Network Security – Why Security Awareness is Essential for Internal Threat Management?

Security awareness is often linked to anti-terrorism programs around the world but in the IT world we are referring to cybersecurity awareness. Many of you are already switching off, yawning and considering leaving this page but hang on a moment…

The subject may well have been harped on by management, consultants and IT teams and this instinctive reaction to tune out is down to poor implementation in the past. Advocates of security awareness are often condescending, are too technical or fail to link practical threat examples to real-world situations. Other failures include a lack of management buy-in. This “do as I say, not as I do” attitude has the opposite of the desired effect, no significant increase in security awareness and a growing employee resentment when management errors in this area are not penalized.

Be Aware of the Potential Threats

It’s not as simple as telling employees to stop clicking on links in emails and in social media, although this is part of it. Requests to reset passwords or requests to update online banking details are designed to gain logon info i.e. fishing for information. That’s why they call it phishing and there are many forms. Security awareness is not limited to computer usage but can extend to any form of social engineering – a term used to describe methods of hacking the user or company while avoiding technological countermeasures. Methods can include shoulder surfing (the ‘hacker’ simply gets required information by looking over an unsuspecting employee’s shoulder), dumpster diving (extracting printed documents from the rubbish bins outside) or indeed by gaining onsite network access (perhaps by joining employees who smoke outside and then entering the premises unobserved when they return). Employees who leave their phones or laptops unattended could unwittingly allow a hacker time to install a program that remains inactive until connected to the company network. There are many other examples of social engineering.

“Any security awareness training must include social engineering, as many of these threats do not require any IT or computer knowledge. The aim is the same, to gather information that can in turn be used to either hack the employees or the company network. For example, a discarded printout may contain names of senior employees that are then used to send convincing emails to all employees, perhaps requesting them to change their network logon credentials,” said Radosław Janowski, Product Manager.

Dispel the Myths

Hackers rarely have positive motives and are generally classed as cybercriminals, with their primary motives being either financial or disruptive. Ones that act on behalf of governments are after classified or proprietary data. Ethical hackers and security companies know their methods and produce countermeasures as new threats are identified.

Let’s start with some obvious facts that most industry experts agree on.

  1. Hackers will go after the easier targets and hacking the end user is a much easier prospect than hacking the technological barriers that are included in the modern network, whether it involves endpoint protection, AI-related analysis or any other security assets such as firewalls. In the same way, hackers will hack smaller companies as a means of eventually hacking their larger clients or suppliers. This means, YOUR COMPANY IS NOT TOO SMALL TO BE HACKED.
  2. Security awareness training takes take time and money and the potential benefits are sometimes ignored, especially by smaller companies.
  3. The age, sex or IT knowledge of the end user does not indicate an enhanced awareness of the potential threats or how they will be carried out. A BBC article focused on the on the results of a survey which indicated that British people aged 18-25 lacked cybersecurity awareness, using the same password for multiple services and sending sensitive data (including passport information) over email and messaging systems. detective inspector Mick Dodge, national cyber protect coordinator with the City of London police said: “Your email account is really a treasure trove of information that hackers won’t hesitate to exploit… You wouldn’t leave your door open for a burglar, so why give criminals an open invitation to your personal information?”
  4. Internal threats are much more difficult to handle than external ones, as most technological solutions are designed to block external network attacks.

As Przemysław Jarmużek, Technical Support Specialist at SMSEagle, pointed out: “Companies that ignore security awareness training are putting themselves at risk unnecessarily. Cost is not a barrier when free courses are available online. The inconvenience of losing an hour’s productivity each month is nothing compared to the time lost if data loss or network outage occurs. Not everyone is an IT expert and security awareness training must consider that. In addition, perhaps the most important aspect of security is that everyone who accesses the company network, whether on LAN or using Wi-Fi, needs to be aware of how hackers attack the user. In adopting a security-conscious culture, everyone at SMSEagle has mandatory awareness training and this includes senior management.”

In conclusion, if you take nothing else from this post, it is that security awareness is essential, a free course is available to all (I’m sure there are others) and that ongoing security awareness training is a must as new security threats are identified. It’s not necessary to spend hours per week on training. Instead make sure that all employees take the initial course for an hour or two then perhaps a half an hour each month will suffice, to advise everyone on new potential threats and to show the attempts that were made the previous month, even the common lottery winner alerts or other email scams. If you foster an “us vs. them” proactive attitude (against hackers) within your company, then every attack that is prevented will seem like a victory for all.

Michael O’Dwyer is a Hong Kong-based business and technology journalist, independent consultant and writer whose stories have appeared on Forbes.com, The Street, IBM’s Midsize Insider, HP’S Pulse of IT, Dell’s Tech Page One and other IT portals, typically covering areas where business and technology intersect. He writes for both US and UK audiences and acts as a technology and open source advocate. Twitter: @MJODWYERHK

The Best Way for Finance Companies to Improve Wireless Network Security

As finance companies deploy Internet of Things (IoT) solutions, they must ensure that connections and critical data are secure.

As finance companies continue to update security technologies, and make use of all types of IoT) solutions, there are more opportunities for network security breaches.

These technologies are used for all types of things—from everything like finding optimal locations for new establishments, to personalizing offers for customers, to protecting their own internal data. The potential for network security failure lies everywhere.

Among the financial industry, banking malware is common. According to SecureList:

In 2017, the number of users that encountered Android banking malware decreased by almost 15% to 259,828 worldwide. Just three banking malware families accounted for attacks on the vast majority of users (over 70%).

As banks and financial technologies adopt more connected devices like sensors, Bluetooth low energy beacons, IP-connected cameras and more to their information technology (IT) environments, steps to secure those devices and their data need to be taken.

The best way to ensure financial institution network security is a mix of strong encryption, segmentation and a willingness to perform penetration testing and replace connected devices regularly.

Reduce Device Security Load with Network Segmentation

Network segmentation is the practice of isolation different IoT devices. Segmenting these devices reduces the risk that one breached device will be able to harm other devices that are a part of the network.

Marc Blackmer, Product Manager of Industry Solutions for Cisco was quoted in CDW talking about the benefits:

“Existing best practices, such as network segmentation, will help take some of the security load off of these devices.”

Once devices are segmented, IT departments need to ensure that there is strong encryption across the board to protect against a breach.

Encrypted Devices Need to Span Across the Board

The same security tools used for wireless networks needs to get carried over to devices.

Yariv Fishman, Head of Product Management for Vertical Solutions and IoT at Check Point Software Technologies, tells BizTech how to eliminate potential attacks:

“Establishing an encrypted virtual private network connection between a device and the network helps eliminate potential attacks, such as ‘Man in the Middle,’ that compromise the integrity and validity of the information provided from the device to the network and vice versa.”

The mobile threat is real—In Verizon’s “Mobile Security Index 2018” report, 25 percent of those surveyed who work in the financial services sector reported that they have experienced a mobile-related incident and 18 percent said it was a major one with lasting repercussions.

Strong encryption, coupled with the willingness to replace existing IoT devices with new, upgrades will enhance. security protections.

Penetration Testing for