Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Educating employees about mobile cyber threats

1 March 2020 Information Security

By Doros Hadjizenonos, regional sales director at Fortinet.

While nearly 9 in 10 companies not only allow, but actually rely on their employees to access critical business apps using their personal devices, according to a recent Fortinet Threat Landscape Report, Android-based malware now represents 14% of all cyber threats. And in addition to direct attacks, the number of compromised websites, email phishing campaigns, and malicious access points continue to grow exponentially, infecting unsuspecting users – regardless of their devices – with spyware, malware, compromised applications, and even ransomware.


Doros Hadjizenonos.

And whenever a personal device of any of your employees becomes compromised, they can represent an increased risk to your organisation as well. In addition to deploying mobile device management software and security clients to your employees, it is critical that you establish a cybersecurity awareness programme that provides critical insights into how they can avoid these risks.

Here are five critical elements that ought to be part of any cybersecurity awareness programme.

1. Beware of public Wi-Fi

While most public Wi-Fi access points are perfectly safe, that’s not always true. Criminals will often broadcast their device as a public access point, especially in public locations like food courts or at large events. Then, when a user connects to the Internet through them, the criminal is able to intercept all the data moving between the victim and their online shopping site, bank, or wherever else they browse to.

Many smart devices will also automatically search for known connection points, like your home Wi-Fi. Newer attacks watch for this behaviour and simply ask the device what SSID they are looking for. When the phone tells them it is looking for its ‘home’ router, the attack replies with, “I’m your home router,” and the phone goes ahead and connects. Smart devices will do the same thing with Bluetooth connections, automatically connecting to available access points.

To combat these issues, it’s a good practice for users to turn off Wi-Fi and Bluetooth until they are needed. In the case of wireless access, they should verify the SSID of a location, often by simply asking an establishment for the name of their Wi-Fi access point before connecting. Users should also consider installing VPN software so they can ensure they only make secure, encrypted connections to known services.

2. Use better passwords

Another mistake users make is using the exact same password for all their online accounts, usually because remembering a unique password for each site they have an account on may be impossible. But if a criminal manages to intercept that password, they now have access to all of the user’s accounts, including banking and shopping sites.

The best option is to use a password vault that stores the username and password for each account, so all that needs to be remembered is the password for the vault. Of course, extra care must be taken to ensure that the vault password is especially strong and easily remembered. One trick for creating a strong password is to use the first letters of a sentence, song lyric, or phrase, insert capital letters, numbers, and special characters, and you’ve got a pretty secure password.

To be even more secure, consider adding two-factor authentication for any location where sensitive data is stored. It’s an extra step in the login process, but will significantly increase the security of their account and data.

3. Recognise phishing

You’ve probably repeated to your users to never click on links in advertisements sent to their email or posted on websites unless they check them first. There are a lot of tells, such as poor writing or grammar, complex or misspelled URLs, and poor layout that can be a key giveaway that an email is malicious.

But it turns out that there will always be someone who can’t resist opening an email, launching an attachment from someone they don’t know, or clicking on a link on a website – especially when it includes an enticing subject line. Which is why any educational efforts need to be supplemented with effective email security gateway and web application firewall solutions that can detect spam and phishing, validate links, and run executable files in a sandbox – even for personal email – to ensure that malicious traps simply do not get through to an end user.

4. Update devices and use security software

Users should have a corporate-approved security agent or MDM solution installed on any device that has access to corporate resources. This software also needs to be kept updated, and device scans should be run regularly.

Similarly, endpoint devices need to be regularly updated and patched. Network access controls should be able to detect whether security and OS software is current, and if not, users should be either redirected to a remediation server to perform necessary updates or alerted as to the unsecure status of their device.

5. Monitor social media

Criminals will often personalise an attack to make it more likely that a victim will click on a link. And the most common place for them to get that personal information is from social media sites. The easiest way to prevent that is to simply set up strict privacy controls that only allow pre-selected people to see your page. Individuals wanting an open social media profile need to carefully select who they will friend. If you don’t know someone, or if anything on their personal site seems odd, dismiss their request. And even if the person is someone you know, first check to see if he or she is already a friend. If so, there’s a significant possibility that their account has been hijacked or duplicated.

Keep training messages short, clear, and regular

It is essential that you develop a comprehensive and effective security strategy for your users who have personal endpoint devices connected to your network. But don’t make the mistake of burying them in information. Break information down into easily digestible chunks. Provide a daily security tip. Post messages around the company, such as in the hallways or break room. Get the executive team to mention it in staff meetings. And provide checks, such as your own phishing emails, to help identify users that might need additional attention.




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Africa’s largest Zero Trust platform
NEC XON Information Security Commercial (Industry)
Africa has reached a significant cybersecurity milestone with the successful deployment of the continent’s largest Palo Alto Networks Prisma Access and Prisma Access Browser Zero Trust environment, supporting secure remote access for more than 40 000 users for a large enterprise in Africa.

Read more...
Supply chain attacks top threat over 12 months
Information Security
Supply chain attacks have become the most prevalent cyberthreat confronting businesses over the past year, according to a new Kaspersky global study, with nearly one-third of companies worldwide experiencing a supply chain threat in the past year.

Read more...
From vibe hacking to flat-pack malware
Information Security AI & Data Analytics
HP issued its latest Threat Insights Report, with strong indications that attackers are using AI to scale and accelerate campaigns, and that many are prioritising cost, effort, and efficiency over quality.

Read more...
NEC XON secures mobile provider’s hybrid identities
NEC XON Access Control & Identity Management Information Security Commercial (Industry)
For a leading South African telecommunications operator, identity protection has become a strategic priority as identity-centric attacks proliferate across the industry. The company faced mounting pressure to secure both human and non-human identities across complex hybrid environments.

Read more...
Microsoft 365 security is a ticking time bomb
Information Security
Across boardrooms and IT departments, a dangerous assumption persists that because data is stored in Microsoft 365 and Azure, it is automatically secure. This belief is fundamentally flawed and fosters a false sense of protection.

Read more...
Rise in malicious insider threat reports
News & Events Information Security
Mimecast Study finds 46% of SA organisations report a rise in malicious insider threat reports over the past year: reveals disconnect between security awareness and technical controls as AI-powered attacks accelerate.

Read more...
New campaign exploiting Google Tasks notifications
News & Events Information Security
New phishing scheme abuses legitimate Google Tasks notifications to trick corporate users into revealing corporate login credentials, which can then be used to gain unauthorised access to company systems, steal data, or launch further attacks.

Read more...
Making a mesh for security
Information Security Security Services & Risk Management
Credential-based attacks have reached epidemic levels. For African CISOs in particular, the message is clear: identity is now the perimeter, and defences must reflect that reality with coherence and context.

Read more...
What’s in store for PAM and IAM?
Access Control & Identity Management Information Security
Leostream predicts changes in Identity and Access Management (IAM) and Privileged Access Management (PAM) in the coming year, driven by evolving cybersecurity realities, hybridisation, AI, and more.

Read more...
The challenges of cybersecurity in access control
Technews Publishing SMART Security Solutions Access Control & Identity Management Information Security
SMART Security Solutions summarises the key points dealing with modern cyber risks facing access control systems, from Mercury Security’s white paper “Meeting the Challenges of Cybersecurity in Access Control: A Future-Ready Approach.”

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.