of an email it sent to its customers. This sort of activity is considered a breach in every way (legally, etc.). I see articles about breaches with this exact cause about once a month. It can be easily avoided by simply making use of BCC. If you don’t know what BCC is and you’re reading this newsletter, then I can say a few things with a certain degree of confidence:
1) You have been using email for just a few years.
2) There’s a strong chance you don’t really understand it.
3) If you have a company email address, you are a Security liability.
This should not come as much of a surprise. Email is the most commonly used vector for an attacker. The reasons are exactly as I already mentioned. For starters, everyone uses email, and most people don’t actually know how it works, even on a basic level. This makes it hard for the average person to spot many of the signs that an email is faked, or to understand most of the advice around good email hygiene. Attackers know all this all too well…
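The mass-TO breach described above is the kind of mistake an outbound mail gateway can catch before the message leaves. The following is an added example (not the newsletter’s own code or any product’s) that parses a constructed sample message, counts the recipients every reader can see (To and Cc), flags the message when that count exceeds an assumed policy threshold, and rewrites it so the list moves into Bcc.

```python
"""Outbound-mail policy check for the mass-TO disclosure failure mode."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a customer mailing with every address exposed in To/Cc.
SAMPLE_MSG = (
    "From: news@example.com\n"
    "To: alice@example.org, bob@example.net, carol@example.com\n"
    "Cc: dave@example.org\n"
    "Subject: Monthly update\n"
    "\n"
    "Hello everyone\n"
)

# Assumed policy threshold: more visible recipients than this is treated as a
# disclosure risk (a real gateway would make this configurable).
MAX_VISIBLE_RECIPIENTS = 2


def _addresses(msg, *headers):
    """Parsed addresses from the named headers of a parsed Message."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def visible_recipients(raw_message):
    """Addresses every recipient can see: those in To and Cc."""
    return _addresses(message_from_string(raw_message), "To", "Cc")


def hidden_recipients(raw_message):
    """Addresses in Bcc, which the sending mail server strips before delivery."""
    return _addresses(message_from_string(raw_message), "Bcc")


def check_disclosure(raw_message, limit=MAX_VISIBLE_RECIPIENTS):
    """Return (ok, count); ok is False when the visible list exceeds the limit."""
    count = len(visible_recipients(raw_message))
    return count <= limit, count


def rewrite_to_bcc(raw_message):
    """Move every recipient into Bcc and address the mail to the sender only."""
    msg = message_from_string(raw_message)
    hidden = _addresses(msg, "To", "Cc", "Bcc")
    for header in ("To", "Cc", "Bcc"):
        del msg[header]          # Message.__delitem__ is a no-op if absent
    msg["To"] = msg["From"]      # sender addresses the mail to itself
    msg["Bcc"] = ", ".join(hidden)
    return msg.as_string()
```

A gateway would run `check_disclosure` on each outbound message and either reject it or apply `rewrite_to_bcc`; note that Bcc only protects the list if the mail server, not the client, strips the header.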
As W. Shakespeare said in “Henry VI”, Part II, Scene VII: “Ignorance is the curse of God; knowledge is the wing wherewith we fly to Heaven.”
There is a certification to prove you can drive a car; it’s called a driver’s license. There’s no equivalent to demonstrate you understand things like computers, email or safe browsing, yet it’s one of the many things that most organizations take for granted. Correcting such a skills gap may be beyond the ability of many outfits. Lots of smaller businesses really can’t afford to send their employees for basic computer training, regardless of how beneficial it might be for them.
Risks need to be acknowledged and accounted for in your policies, procedures and anywhere else it makes sense. Selecting a useful mitigation for a situation will go a long way towards limiting your risks. For example, sending emails to a large group is a potential risk (you could get flagged as a spammer, cause a breach, etc.), so if that’s something your organization does on a regular basis, then using a service that specializes in bulk mailing would help limit your risk. Another example is properly segregating your network, to lessen the risk of ransomware infecting every machine. These reduction steps are not complicated or expensive, yet they are very effective.
If you have any questions about Security Risk Assessment, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.