External threats to data security.
Organizations today face a variety of external threats — whether that is through hackers looking to sell personal information online or competitors looking to get an analytical edge. Let's take a look at a few common threats that can lead to an unauthorized user accessing your organization's data.
Public Wi-Fi threats.
Accessing the internet isn't normally a problem when you're at the office. It's secure, easy to connect to, and relatively uncontested — unless, of course, the entire office has joined the same Zoom call. It's a different story outside of the office.
While Wi-Fi has granted us internet access in more places than ever, getting online isn't quite as simple or as safe as it is within your company's network. Public Wi-Fi raises a few concerns, including who is controlling the traffic, as well as who else is online.
Whenever possible, stick to well-known networks such as the official Starbucks network in one of their coffee shops. If you don't know which is the real one, ask an employee.
Fake public Wi-Fi networks, often advertised in coffee shops as "free Wi-Fi," can lead end users to send their information through servers that are not secure and that they do not control. Turn off AirDrop and File Sharing when you're on a public network around strangers: these easy-sharing features expose the files on your own device and let other users push files you don't want onto it.
When you join a new network for the first time, it's important to know what you're agreeing to. Don't just skim over the terms and conditions — read them to check for any obvious red flags, particularly about the type of data they are collecting from you and what they intend to do with it.
Removable media.
Removable media is any portable storage medium that lets users copy data onto it and carry that data from one device to another. USB devices can be loaded with malware and left where end users will find them.
In 2016, the University of Illinois ran an experiment in which researchers left 300 USB sticks on the ground. 98% of them were picked up, and 45% were plugged into the finder's computer, where the user then opened the files. If you are unsure who has been using an external drive or where it has been, don't plug it into your computer, especially one that holds sensitive data.
Social engineering.
Social engineering is a common technique malicious actors use to gain the trust of employees, offering attractive lures or impersonating someone trusted in order to obtain personal information. To counter it, it is important to be well-versed in the most common social engineering techniques and in the psychology of influence they exploit.
These actors may use scarcity or urgency to push you into acting impulsively. Another common tactic is reciprocity: some will offer a discount on a service or even a free product to lure you into handing over sensitive information. Another is to pose as a plausible client, which gives the employee an incentive to provide the information the attacker is after.
Increasing awareness of the threat of these tactics is critical in reducing the risk of social engineering.
Phishing attacks.
Phishing scams are one of the most common causes of cybersecurity breaches. Current research suggests that 91% of successful breaches are the result of a phishing scam. While phishing can take many forms, phishing emails and text messages typically tell a story to trick you into clicking a link or opening an attachment.
Once you know the signs, they are fairly easy to spot. Most phishing scams look like they come from a company you know and trust, Netflix for example. The scammer will copy the company's logo and header, and sometimes even spoof the sending address. The email will open with a generic greeting such as "Hi there," rather than your name. Treat this as the first red flag: a business you actually hold an account with would be unlikely to greet you this way.
The email may include messages saying:
- There's been suspicious activity or login attempts
- There's a problem with your account or payment information
- You must confirm personal information
- You're being offered a coupon or free product
Once one of these indicators tells you it's a phishing scam, best practice is to report it to your email provider or the relevant authority before deleting it or marking it as spam.
To protect yourself, install security software and have it update automatically, and do the same on your mobile device. At a minimum, use an email provider with spam and phishing detection. In addition, enable multi-factor authentication and back up your data to an external hard drive or secure cloud storage.
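As an added example (not part of the training page), here is a small Python heuristic that checks a message for the red flags listed above: a brand name in the display name that does not match the sending domain, a generic greeting, an urgency or account-problem story, a lure, and a link that leads away from the brand's domain. The phrase lists, the two-flag threshold and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse
# Indicator phrases mirror the section's list; the exact wording is an assumption.
GENERIC_GREETINGS = ("hi there", "dear customer", "dear user", "dear member")
URGENCY_PHRASES = ("suspicious activity", "login attempt", "problem with your account",
                   "payment information", "confirm your", "verify your", "within 24 hours")
LURE_PHRASES = ("coupon", "free product", "gift card", "you have won")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)

def org_label(host):
    """Second-level label ('netflix' for 'www.netflix.com'); ignores suffixes like co.uk."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()

def indicators(msg):
    """Return the red flags present in a message dict with 'from' and 'body' keys."""
    found, body, lower = [], msg["body"], msg["body"].lower()
    display_name, addr = parseaddr(msg["from"])
    brand = display_name.split()[0].lower() if display_name.strip() else ""
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Brand in the display name, but a sending domain that is not the brand's own.
    if brand and org_label(sender_domain) != brand:
        found.append("sender domain does not match brand in display name")
    if any(lower.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(p in lower for p in URGENCY_PHRASES):
        found.append("urgency or account-problem story")
    if any(p in lower for p in LURE_PHRASES):
        found.append("offer or lure")
    # A link whose host belongs to someone other than the claimed brand.
    for href, _text in LINK_RE.findall(body):
        if brand and org_label(urlparse(href).hostname or "") != brand:
            found.append("link leads away from the brand's domain")
            break
    return found

def looks_like_phishing(msg, threshold=2):
    """Two or more independent red flags is the (assumed) cut-off for reporting."""
    return len(indicators(msg)) >= threshold

# Constructed sample messages; the phishing one uses the reserved .example TLD.
SAMPLES = {
    "spoofed": {"from": "Netflix Support <billing@netflix-account-check.example>",
                "body": "Hi there,\nWe noticed suspicious activity on your account. Please "
                        '<a href="http://login-verify.example/nf">update your payment information</a> within 24 hours.'},
    "legit": {"from": "Netflix <info@netflix.com>",
              "body": "Hi Jordan,\nYour monthly statement is ready. Sign in at "
                      '<a href="https://www.netflix.com/account">netflix.com/account</a> to view it.'},
}
```

Run `indicators(SAMPLES["spoofed"])` to see all four flags fire while the legitimate sample returns an empty list; a real mail filter would add sender-authentication results (SPF/DKIM) on top of these content checks.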
This concludes this section of Accountable security awareness training. You must answer the following questions to move on to the next section.