Sponsored

Four tips for educating users on security

IT professionals can implement as many layers of software as they want, but information security starts with the user

When you hear an IT administrator talking about a "picnic" they're probably not talking about gingham blankets, wicker hampers and sandwiches. Instead, they're likely referring to the acronym "Problem In Chair, Not In Computer", meaning it's not the technology at fault, but the person using it.

This may seem rather a harsh attitude to take, but when it comes to information security, it's a valid one. As much as administrators can toughen external defences, users will remain the most vulnerable and most common vector of attack.

Take ransomware attacks, for example: many of them require the user to actively download a malicious program and run it. These users aren't heading off to dodgy websites to download unknown software; instead, they are being tricked, frequently by phishing emails.

Indeed, a recent study by the American Medical Association and Accenture showed that in the US healthcare system, doctors are very concerned about cyber security and its potential to disrupt the operation of their facilities. The research found that phishing is the most common form of attack (55%) followed by infection through malware, for example through a download (48%). Network hacks, by contrast, had affected only 12% of respondents.


In light of this, here are four tips for educating users on good security practices.

1. How to spot a phishing attack

One of the best ways to prevent a successful phishing attack is to stop the user from opening attachments, clicking on links or handing over information unless they are sure it's really from the alleged source.

Users should never be afraid to follow up by phone or, if your company uses it, an internal messaging system like Slack or Yammer, even if the email seems to come from trusted internal contacts or known suppliers.

The same goes for so-called vishing attacks, when the attacker tries to get information over the phone. If something seems fishy (or phishy), users shouldn't be afraid to independently verify who is on the phone.

2. Why you use software management

Every IT administrator has had a disgruntled employee on the phone wanting to know why they can't download a piece of software onto their computer.

To the user, it may seem that IT is just being a roadblock to them doing their job, but rather than presenting a brick wall at this point of confrontation, it's much easier and nicer for all involved if there's an open dialogue.


Educate users when onboarding on why you don't allow them to download whatever they want onto corporate devices. While it's important to explain that a given piece of software may be illegitimate and therefore malicious, try not to make it sound like you think non-techies are stupid. Inform them also that, even if it is a legitimate and legal piece of software, there could be vulnerabilities in it that can't be patched if IT doesn't know the application exists, which could put the whole network at risk.

If someone proposes a piece of software they need to do their job, do also take the time to listen to them: it may be something that's worth the company investing in, or something you already have approved alternatives for.

3. Educate at the point of onboarding

When it comes to onboarding a new member of staff, there's no room to assume what they may or may not already know.

Perhaps their last place of employment used multi-factor authentication, had regular phishing tests and was always circulating best practice information, or maybe they were allowed to write down and share passwords and leave their devices unlocked when they were away from their desk. It's impossible to tell and even if they fell into the former category rather than the latter, your security protocols and methods may be different to those of the IT administrators at their previous job.


It's important, therefore, that everyone is educated on security at the point they join the business and that there's a set formula for how this is done to ensure consistency and comprehensiveness across the business. It's worth checking in on new recruits once they're more settled in to ensure they've understood the security points as well as other IT matters and resolve any problems up front before bad habits set in.

4. Fire drills and refreshers

A cyber attack is an emergency for any business in the same way a physical threat like fire is. Therefore, it's worth carrying out security "fire drills" once or twice a year, where either the internal IT team or external specialists mount a "phishing" campaign or similar to see where there are weaknesses. This could be incorporated as part of a wider pen-test that also looks at network and software defences, which could help the users who fall for the fake phishing email (and there will be some) feel less like they have been tricked or are being picked on.


Security refreshers, whether based on these drills or of a more general flavour, should be carried out on a regular basis, although not necessarily a frequent one: once or twice a year will do unless there are major changes that need to be announced.

While there's no such thing as an impenetrable system, educating users on the importance of security is one of the best ways to harden your defences. So what are you waiting for?
