Most companies these days encourage employees to access their work email through mobile devices for availability purposes and easy contact. Unfortunately, according to a recent Fortinet Threat Landscape Report, Android-based malware now represents 14% of all cyberthreats. On top of that staggering number, add in compromised web sites, SMS phishing, and corrupt USB access points, and no matter what the device, spyware, malware ransomware and compromised apps are surging.
Sadly, when a personal device of an employee is compromised there is an increased risk to the organization. Besides deploying mobile device management software, it’s crucial to offer security awareness training that includes mobile device training.
Here are five key steps that need to be included in the training.
1. Be Cautious of Public Wi-Fi
While most public Wi-Fi access points are safe, they can be compromised. Hackers can broadcast their device as a public access point, especially in public locations like Starbucks or at large events. Then, when a user connects to the Internet through them, the criminal is able to intercept all the data moving between the victim and their online shopping site, bank, or wherever else they browse to.
Many smart devices will also automatically search for known connection points, like your home Wi-Fi. Newer attacks watch for this behavior and simply ask the device what SSID they are looking for. When the phone tells them it is looking for its ‘home’ router, the attack replies with, “I’m your home router,” and the phone goes ahead and connects. Smart devices will do the same thing with Bluetooth connections, automatically connecting to available access points.
To protect yourself, it’s a good practice to turn off Wi-Fi and Bluetooth unless needed. In the case of wireless access, verify the SSID of a location, often by simply asking an establishment for the name of their Wi-Fi access point before connecting. Users should also consider installing VPN software so they can ensure they only make secure, encrypted connections to known services.
2. Use Strong Passwords
And change them up! A big mistake is using the same password for all online accounts, usually because remembering a unique password for each site you have an account on may be impossible. But if a criminal manages to intercept that password, they now have access to all of the user’s accounts, including banking and shopping sites.
The best option is to use a password vault that stores the username and password for each account, so all that needs to be remembered is the password for the vault. Of course, extra care must be taken to ensure that the vault password is especially strong and easily remembered. one trick for creating a strong passwords is to use the first letters of a sentence, song lyric, or phrase, insert capital letters, numbers, and special characters, and you’ve got a pretty secure password.
To be even more secure, consider adding two-factor authentication for any location where sensitive data is stored. It’s an extra step in the login process, but will significantly increase the security of their account and data.
3. Recognize Red Flag Phish
Don’t click on links in advertisements sent to your email or posted on web sites unless you check them first. Beware of poor writing or grammar, complex or misspelled URLs, and poor layout that can be a key giveaway that an email is malicious.
But for all those happy clickers out there, make sure to supplement your effort with an effective Email Security Gateway and Web Application Firewall solutions that can detect spam and phishing, validate links, and run executable files in a sandbox – even for personal email – to ensure that malicious traps simply do not get through to an end user.
4. Update Devices and Use Security Software
Users should have a corporate-approved security agent or MDM solution installed on any device that has access to corporate resources. This software also needs to be kept updated, and device scans should be run regularly.
Similarly, endpoint devices need to be regularly updated and patched. Network Access Controls should be able to detect whether security and OS software is current, and if not, users should be either redirected to a remediation server to perform necessary updates or alerted as to the unsecure status of their device.
5. Keep tabs on Social Media
Social Engineers will often personalize an attack to make it more likely that a victim will click on a link. And the most common place for them to get that personal information is from social media sites. The easiest way to prevent that is to simply set up strict privacy controls that only allow pre-selected people to see your page. Individuals wanting an open social media profile need to carefully select who they will friend. If you don’t know someone, or if anything on their personal site seems odd, dismiss their request. And even if the person is someone you know, first check to see if he or she is already a friend. If so, there’s a significant possibility that their account has been hijacked or duplicated.
6. Keep Training Messages Short, Clear, and Regular
Make sure to develop a comprehensive security strategy for your users who have personal endpoint devices connected to your network. But don’t make the mistake of burying them in information. Break information down into easily digestible chunks. Provide a daily security tip. Post messages around the company, such as in the hallways or break room. Get the executive team to mention it in staff meetings. And provide checks, such as your own phishing emails, to help identify users that might need additional attention.
If you need help with employee security awareness training contact DarkHound at [email protected].
Source: Fortinet Threat Landscape Report
Image Source: https://www.pexels.com/photo/working-woman-technology-computer-7374/