Developing blockchain solutions since before it was cool and I'm in Auckland, NZ
It’s all too easy to feel superior to the rest of the world when you work in IT day in and day out. And it’s easy to judge “the common people” for falling victim to cybersecurity scams that your highly trained BS radars would flag in a hot second.
Losing patience with the business users at your company is understandable. The truth is, I do it all the time with my clients.
You thought clicking on that banner ad and then installing that app was a good idea? Really?
But I’m working on getting better at keeping it all in perspective.
One thing that’s helped me a lot in this regard is reminding myself that I was once naïve, too. Maybe you’ll find this exercise in perspective as helpful as I’ve found it to be. It’s all about finding the right entry point for remembering your own vulnerabilities. Maybe you fell for the old “I’ll trade you my nickel for your dime and you’ll win because the nickel’s bigger” routine. My cousin still owes me five cents for that one. Or maybe you got duped into passing a note to the wrong person, blowing up a romantic scandal in the tender middle school years.
Getting back to actual cybersecurity talk, my point is this – even the most experienced IT professional would feel a wee bit unsure of themselves in a hospital operating room, or even behind the controls of an Instant Pot. Despite what you might believe about your IT prowess, you weren’t born knowing how to avoid scams and sidestep security breaches. You might have learned these things a long time ago, but you still had to learn them, just like everyone else does.
So let’s look at this from a human perspective, and send a little love – as well as some good, common sense technical solutions – out to the great unwashed. Love matters, people, even in the world of cybersecurity. And yes, software helps, too.
By now most email users know there is no Nigerian prince waiting to send them a pile of naira. There’s really no excuse for falling for that one – feel free to act a bit superior there. But nowadays, phishing scammers are doing their homework to lay ever more sophisticated traps.
Corporate phishing, better known as business email compromise (BEC), whereby a scammer impersonates the boss (often from a look-alike domain or a spoofed display name) to get an employee to send money or data, is booming; the Better Business Bureau reports that instances of this type of scam tripled in one quarter alone last year. A friend of mine – a smart, internet-savvy friend who just started a new job at a data intelligence company – called me in a panic the other day. She fell for it, responding to a request from her “boss” to send Amazon gift cards to new “partners,” to the tune of $2000. She was devastated.
When it happens, keep it in perspective. Wouldn’t you step and fetch to an email from your boss asking you to send a check, or sensitive data, or anything else to someone ASAP?
Given that the phishing scammers are stepping up their game, it’s up to you to respond in kind. Instead of training your team to identify phishing emails by sending them all the same simulations, you can use Hoxhunt’s AI-powered simulations to send employees personalized messages, using the real names of people they correspond with and rewarding them for their educational progress.
Image source: Hoxhunt
Stand-alone training seminars are nice and all, and they make the boss feel good, because they are “proactively addressing the problem.” But they don’t teach in real time, when the employees least expect it. And that is the key to learning what phishing really looks like, and how to avoid being the guy standing at the register using his company card to send a bogus money order.
It’s hard enough keeping control of company laptops, tablets and phones. Now you have to worry about the fridge in the kitchen that automatically reminds Karen when it’s time to restock her tofu, or whatever that stuff is she eats every day.
All of those IoT devices in the office – printers, entrance locks, thermostats, even coffee machines – typically ship with lax default security (default or hard-coded passwords, unnecessary open services, firmware that rarely gets patched) to make them easy to set up. And lax defaults are exactly what automated malware scans for, so each of those gadgets is a potential foothold on your network.
Image source: SentinelOne
Don’t hate on that HR rep who “needs” to print applicants’ resumes from his personal Android phone. He’s only doing what comes naturally in our hyper-connected lifestyles. Instead, use SentinelOne endpoint protection to easily map all the devices on your network and make sure they’re all configured properly and safely.
Indeed, the age of BYOD is well afoot, and it’s not just remote workers who are using their own gadgets to get work done. Unless you provide company phones, tablets and the rest (and even if you do), you can bet your team is doing company work on their own devices. And increasingly, the same is true for software, given the popularity and ease of adoption for SaaS applications.
Line-of-business team members don’t “need” IT anymore to start using new apps, or to add new users onto a platform they’re already using. And while to you it looks like it’s being done in the shadows, outside your reach, remember that they only want to use the tools they believe will allow them to do their jobs most efficiently.
Instead of throwing shade, you can use Torii, a SaaS management solution, to receive alerts and trigger automated workflows when a new SaaS app is added to the mix.
Image source: Torii
Torii easily gets IT back in the driver’s seat when it comes to SaaS usage in your company. You’ll get at-a-glance insights into who’s using what, what it’s costing, what access permissions each app has, who’s on there that shouldn’t be, and where budgets are being wasted on empty seats.
SaaS is here to stay – even small businesses are using SaaS applications heavily nowadays, and spending is only growing. Take control of it, and then control the urge to throttle your end users.
“They’ll never crack this one,” your COO thought, only minutes after replying to a publicly available Facebook thread where everyone was sharing the names of their favorite pets (Fluffy, we gather) and their moms’ maiden names.
So yes, you could say that his accounts have been compromised. And because he uses this password for all of his accounts, you’ve got a big headache. Weak passwords, and using the same password for multiple platforms, are deadly: one breached site hands an attacker the keys to every other account that shares the password. For IT folks like us, this concept is seared into our brains. But honestly, isn’t there just one aspect of your own life where you do this too? If not, my cap is off to you.
Still, we’ve all got work to do. And we all log into SaaS apps and other gated accounts day in and day out. Take your company’s password management up a notch and start using 1Password for Business.
Image source: 1Password
It takes the same kind of password management you probably already use in your personal world and expands it across the enterprise. No need to expect those feeble-minded cronies down in the bizdev department to memorize multiple super-secure character strings anymore. One master password unlocks the vault, and the vault holds a unique, randomly generated password for every other login. You can also use the business version of this tool to manage groups and maintain an at-a-glance view of potential trouble spots, such as weak or reused passwords.
Sure, two-factor authentication is a great way to maximize cyber-safety, but the fact is, it’s a pain. It’s an extra step in a day filled with extra steps. So when people at your company have the option to use password-based authentication only, they’re going to do so.
Instead of haranguing employees to be more vigilant, and shaming Tony in receiving for that little oopsie last month, introduce the team to 2FA solution Authy, to simplify 2FA and sync it across all platforms and devices. Authy generates standard time-based one-time codes, so it works with any service that supports authenticator apps, and developers can use the Authy API to add a 2FA layer to in-house apps that don’t natively support this feature.
It has a great backup function that kicks in when phones get lost (like, every day): the seeds are stored as an encrypted backup protected by a password only you know. So getting a new device up and working is no longer a massive headache.
Look, it’s a scary world out there. And there’s enough ugly going on already. Instead of scoffing, be kind. Start using the tools you need to empower your team to protect the realm you share. We’ll all be a lot better off for it.
The author of this article has no business relationships with any of the products or companies mentioned therein.