The internet is like a big city with lots of amazing sights and many useful services—but also many shady areas and lurking predators. And the predators don’t necessarily stick to the bad parts of town: sometimes they come out to pick pockets on the nicest boulevards.
So far, our Corporate Security Awareness series has looked at how business continuity professionals can help their co-workers (and their organizations) stay safe when using non-workplace Wi-Fi networks, personal devices they may use for work, and email.
In today’s post, the fourth and final one of the series, we are going to talk about how BC managers can promote safer internet use and web browsing at their organizations.
Business continuity managers can and should play a role in advocating for safer policies in all of these areas, even though direct responsibility for configuring the technology, establishing policies, and training users to minimize these risks lies outside the BC department. By raising the matter of internet security and safety with their partners in IT security and other departments, BC managers can raise awareness and promote the adoption of safer policies. As BC professionals we need to be just as concerned with preventing outages and incidents as with responding to them.
Every organization, no matter how strong its shell of network security may be, has a soft underbelly of vulnerability. This underbelly is its community of human users.
In this article, we’ll set forth some of the issues surrounding safe browsing on the internet, both at home and at work. These are matters you should be aware of since each poses a potential risk to the business. You might also use this list as an opportunity to have conversations with your IT security department and others at your company to help move the organization toward a safer internet use posture.
Along with email, web browsing is a significant source of vulnerability for organizational data networks. With email, the threat comes to the person in the form of a deceitful message that arrives in their inbox. With web browsing, the user actively ventures forth into the World Wide Web, where they can inadvertently expose themselves to danger, even at the most reputable sites (as when ads on those sites have been secretly taken over by hackers). The person doesn’t even necessarily have to click anything for a site to attempt to download a toxic payload.
Hackers have grown increasingly sophisticated in recent years in devising what are known as socially engineered attacks on company networks. In the case of so-called “phishing” attacks, hackers send out emails to multiple recipients that are cleverly made to appear as if they come from trusted websites. But this is more than just an email problem. Seemingly reputable websites can contain spyware or the site itself can be a phishing site – one that poses as a real website in order to trick the user into a scam, or worse. Sometimes, just opening the page can trigger the attack.
Generally speaking, the sketchier the website the more likely it is to contain a nasty hidden infection. But even the New York Times website was unwittingly tainted by an advertisement containing malware. The ad was placed by hackers who falsely represented themselves as national advertisers. People who clicked on the ad inadvertently downloaded a poisonous payload.
Given this environment, the critical importance of organizations becoming aware of internet and web browsing dangers – and training their users to avoid them – becomes obvious.
In such a risky environment, what can people – and organizations – do to reduce the chances of having their sensitive data stolen, or having it encrypted so they can’t access it unless they pay a ransom to the hacker?
The two most important security precautions you can take are to make sure that your browser is up to date, and to make frequent backups of your data that are then physically separated from your network. We’ll talk about both of these precautions below, along with a few other interesting wrinkles to the web-browsing security picture.
Update Your Browser
There is one piece of encouraging news in the browsing-security story. Browser makers are working hard to keep users’ computers safe. They keep close tabs on newly discovered bugs and vulnerabilities, and write patches and security updates to make their browsers resistant to them. However, their efforts will only benefit you if you keep your browser updated with the latest patches. Keeping browsers up to date is one of the most important things an organization can do to protect its network.
Some users think updates are primarily a matter of getting new bells and whistles. They might be satisfied with their browsing experience and resist changing it. The really important part of most updates is the changes made to keep out malware that has surfaced since the previous update. Users should be educated about how important it is to the network’s security to keep their browser up to date, and organizations should automate the browser update process as much as possible.
One challenging issue we’ve seen in this area is that some organizations are restricted in their ability to use up-to-date browsers. This commonly happens because they are using specialized applications that are critical to the company, but which are so old they only work on older versions of the browser. Cost is usually the factor that keeps these organizations from updating their tools or applications, and performing regular updates is a project that is frequently kicked down the road. The use of outdated browsers creates a significant, ongoing security hole for these organizations. The best thing they can do until they are able to update their systems is to be extremely diligent about backing up their data and then to immediately separate each completed backup from the network, to prevent it from being contaminated in the event of an attack.
Another way to reduce the chances of getting in trouble is to stay to the well-lit thoroughfares of the internet. As previously stated, this is no guarantee that nothing bad will happen to you. However, the best-known sites are generally safe, as are the sites most people would typically need to visit in order to do their jobs. Sketchier web pages such as adult sites and file sharing sites have a higher risk of being infected. Most workplaces prohibit the use of these sites for other reasons, but this has a definite additional benefit in terms of reducing the network’s exposure to potential malware threats.
In general, users should be trained to pay attention to the details of the web addresses of sites they visit or are considering visiting. Hovering over a link typically shows its address in the bottom left corner of the browser window. Users should be taught to inspect these addresses to make sure they lead to trusted sites. People should be on the lookout for addresses that are similar to those of well-known sites but vary in subtle ways (for example, goog1e.com rather than google.com). Such addresses may have been crafted by hackers to snare the unwary.
Speaking of paying attention to small details, organizations should also teach their employees to look twice at the security information displayed at the left side of the browser address bar. Addresses beginning with “http://” are not secure. Those beginning with “https://” are secure. What does this mean, exactly? Unfortunately, not as much as you might think. It means the traffic between your browser and the site is encrypted in transit, so it cannot be read by third parties lurking on the network. However, it is no guarantee that a site is free of malware. Still, all things considered, encrypted sites are safer to use than unencrypted sites. By showing which sites encrypt their pages, browser makers are trying to encourage more web publishers to use “https://”.
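The two checks described above (a look-alike address such as goog1e.com, and a plain “http://” scheme) can be automated for a list of links, for instance when reviewing URLs found in email or proxy logs. The following is an added example written for this post, not code from the original article; the trusted-domain list, the look-alike substitutions and the two-label domain rule are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of domains the organization treats as trusted (assumption).
TRUSTED = {"google.com", "nytimes.com", "microsoft.com"}

# Characters and pairs that attackers swap in because they look alike on screen.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def normalise(label: str) -> str:
    """Collapse look-alike characters: goog1e -> google, rnicrosoft -> microsoft."""
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI_CHAR:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def assess_url(url: str, trusted=TRUSTED) -> list:
    """Return tags describing why a URL deserves a second look."""
    parts = urlsplit(url)
    domain = registrable(parts.hostname or "")
    tags = []
    if parts.scheme != "https":
        tags.append("insecure-scheme")  # no encryption in transit
    if domain in trusted:
        tags.append("trusted")
        return tags
    for good in sorted(trusted):
        # Flag domains that only differ from a trusted one by a look-alike
        # character or a single edit, e.g. goog1e.com vs google.com.
        if normalise(domain) == normalise(good) or edit_distance(domain, good) <= 1:
            tags.append(f"lookalike:{good}")
    if not any(t.startswith("lookalike:") for t in tags):
        tags.append("unknown")
    return tags
```

Anything tagged lookalike or insecure-scheme is a candidate for a closer look or for a user-awareness reminder, not proof of malice on its own.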
Blocking the display of pop-up windows might also reduce exposure to malware. Setting your browser to prevent the display of pop-ups can be done in the settings or preferences window. You might also consider disabling autofill features and the use of internet cookies, though these features are popular and widely used.
Regular and Frequent Backups
In the end, however, no matter how effective your policies and training are, organizations should treat the possibility of being infected by malware as a matter of when, not if.
This being the case, all organizations should have a rigorous program in place for the regular and frequent backup of their data. Whether the backup goes to the cloud or to storage on company premises, it should be disconnected from the network as soon as it is complete, to protect it in the event of a subsequent contamination of the general network.
Having a recent, secure backup available is like walking around the city with only a few dollars in your wallet. If someone picks your pocket, it might ruin your afternoon, but the long-term impact will be slight.