What if someone on your staff received a curt, unexpected email from a colleague asking them to read an attached memo? Would they open the attachment? You’d be surprised how many would do that without realizing they’re about to be phished.
Security Tools that Prevent Social Engineering
Phishing is just one of the security threats on an association IT department’s radar these days. In this post – the last in a series about security – I’ll share some suggestions for security tools that will help protect your association and its data from evil doers, both human and bot.
Last fall, the security company McAfee sent out a 10-question Phishing Quiz to more than 30,000 participants. 80% of them fell for at least one phishing email in the quiz. Moral of the story? You can have the best perimeter defenses, but one malware link clicked by someone on staff can let in an outside agent.
To minimize that risk, you can hire a company to provide social engineering training for staff. With your permission, these companies send phishing emails to staff. When someone clicks on a “bad” link, they are sent a 30-second video teaching them how to respond to these types of threats. If you do hire a social engineering training company, let your staff know what you’re doing and why; you don’t want to make them feel like they’re being punished or patronized.
Because everyone brings their phone and tablets to work these days, you need a mobile device policy and mobile device management software. Your policy should cover passwords, loss of devices, and consequences of lost devices (i.e., data wipes). Let staff know that if they want to access association data or networks from their phone, you must implement these security considerations.
2 solutions that also deserve a place in your security toolkit are:
- BeyondTrust, privilege account management and vulnerability management software – stops viruses and other threats by restricting the types of executables that can run on computers.
- OpenDNS, cloud-delivered network security software – provides phishing protection and optional content filtering.
To stay current with the constantly changing security landscape, check out the valuable information and tips about IT security from these 2 federal organizations:
- The U.S. Computer Emergency Readiness Team is a federal agency that provides weekly and monthly notices about security vulnerabilities.
- InfraGard, a collaboration between the FBI and the private sector to prevent hostile acts against the U.S., provides free access to its many resources.
Back in the office, make sure the IT department knows about all the technology platforms and vendors used by staff. For example, is anyone using Dropbox? Has there ever been a conversation with your website hosting provider about web app security? Dangerous communication gaps can result when a single person or department has the relationship with a vendor and the IT department is left out of the loop.
IT staff must review the access that every vendor has to your networks, systems, and data. They must have candid discussions with the providers of SaaS platforms and cloud hosting to learn about the vendor’s security policies.
IT security is a collaborative effort. IT staff doesn't need to completely lock down the fortress, but they do need to educate colleagues about security vulnerabilities and the reasons they do what they do.
Read our complete series on association data security:
- The IT security threat landscape for associations
- Finding the sweet spot for your association’s IT security
- Is your association’s IT security policy up to snuff?
- Security tools to protect your association against social engineering, and then some (this post)
Looking for more information about information security? We’ve got you covered. Check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives for more information on threats to your organization’s security and how you can prevent your data from being compromised.
Flickr photo by elhombredenegro
