The first important thing to recognise is that people are a part of the security chain, whether at home or at work and whether the security is physical or cyber. But end-users should not be a key element of that chain.
The caveat, of course, is where a person is charged with undertaking security oversight, for example a CISO, an IT security manager, a building security officer or a home owner. In this case, their role is critical in both determining what security controls are in place and how those controls are configured and managed.
This group of people needs to be properly trained and educated for their role, and there is a range of BCS-certified courses covering cyber security. Other bodies also offer cyber security certifications, including ISC2 (for example, CISSP and its specialisations), ISACA and SANS.
Even with current good-practice technical security controls in place, it is likely that, once in a while, some form of socially engineered content will make it through to an end-user. It is here that user education will help. For the home user, good advice is available from organisations such as Get Safe Online and the University of the Third Age. Companies can organise training and education in-house or by engaging an external security company.
But what happens if disaster strikes? After all, the malicious email or social media message made its way through all the in-place security controls. In that case, it is down to the IT infrastructure, how it is engineered and managed, and how comprehensive and effective the incident management and control procedures are.
What are the suggested good-practice security controls?
First, a comprehensive security gateway to the internet and other third-party networks that incorporates security proxies for email, browsing, file transfer, virtual private network (VPN) and mobile device handling, among other activities. Never allow a direct connection between a third-party network and the corporate internal network.
Second, put all Wi-Fi units on their own separate LAN or VLAN and ensure that the LAN/VLAN is firewalled on its connection to the corporate LAN. Incorporate security proxies as appropriate, or restrict access to the internet only. This is particularly important for private use of the internet by staff and guests.
Third, ensure that all server, PC, laptop and workstation operating systems are patched up to date, and the same for all applications.
Fourth, ensure that all network infrastructure devices – firewalls, proxies, Ethernet switches, load balancers, Wi-Fi units, printers and routers – are running the latest firmware.
Fifth, ensure that an effective role-based user authentication and authorisation process is in place and that file permissions are set to respect those roles. Absolutely no one should have universal access to all files. There is the ability to block access to files, folders and drives and to limit the type of access to a file or folder (for example, read only, or write but not execute). Use this ability, because it can help to restrict the spread of malware such as ransomware.
The authorisation and associated roles should also be device and location aware, where possible, so that a user accessing the corporate network from an office PC would have wider access than if the same user were out on the road, accessing over the internet from a personal smartphone or from a company laptop in a hotel room.
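As an added illustration of the last two points (not code from the original article), the following Python models role-based file permissions combined with device- and location-aware caps, and shows how the resulting write rights bound the set of shares a ransomware process running as a given user could encrypt. Roles, share paths and device classes are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed example data: each role gets only the rights it needs on each share.
# No role has access to every share (no universal access).
ROLE_PERMISSIONS = {
    ("finance", "//fs/finance"): {"read", "write"},
    ("finance", "//fs/public"): {"read"},
    ("engineering", "//fs/src"): {"read", "write", "execute"},
    ("engineering", "//fs/public"): {"read"},
    ("it-admin", "//fs/public"): {"read", "write"},
}

# Context caps: the most an access path may ever grant, whatever the role.
# A device/location pair not listed here grants nothing (deny by default).
CONTEXT_CAP = {
    ("office-pc", "office"): {"read", "write", "execute"},
    ("company-laptop", "remote"): {"read", "write"},
    ("personal-phone", "remote"): {"read"},
}


@dataclass(frozen=True)
class Request:
    role: str
    share: str
    action: str
    device: str
    location: str


def effective_permissions(role, share, device, location):
    """Rights actually granted: role rights intersected with the context cap."""
    role_perms = ROLE_PERMISSIONS.get((role, share), set())
    cap = CONTEXT_CAP.get((device, location), set())
    return role_perms & cap


def authorise(req: Request) -> bool:
    """True only if the action is allowed for this role from this device/location."""
    return req.action in effective_permissions(
        req.role, req.share, req.device, req.location
    )


def writable_shares(role, device, location):
    """Blast radius: shares malware running as this user could modify or encrypt."""
    shares = {share for (_, share) in ROLE_PERMISSIONS}
    return {s for s in shares if "write" in effective_permissions(role, s, device, location)}
```

The narrower the result of `writable_shares`, the less a ransomware infection on that user's session can damage; the same finance user reaches one share from an office PC and none from a personal phone.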