Cybersecurity awareness is an increasingly hot topic, especially during this year’s Cyber Security Awareness Month. There are many things individuals and organisations can do to improve their awareness around security, helping to protect data confidentiality. In this blog post, as this important month draws to a close, we will discuss some essential tips for securing your data.
One of the easiest ways, I find, to increase your awareness of current threats is to stay up-to-date with the latest phishing scams and social engineering techniques through social media. Phishing scams generally target current events, so it is important to recognise that government and nationwide services are likely to be prime targets. For example, during the Covid-19 pandemic, a high number of vaccine-related phishing texts were reported which preyed upon people waiting for official NHS contact instructing them to book vaccinations. I am immediately suspicious of any texts relating to critical services such as this, including any government contact.
This heightened state of awareness prompts me to dig a bit deeper into any communication of this nature, paying closer attention to things such as email domains, linked websites, grammar and strange characters in addresses and links. I also apply this mindset to any potentially sensitive services, such as contact from banks or my place of work. Essentially, my default state of mind with any communication that invites me to click a link or reply with personal information is suspicion, almost a ‘guilty until proven innocent’ approach.
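The checks described above (sender domain, linked websites, odd characters) can be written down as a small triage routine. The following is an added example, not code from the original post or from Pentest People: the trusted-domain allowlist, the sample sender and the sample links are constructed for illustration, and the public-suffix handling is deliberately simplified.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of domains the reader genuinely expects sensitive
# contact from (hypothetical values chosen for this example).
TRUSTED_DOMAINS = {"nhs.uk", "gov.uk"}


def is_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_host(host: str) -> list[str]:
    """Return human-readable reasons a sender or link host deserves a closer look."""
    host = host.lower().rstrip(".")
    reasons = []
    # Internationalised names travel as xn-- labels; mail clients and browsers
    # render them as Unicode, where lookalikes of Latin letters can hide.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"punycode label in {host}")
    for ch in host:
        if ord(ch) > 127:
            reasons.append(f"non-ASCII {ch!r} ({unicodedata.name(ch, '?')}) in {host}")
            break
    # A trusted brand word inside an unrelated domain (nhs.uk.example.com,
    # nhs-vaccine-booking.com) is the classic pretext domain.
    tokens = set(re.split(r"[.-]", host))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in tokens and not is_under(host, trusted):
            reasons.append(f"{host} uses the name {brand} but is not under {trusted}")
    return reasons


def inspect_message(sender: str, links: list[tuple[str, str]]) -> list[str]:
    """sender is 'user@domain'; links are (visible text, href) pairs from the body."""
    reasons = check_host(sender.rsplit("@", 1)[-1])
    for text, href in links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons += check_host(host)
        if parsed.scheme != "https":
            reasons.append(f"link is not https: {href}")
        # Visible text that looks like an address but points somewhere else.
        shown = (urlparse(text if "://" in text else "https://" + text).hostname or "").lower()
        if "." in shown and not is_under(host, shown) and not is_under(shown, host):
            reasons.append(f"link text shows {shown} but goes to {host}")
    return reasons


# Constructed sample: a vaccine-booking pretext beside a message from the real domain.
SUSPECT = inspect_message("bookings@nhs-vaccine-booking.com",
                          [("www.nhs.uk", "http://nhs.uk.book-now.example.com/login")])
CLEAN = inspect_message("noreply@nhs.uk", [("nhs.uk/book", "https://www.nhs.uk/book")])
```

An empty result means nothing tripped these particular checks, not that the message is genuine; the routine is a first filter before the manual reading the post describes.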
People can begin to adopt this frame of mind by keeping updated with current events, especially ones local to their country. Knowledge of the pretexts that attackers may use will help identify potentially malicious communications, allowing further inspection to be carried out. The same should also be applied to technical vulnerabilities relating to software and hardware. People should be aware of the devices and applications they use in their day-to-day life and the vulnerabilities that are disclosed for them. Further to this, security updates for personal applications and software should be applied as soon as they become available, reducing the individual’s exposure.
Businesses can introduce awareness for employees and technical staff in several ways. It is recommended that employee security training be conducted, especially in regard to social engineering attacks, given that employees are likely to be the primary attack vector. The amount of training required can be assessed with regular social engineering assessments such as phishing, vishing and physical intrusion assessments, which Pentest People can carry out using modern techniques. Technical staff can improve their awareness by first ensuring a detailed asset register is in place, using a software asset management product.
Once the patch level of all software across the estate is determined, research can be conducted to determine any vulnerabilities in outdated software and appropriate patching put in place. Technical staff should also make an effort to stay in the loop about recently released vulnerabilities through formal channels such as Microsoft security bulletins and informal channels such as social media.
Finally, vulnerability scanning can be conducted to increase awareness specific to an organisation’s estate, giving insight not only into the specific vulnerabilities present today but also into the areas in which vulnerabilities may arise in the future.
Coming to the end of Cyber Security Awareness Month, it’s crucial for businesses to digest all the information they have learnt about cyber security and how to ultimately protect their businesses. Hopefully this blog summarises some key pointers from Cyber Security Awareness Month that businesses can adapt and introduce into their workplaces. Here at Pentest People, we provide a wide range of services to help mitigate the risk of a cyber attack occurring, to ultimately protect your business.