IT security in 2022 is a hot topic. Between big-name ransomware attacks, spear phishing, and rampant data breaches, businesses the nation and world over are now taking a critical look at their own IT security infrastructure. Many are finding holes and shortcomings in their security setups that were oftentimes invisible before, and invisible as these issues may be, they may well pose a big threat to businesses and their data.
But what are these invisible threats? And how can businesses overcome them?
We’ll dive into those questions as we explore the facets of one of IT’s biggest debates — do we, as business owners, prioritize IT security technology or IT security training (otherwise known as IT security awareness training)? While the two may sound similar on the surface level, the strategies, use-cases, and applications of each are very distinct. In this article, we’ll walk you through both IT security technology and training, to help you better decide which is the right call for you and your business.
Assessing Your Business
Before we can dive into analyzing the potential holes in your IT security infrastructure, you need to establish some key facets of your business’s digital makeup.
First, think carefully about your digital infrastructure itself. The specifics can vary a lot from business to business, but the most important factors in your digital infrastructure are its age, size, and complexity.
For instance, how big is your network? How many computers are hooked up to it? Is your business a tech-heavy one, or is it more pen-and-paper and old-fashioned? How complex would you estimate your network infrastructure is? Is it more barebones, with only computers and printers connected, or do you have on-site data hosting with terabytes upon terabytes of files? Does your business run exclusively up-to-date software and operating systems, or do your servers still run on decades-old Windows XP or Windows 7? Exact specifications aren’t necessary for this step; just keep a general idea in mind.
Next, assess your employee base and their overall tech-savviness. Naturally, a tech-savvy workforce is going to be much more keen on cyber security protocol than one that isn’t, so take some mental notes on the technical prowess of your team.
For instance, does your team trend older or younger? Older folks often have a harder time with cyber security protocol and technology in general. Additionally, do you have an IT team on-hand or in-house? If so, how many years of experience does each member have? Do you have a unified email system from Google or Microsoft, or does each employee of yours have their own independent email address?
Assessing the Risks
Now, we’ll contrast what you’ve briefly assessed about your business with some of the most common, most high-risk cyber attacks and security risks. Keep in mind what sort of security practices you and your team are already familiar with, and keep track of those which you or your team aren’t yet familiar with.
- Stolen passwords. Stolen passwords are, in the cyber security world, the oldest trick in the book. A malicious actor obtains one of your employees’ passwords and uses that authentication to gain access to that individual’s computer, your wider network, a file storage service, or another sensitive resource. Who’s at risk? Stolen passwords are always an immediate threat, but the risk can be mitigated by two-factor authentication and secure, varied passwords, among other methods — businesses that do not use these are at greater risk of password theft.
- Phishing attacks. For years now, most run-of-the-mill phishing attacks never leave the attacker’s email hosting, or get caught by garden-variety spam filters. But that doesn’t mean the threat is neutralized. Phishing attacks have evolved in recent years, and now manifest in many more ways than simple emails. Between spear phishing, where bad actors target individuals with hyper-customized emails that are extremely convincing, and the rise of phone- and text message-based phishing attacks, they’re more dangerous than ever. Who’s at risk? Phishing attacks prey primarily on those who are less tech-savvy and those with poor attention to detail. Phishing attacks are often clunky in their grammar and appearance, and they demand sensitive info from their victims — info experienced computer users know to never give away to a strange phone number or email address. But in the age of spear phishing, anyone may be vulnerable.
- Ransomware. Ransomware appears on your computer unexpectedly, complete with a threatening message and a frightening, sometimes morbid veneer that’s designed to scare you into compliance. This breed of malware will encrypt your files, rendering them unusable and unreadable, and will only decrypt them after you pay the (often exorbitantly high) ransom price. Who’s at risk? Ransomware can infiltrate a business in a number of ways, often through a malicious link, phishing attack, or social engineering. Additionally, those without constantly-updated offline or cloud-based data backups can find themselves in a dire situation when hit by a ransomware attack.
Making Your Final Decision
With both the state of your business and of the three most dangerous cyber threats in mind, let’s come to a more final decision. To help close this thought exercise, we’ll ask you a few broad questions and provide solutions to them depending on how you answered. Keep a running tally of points in favor of IT security technology, and points in favor of IT security training.
- Q: How modern and up-to-date is your business’s technological and cyber-infrastructure?
- A: If your systems are aging and getting slow, it may be time for an upgrade and/or security technology to help bolster your defenses — consider this a point for security technology. If not, and your systems are modern and secure, you’d do well to make sure they stay that way.
- Q: How tech-savvy is your employee base?
- A: If yours is a business where many employees are older or have less experience with technology, or one that doesn’t demand the use of tech in its day-to-day, take down a point for security training. If it’s mainly staffed by younger and frequent computer users who are comfortable staying secure online, skip this question.
- Q: How much of your data is kept on-site?
- A: Any amount of large- or enterprise-scale data storage needs proper protection; take down a point for security technology if you have it. If you don’t have any mass data storage on-site at your office, skip this question.
- Q: How large is your business’s network? How many employees are hooked up to your network?
- A: Larger companies of dozens to hundreds of employees need proper data protection at that scale, yet the sheer number of employees present means many potential points of failure. We recommend that large companies invest in both IT security technology and training.
- Q: Do you hear employees chattering about not being able to remember passwords, or getting hacked? Has your business ever been digitally compromised before?
- A: These are both telltale signs of a need for security training. Those who often forget passwords are more likely to use very weak passwords, or to write passwords down with pen and paper or in a Word document — all very insecure password practices.
- Q: Have you or your IT team been approached about a strange Amazon charge? Or maybe a strange transaction from Netflix, Hulu, their bank or even the police?
- A: These are all names phishers prefer to operate under. If you’ve heard reports of charges or transactions like these that came out of the blue, it’s a sign you may need to incorporate security training to teach your employees the surefire signs of a phishing or scamming attack.
If you found yourself answering “yes” to the majority, or perhaps even a couple, of these IT security training or IT security technology questions, it may be time to start looking for one or both of them for your business. Look no further than the experts at CBS if your Colorado business needs any sort of IT training or technology — we’ve been in this business for over 25 years, and we’re certified experts at providing IT security support.