Clients often ask me what the top vulnerabilities are that they should be aware of.
They are expecting me to tell them about the latest Trojan and what kind of damage it does. But a Trojan or any other kind of malware is only destructive if it can get inside the network.
While we often find through penetration tests that new clients are technically exposed because of outdated firewall firmware and out-of-date patch levels, these defects are usually not the direct cause of infections. The direct cause is normally a person who has not been properly trained.
Awareness training is key to any successful cybersecurity governance framework. The first training session, in my opinion, should revolve around the threats associated with email. Specifically, all employees need to be able to spot phishing emails and emails carrying malware attachments.
Management should ensure that both they and their employees:
- Are able to spot fake sender addresses;
- Distrust bad spelling or grammar;
- Do not click on unfamiliar or suspicious URLs;
- Are aware of tools like ‘virustotal.com’ to check the authenticity of links (but do not use it to scan files!);
- Never share passwords with anyone;
- Are not afraid to ask IT to investigate a suspicious email; and
- Are tested from time to time with phishing tests and other methods.
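Two of the points above, spotting a fake sender address and noticing that a link leads somewhere other than where its text suggests, can be turned into automatic checks that IT can run on a reported email before anyone clicks anything. The script below is an added example, not code from the original post; the sample message, its domains and its IP address are constructed for the illustration, and the two heuristics (a display name that embeds an address on a different domain than the real sender, and anchor text naming a different host than the real href or pointing at a bare IP address) are mine, not a complete phishing detector.

```python
"""Triage a reported email for two indicators from the awareness checklist:
a From display name that claims a different domain than the actual sender,
and links whose visible text points somewhere other than their real target.
The message below is constructed for this example; the domains are placeholders."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real sender, domain or address).
SAMPLE_EMAIL = """\
From: "IT Helpdesk <helpdesk@company.example>" <alerts@mail-login-verify.example>
To: staff@company.example
Subject: Your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your password <a href="http://198.51.100.7/login">company.example/reset</a>
before 5pm. See also <a href="https://intranet.company.example/policy">intranet.company.example/policy</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lowercased host of a URL or of a bare 'host/path' string."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def check_sender(msg):
    """Flag a From header whose display name embeds an address on another domain,
    a common way to make an external sender look like an internal one."""
    findings = []
    display, actual = parseaddr(str(msg["From"]))
    actual_domain = actual.rsplit("@", 1)[-1].lower()
    for token in display.replace("<", " ").replace(">", " ").split():
        if "@" in token:
            claimed_domain = token.rsplit("@", 1)[-1].lower()
            if claimed_domain != actual_domain:
                findings.append(f"sender: display name claims {claimed_domain} "
                                f"but message is from {actual_domain}")
    return findings


def check_links(msg):
    """Flag links whose visible text names a different host than the real target,
    and links whose real target is a bare IP address rather than a hostname."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        real = host_of(href)
        # Only treat the anchor text as a claimed host if it looks like one.
        shown = host_of(text) if ("." in text or "/" in text) else ""
        if real.replace(".", "").isdigit():
            findings.append(f"link: target is a raw IP address ({real})")
        if shown and shown != real:
            findings.append(f"link: text shows {shown} but target is {real}")
    return findings


def triage(raw):
    """Parse a raw RFC 5322 message and return the list of indicator findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed message, `triage` reports the mismatched display name, the raw-IP link target and the link whose text names `company.example` while its target does not; the second, consistent link produces nothing. The point for training is the same one the checklist makes: the visible name and the visible link text are what the attacker controls, so the actual address and the actual target are what must be checked.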
Malware is harmless if it cannot get inside the network. Your employees need to see themselves as gatekeepers and an integral part of the cybersecurity system.