Perhaps unsurprisingly, internet security has taken a bit of a back seat in recent years.
With the rise of more direct attack vectors such as phishing, organizations seem to feel that the ‘old fashioned’ threat of malicious websites should be lower on their priority list. And that’s understandable… but not advisable.
In fact, with phishing getting all the headlines, it’s easy to forget that unsuspecting employees can easily introduce serious threats such as ransomware into your network just by browsing the wrong sites.
Training your employees to practice safe browsing behaviors is easier said than done, but if you follow these guidelines you’ll be well ahead of the curve.
Training Isn’t a Cure-All
First off, no matter how much you invest in training, you can never pass on the responsibility for network security.
Sure, you can enlist the help of your employees, and provide them with the tools and training they need to navigate the web safely, but ultimately the responsibility still falls on you.
If you take this responsibility seriously, it means taking every measure you can (budget permitting) so that an employee’s mistake cannot do serious damage to the network. Clearly, it isn’t possible to fully realize this vision, but if you aim for it you will get a lot closer than you would otherwise.
It’s important to realize that no matter how good your training is, somebody will make a mistake in the end, whether it takes months or just a few minutes. But if you have a high-quality security infrastructure in place, the vast majority of these mistakes will be caught automatically.
We’re talking about measures like tight spam filters, web and DNS filtering, endpoint security software, keeping browsers and plugins patched, and blocking MS Office macros (especially in documents downloaded from the internet) by default. If you’re taking these types of measures as a matter of course, the number of opportunities for employees to make costly mistakes will be greatly reduced.
Train Them to Be Watchful
One of the big problems with security is that people don’t typically think about it as they go about their business.
For most people, the Internet is an extremely useful, often entertaining (and sometimes offensive) platform that can be browsed with impunity. As security professionals, we know that picture is false: there are lots of things on the Internet that are far from harmless.
The first step in Internet security training, then, is simply to convince employees to remain watchful while browsing the web. Your employees must realize that the Internet is not a play zone and that there are literally millions of compromised websites out there.
Don’t believe that? Well, as of Q1 2016, Google blacklists a whopping 70,000 websites for phishing and malware abuses every week.
At that rate, they’re blacklisting over 3.6 million websites each year.
Your employees need to hear these figures, and you need to convince them that unsafe browsing habits catch up with people in the end.
Spotting the Signs
Once your employees understand the Internet isn’t the playground they thought it was, teaching them to spot the signs of malicious websites is a good next step.
Of course, some of the most common tactics (e.g. drive-by downloads that exploit an unpatched browser or plugin) should largely be stopped by patching, web filtering and endpoint protection rather than by the user. Nonetheless, employees can still cause significant damage through unsafe browsing behaviors, so your Internet security training program should always cover the biggest giveaways of malicious sites.
Some excellent topics include:
- The difference between secured and unsecured connections (HTTP vs. HTTPS), with the caveat that HTTPS only protects the connection: a phishing site can have a perfectly valid certificate, so the padlock says nothing about whether the site is trustworthy
- Anything on-page that seems odd or inconsistent with site branding
- Misspelled or lookalike domains, including the real brand name buried inside an unrelated domain (e.g. the brand appearing as a subdomain of a site the employee has never heard of)
- Automatic downloads or requests to download content such as codecs, “players” or “updates”
Identifying malicious websites can be extremely difficult, even for security professionals, so it’s not reasonable to assume your users will be able to do so with 100% accuracy. It is, however, possible to drastically improve their detection abilities, enabling them to leave potentially malicious websites much more quickly.
Regular testing is an excellent approach to tackling this problem, along with providing additional support to employees who score poorly on routine tests.
Providing the Tools and Techniques
In addition to training, your employees need access to the best tools and techniques for identifying malicious websites.
For instance, modern web browsers perform automatic reputation checks against lists of known malicious sites (Google Safe Browsing in Chrome and Firefox, SmartScreen in Microsoft Edge). An outdated, unpatched browser is a liability, so standardize on a current browser, keep it patched, and make sure those protections are switched on and enforced by policy rather than left to the user.
And this isn’t just about software or hardware. Little tips like checking the real destination of an embedded link (hovering over it and reading the address) before clicking can be huge for your network security. Modern threat actors are skilled and thorough, and often the link URL is the only thing that gives away their real intent.
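The giveaways listed above (unencrypted HTTP, misspelled or lookalike domains, a brand name buried in an unrelated domain, downloads of executable content) and the advice to check a link’s real destination can also be turned into a simple triage script for your support team. The following is an added example written for this page, not code from the original post; the protected brand domains, the risky extensions, the edit-distance threshold and the sample HTML e-mail are all illustrative assumptions, and the checks are heuristics, not a substitute for a reputation service.

```python
"""Link-triage helper: flags the malicious-site giveaways from the training list.

Added example for this page (not part of the original post). The brand list,
risky extensions, threshold and sample e-mail below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed: the few domains your employees actually log in to (tuple keeps order stable).
PROTECTED_DOMAINS = ("example-bank.com", "example-corp.com")

# Assumed: file types nobody should be prompted to download from an unfamiliar site.
RISKY_EXTENSIONS = (".exe", ".msi", ".scr", ".js", ".vbs", ".hta", ".zip")

# Domain-looking text, used to compare displayed link text with the real target.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one or two edits away from a brand is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_url(url: str, shown_text: Optional[str] = None) -> List[str]:
    """Return a list of human-readable warnings for one link (empty = nothing odd)."""
    findings: List[str] = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme == "http":
        findings.append("unencrypted http")

    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode/IDN hostname (possible homoglyph domain)")

    domain = registrable(host)
    if domain not in PROTECTED_DOMAINS:
        for brand in PROTECTED_DOMAINS:
            label = brand.split(".")[0]
            if label in host:  # brand name embedded in an unrelated domain
                findings.append(f"brand '{label}' embedded in unrelated host {host}")
            elif levenshtein(domain, brand) <= 2:  # threshold is an assumption
                findings.append(f"lookalike of {brand}: {domain}")

    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append(f"download of executable content: {parsed.path}")

    if shown_text:
        m = _DOMAIN_RE.search(shown_text)
        if m and registrable(m.group(1)) != domain:
            findings.append(f"displayed link {m.group(1)} != real destination {host}")
    return findings


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_html(body: str) -> Dict[str, List[str]]:
    """Run triage_url over every link in an HTML body, keyed by real href."""
    parser = LinkExtractor()
    parser.feed(body)
    return {href: triage_url(href, text) for href, text in parser.links}


# Constructed sample e-mail: one honest link and three of the giveaways above.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://example-bank.com.account-verify.net/login">https://example-bank.com/login</a>
<a href="https://login.example-bank.com/">Sign in</a>
<a href="https://free-codec-downloads.net/player/codec_update.exe">Install the video codec</a>
<a href="https://xn--exmple-bank-v5a.com/">example-bank.com</a>
"""

if __name__ == "__main__":
    for href, warnings in triage_html(SAMPLE_EMAIL).items():
        print(href, "->", warnings or "looks ok")
```

The honest link (a real subdomain of a protected brand, over HTTPS, with neutral anchor text) produces no warnings, while the first link collects three at once: plain HTTP, the brand name sitting inside a stranger’s domain, and anchor text that shows a different site from the real destination. A support desk can run a reported link through this in seconds, which is exactly the quick answer the next section argues employees need.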
If In Doubt, Shout (Don’t Click)
At the end of the day, your employees must be willing to ask for help if they’re unsure, and help must be available quickly.
And it doesn’t matter if they’re unsure about a website, an email, or anything else… It only matters what they do about it, and the best possible thing for them to do is to seek help from a security professional.
But if employees start to realize that calling for help means 10 minutes of hold music, it won’t be long before they give up altogether. If instead, they’re able to quickly run a particular website or application by your support team before continuing, suddenly you have more control over their behavior.
Perhaps the most annoying thing about the persistent myth of employees not caring about security is that it assumes they are totally unwilling to participate no matter what we as security professionals do. In reality, though, it’s our fault if employees don’t care, because we’ve failed to make them care.
Taking a proactive approach to Internet security training means doing everything in your power to educate and support employees to consider security as they go about their daily business.
And if you do that, you’ll find they’re much more willing to engage with your security awareness training program.
If you’re planning to revamp your Internet security training, we’d love to help. Security awareness training is a core element of our service offering, and we know exactly how to deliver training that changes employee behaviors.