Blog

Cybersecurity Committee: Employee Awareness and Social Engineering

March 25, 2021

For a more visual presentation, download the Cybersecurity Committee’s Step Three Part Two infographic here. Otherwise, read the blog below!

Bringing Awareness

  1. Assess Employees – Skills Analysis
  • Perform a skills analysis to understand workforce members’ skills and behaviors. Know areas they are weak in or are not adhering to.
  1. Change Behavior – Create a Security Awareness Program
  • Learning Media and Reminders
    • Such as internal newsletters or posters in the lunchroom
  • Phishing Awareness Campaigns
    • Employees are baited with phishing emails by their employer to help educate them on how to spot and report actual phishing This helps protect themselves and the company.
  • Automated Online Training & Classroom Training
    • The training is specific, tailored, and focused based on the specific behaviors and skills needed by the workforce, depending on an employees job role and responsibility.
  • Vendor/Product tools for Cyber Education
  • Create a Security Awareness program.
    • Every employee understands their role to ensure the security of the company.
    • Spell out obligations and expectations.
  1. Track Metrics & Update Training
  • Training is repeated periodically, measured, and tested for effectiveness and updated regularly.

Social Engineering Threats (The art of manipulating people so they give up confidential information)

  • Phishing– The fraudulent practice of sending emails, or other electronic communications, appearing to be from reputable sources to trick individuals into revealing private information.
      • Spear Phishing– Targets a specific group or type of individuals, such as a company’s Accounting Department.
      • Whaling– An even more targeted attack usually aimed at Senior Executives within an industry or business.
      • Smishing– An attack that uses text messaging or SMS to fraudulently send a message to your cell phone to entice you to click on a link or call a phone number.
      • Vishing– This is an attack involving voice calls with either a conventional phone system, cell phone, or Voice over Internet Protocol (VoIP) systems.
  • Default or common passwords
      • Default Passwords– Many Internet-connected devices, such as routers and webcams, initially come with default usernames and passwords to allow new users to log into and configure them easily. Many people neglect the important step of changing or removing the default login information, leaving them vulnerable to attack.
      • Common Password– This is when someone uses a very simple (common) password like “password” or “secret.” Choosing common passwords makes it easier for an attacker to gain access.
  • Clicking URL’s– A malicious URL is a link created to promote scams and attacks. By clicking on an infected URL, you can download malware onto your device, or you can be persuaded to provide sensitive information.
  • Public WiFi– The same features that make public WiFi desirable to consumers also make them desirable for cybercriminals. They require no authentication to establish a network connection, which makes you vulnerable.
  • USB Drives­– Can pose a severe security risk to networks and data. USB drives can be used to transmit malware. Don’t ever plug in a USB drive that’s not yours or that you don’t trust. If your USB drive is not encrypted, attackers may steal sensitive information. USB drives are easily lost or stolen, so back them up regularly.
  • Backup Data– Having valid data backups are the last line of defense against an attack.
      • Ensure that all system data is automatically backed up on a regular basis.
      • Test data integrity on backup media on a regular basis.
      • Ensure that backups are properly protected via physical security or encryption when they are stored.
      • Ensure that all backups have at least one offline backup destination.

To learn more from the PSA Cybersecurity Committee, visit PSAEducation.com!