Enlist your staff in your IT Security team

Most organisations we support do not have the resources to employ dedicated cyber staff.  They ask us to protect their devices, network and data from the most common internet based threats.

The biggest threat to an organisation is still email.  Email was never intended for secure communications.  Its original inventors were more concerned with getting sent messages to arrive correctly than with any security implications.

Email can be a risk on 2 fronts:

The common feature here is that both risks involve your staff.

We are hard-wired to be helpful.  When an email comes in from the CEO asking for help to buy gift cards for clients, staff are naturally inclined to assist. They do not think to interrogate the email to see where it has come from and whether it is genuine.  Likewise, if a staff member gets an email saying their account is about to be deactivated, the natural inclination is to click on the link.  Or if that really important client has sent them a document via a file transfer system, again they want to get the job done, so they download the file and get to work.

Unfortunately, all of these methods are exploited by third parties. Some result in user credentials needing to be reset; some in third parties getting access to business information; and some can result in reputational damage, costing non-profits donations and businesses work.
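As an added example that is not part of the original article, the checks a wary reader would make on a suspicious email can be scripted. The Python below (the domain example.org, the senior staff name and both sample messages are constructed assumptions) flags a senior-staff display name backed by an outside address, a Reply-To that differs from the From address, the gift-card and deactivation pretexts described above, and links to hosts outside the organisation.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's own mail
# domain and the names of senior staff that fraudsters like to impersonate.
INTERNAL_DOMAIN = "example.org"
SENIOR_STAFF = {"jane doe"}
LURE_PHRASES = ("gift card", "deactivated", "verify your account", "download the file")

def check_message(raw: str) -> list:
    """Return warning strings for one raw email; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. A trusted name on the display line but an outside address behind it.
    if name.lower() in SENIOR_STAFF and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' is senior staff but address is {addr}")
    # 2. Replies quietly redirected to a different mailbox.
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    # 3. The pretexts the article describes: gift cards, deactivation, file drops.
    for phrase in LURE_PHRASES:
        if phrase in body.lower():
            findings.append(f"lure phrase present: '{phrase}'")
    # 4. Links that lead anywhere other than the organisation's own domain.
    for host in re.findall(r"https?://([^/\s>\"']+)", body, flags=re.I):
        host = host.lower().split(":")[0]
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            findings.append(f"link points to external host {host}")
    return findings

# Constructed sample: a "CEO" gift-card request from a look-alike address.
SUSPECT = ("From: Jane Doe <jane.doe@example-mail.test>\nReply-To: accounts@other.test\n"
           "To: finance@example.org\nSubject: Quick favour\nContent-Type: text/plain\n\n"
           "Can you buy 5 gift cards for clients today? Reply with the codes.\n")
# Constructed sample: a routine internal message that should pass clean.
ROUTINE = ("From: Jane Doe <jane.doe@example.org>\nTo: finance@example.org\n"
           "Subject: Board pack\nContent-Type: text/plain\n\n"
           "The board pack is on https://intranet.example.org/board - thanks.\n")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("routine", ROUTINE)):
        print(label, check_message(raw))
```

Heuristics like these are what a filtering system automates; the point for training is that each one is also a question a staff member can ask of an email before acting on it.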

So what can be done?

Data leak prevention (DLP) is one way to stop confidential information leaving your organisation.  This can be implemented using Microsoft 365 tools.  Features such as Sensitivity Labels and DLP policies are available, depending on user licence, to stop information from being sent outside.  Egress (Egress Intelligent Email Security: Anti-Phishing, Data Loss Prevention & Encryption) can ensure that any emails which do need to contain confidential data are encrypted and can only be opened by the designated recipient. This plugs into Outlook and gives users the option to encrypt emails as they are sent.  It can also handle large file attachments, so users do not have to resort to services such as WeTransfer and upload business data to third-party sites.

Filtering systems can be implemented to reduce the risk of fake emails reaching users’ mailboxes.  These are now driven by AI engines that adapt as threats evolve, but prevention systems are always playing catch-up with the criminals who invent newer methods of breaching the security systems organisations deploy.

There is no substitute for Staff Security Awareness Training (SAT).  Ensure staff are trained on the threats that exist, what they mean to the organisation, and how staff can take an active role in keeping your organisation secure.  This should be done on induction and then at regular intervals, at least annually, depending on the size of your organisation and its attitude to risk.

Training can be done through formal sessions or by sending test fake emails to staff on a regular basis.  Those who are caught by a test email are sent to an online training resource that shows them how to spot such emails in future.  We recommend Sophos Phish Threat for this purpose.

To help with keeping your organisation secure you can download a Sophos anti-phishing toolkit here.  This includes a poster for your breakout area, a PowerPoint presentation that can be used in staff training sessions, and helpsheets for spotting phishing emails.

You can also use the free Google phishing quiz here in your training.

If you need any assistance with getting your staff enrolled in your security team, get in touch with us today.