Your security strategy should cover all areas of your business, including your employees and each department. Do you know which departments would be a higher risk to your business if they didn't have user awareness training? We've put together a checklist you can use to narrow down the departments that could be a higher risk to your business.
Section 1 - PC
1. Operating System and Software Updates - Is their software up-to-date?
Operating system and software updates should be made mandatory by your IT team, but if it's up to the user, check to see which departments ignore their software updates.
Software updates may include routine updates and fixes, but they also include vulnerability patches to help prevent your software from being exploited by cyber criminals. If any department ignores software updates, they can be putting your business as risk.
2. Do they leave their PC unlocked when they're away from their desk?
You may trust your colleagues, but locking your PC helps protect confidential documents, client information, and financial statements from unauthorised personnel - if PCs aren't locked when they're not in use, anyone could gain access to confidential documents.
3. Do they leave confidential information on their desk?
Depending on their role, confidential information should be filed and locked away when not in use to prevent it falling into the wrong hands.
4. Do they have a different password or use the same one for everything?
Most employees use the same password for multiple accounts, usually for both work and personal devices. Using the same password on multiple devices, websites and accounts makes it easier for hackers to obtain personal credentials.
5. Do they have MFA set up?
Having Multi-Factor Authentication (aka 2FA) set up provides an extra layer of protection to accounts and devices. If your employees haven't set up MFA, make sure they enable it wherever they can.
Section 2 - Remote Workers
1. Which departments remote work?
Remote workers are more likely to connect to unsecure WIFI networks in cafés, hotels and on-the-go. Data on these networks can be easily intercepted and stolen. In addition, viruses and malware are frequently distributed over public networks, making it easier for cyber criminals to gain access to your network.
2. Which departments bring their own devices to work?
Are these departments properly trained on cyber security? Modern technology allows us to use our own devices to easily access our work, but if your employees connect to unsecure networks, have their device stolen or accidentally download malware, your business will be at risk.
3. Are their emails on their personal phone?
If your staff have their emails on their personal phones, have they been authorised to do so? Do they have Multi-Factor Authentication set up?
4. Is their phone password protected?
Work phones and personal phones, (if used for work), should have at least a 6 digit passcode, fingerprint or facial recognition set up to add an extra layer of protection.
Section 3 - Emails
1. How many spam emails for they get?
Which department receives the most spam emails? Have they signed up to a lot of websites with their work email address? If they aren't sure where they've used their work email, it could be a potential security risk. Especially if they're using the same login details for more than one account.
2. How many phishing emails do they get?
Which department receives phishing emails - are they highly targeted or generic phishing emails? Does your spam filter remove them or are they getting through to their inbox?
3. What type of phishing emails do they get?
Traditional phishing emails are easy to spot due to the spelling mistakes and obvious fake email addresses - but Whaling Phishing emails can easily be mistaken for real emails if you don't know what signs to look for.
4. Do they ever click links or download files from unknown senders?
Test your departments with fake phishing emails to see how many click on links, download PDFs, or even reply to emails. Use a variety of phishing types from traditional emails through to newsletter mailouts so you can see if additional training is needed.
So, now you have your list to help get you started, you can begin narrowing down the weak link in your IT Security Strategy. When you have discovered which department is a potential threat, you can schedule Security and User Awareness Training to turn your greatest weakness into your greatest strength.
If you would like more information on how to find the weak links in your security strategy, or would like to organise User Awareness Training, please get in touch and schedule a free consultation with our security specialists.