How many times have you heard phrases like: "Your employees are the weak link in your cybersecurity", "Employees are the major access point for cyber attacks", etc.? You know, this doesn't have to be the case. On the contrary, your employees can be your company's greatest security asset. That is, of course, if you train them properly in cybersecurity policies and practices.

Find out how your employees can be the weakest link in your cybersecurity chain, and how you can turn them into your strength.

The role of employees in corporate cybersecurity

Although companies in Switzerland and around the world are constantly protecting their data from hackers, the greatest cybersecurity threat remains the human factor. Indeed, human error is at the root of almost all reported data breaches.

Hackers target frontline employees and sometimes even the most diligent CEOs with highly sophisticated and often personalized attacks. For example, the company's LinkedIn profile and website are a treasure trove for a spear-phishing attack. It's all there: e-mail addresses, domains, employee relationships and the CEO's agenda.

These details make it easier for hackers to create a credible point of contact to exploit. For them, unsuspecting employees represent an easy target, but it's the keys they hold to the corporate network that are the ultimate objective.

These are just some of the reasons why the human factor threatens corporate security. In addition to phishing and social engineering, there are also viruses and malware such as ransomware, or the accidental loss of equipment used at work (telephone, computer).

Are employees really the weakest link in the cybersecurity chain?

Before taking any action, companies need to ensure that their employees are part of their cyber planning to strengthen their resilience.

All the evidence suggests that employees are always at the forefront of cybersecurity issues. However, it must be stressed that employees' lack of awareness of corporate security is the responsibility of the organization's culture. Because if you make your employees aware, they will be your most important line of defense.

How can you make your employees the driving force behind your cybersecurity?

1. Educate and train your employees

Do your employees know your company's cybersecurity policies? Are they familiar with password best practices? Do they have unique identifiers that they change regularly? Are they aware of the latest cyber threats, such as malware and phishing attempts? For example, do they know what to do when they receive an e-mail designed to look like their supervisor's? The first step is to raise employee awareness and provide ongoing training on cybersecurity issues.

2. Set up password policy

Employees often prefer simple passwords that they can easily remember, but this practice should be discouraged.

Implement two-factor authentication (2FA) for an extra layer of protection. In addition, so that employees can generate or create strong passwords that even they can't remember, provide them with password management tools that let them store their credentials and quickly access their accounts securely. It's also not just about having strong passwords, but about changing them frequently. This is another step you can take to protect your company's security.

3. Use of data and the Internet

Ensure that clear rules are established when employees are connected to the company network. Establish policies that guarantee the protection of company data. Firstly, make it clear that business e-mails must only be used for work purposes, and that personal e-mails must be restricted.

Secondly, storage devices such as external hard drives or USB sticks should be prohibited, unless they are supplied and/or analyzed by the company.

In addition, unless it's necessary for work, you can restrict employee access to websites that aren't important, such as social networks or online video streaming. This will help employees avoid fraudulent websites that could be used to break into your network.

4. Invest in a security solution

Today, malicious software (malware) exploits advanced techniques to bypass network security tools and equipment. The effects on a company can be disastrous, especially if the malware is ransomware that locks your computer and prevents you from accessing it until you pay the ransom.

To guarantee your cybersecurity at the highest level, EVOK partners with several suppliers of the latest security equipment, including Palo Alto Networks, Juniper Networks and Fortinet.

Our certified staff are able to draw up a security strategy that reflects the constraints of your profession. Our equipment secures your applications, protects your identities, and detects and prevents advanced threats, even in encrypted traffic. They use cutting-edge technologies such as Machine Learning, which can detect variations in threats, predict the next stages of an attack, and implement protection in near-real time.

Key takeaway

So keep in mind that all companies are potential targets for data breaches. Hackers don't care about your industry, sales or number of employees. They're only interested in the data you possess, and will stop at nothing to get their hands on it. That's why, as a company, it's incumbent on you to have a solid data confidentiality strategy, even when it comes to your employees.

Social engineering is a term used to describe a wide range of malicious activities carried out through human interaction. It uses psychological manipulation to induce users to commit security errors or give out sensitive information.

By understanding social engineering attacks, and recognizing that true protection against them requires both people AND technology, you can protect your organization from the consequences of these types of practices.

What are the most common types of social engineering attack?

Here are some of the most common social engineering techniques:

Phishing

Phishing is the most common social engineering tactic.

It uses an e-mail, a website, an Internet ad or a video to incite its victims to act. The people behind the attack may pose as a bank, delivery service or government agency, or they may be more specific and appear to come from a department within the victim's company (human resources, IT, sales...). Phishing e-mails, which often look innocent, include a call to action. The victim will be asked to click on a URL, which will then take them to a fraudulent website containing malware.

Although even the most unsuspecting users are aware of this practice, it continues to wreak havoc, all the more so as cybercriminals are making much greater efforts to ensure that their messages are well designed and do not arouse suspicion.

Phishing variants include Spear Phishing, which targets a specific demographic, such as employees of a particular company or CFOs in a particular industry. There's also Whaling, which targets executives or high-level employees.

Baiting

Baiting is another fairly common form of social engineering. It consists in luring the victim with a tempting offer (free music or games). The attacker hopes that the password used to log in and obtain the free digital gifts is a password used on larger sites. And if it's unique, the attacker will still be able to sell it on the dark web. In the corporate world, a baiting attack is most likely to consist of a USB key left in a common place. When someone finds it and plugs it into the company network to see who it belongs to, they download malware.

Pretexting

As its name suggests, "pretexting" is a form of social engineering in which the attacker presents a pretext to gain the victim's trust. The attacker may pose as an investor, HR representative or other "legitimate" source. This type of scenario generally plays on the victim's emotions, using a sense of urgency or the element of surprise.

How to counter social engineering?

To overcome social engineering threats, it is essential to focus on both the human and the hardware/software side.

Let's start with the human side, which is the point of attack for cyber criminals specializing in social engineering! With this in mind, security training remains the best way to avoid falling victim to an attack. As part of their security awareness programs, organizations should continue to remind their employees of the following common practices:

Let's move on to the technological side! It is imperative to:

And above all, keep up to date with all the latest developments in cybersecurity by becoming a regular reader of our blog ;-)!

In Switzerland and around the world, cybercrime is on the prowl, threatening your IT security. Organizations of all sizes need a cybersecurity plan in 2023. For small and medium-sized enterprises (SMEs), the need is even greater, as cybercriminals have increasingly turned their attention to smaller organizations in recent years. This is evidenced by the fact that incidents targeting companies with fewer than 1,000 employees will increase by almost 200% by 2022.

Luckily for you, you're in good hands! EVOK has put together the ultimate checklist for solidifying your cybersecurity in 2023. To this end, our blog post will focus on risk areas and opportunities for improving the security of your operations.

Which threats jeopardize your cybersecurity?

Before we get to the checklist, it's important to understand what dangers you're facing. For SMEs in particular, here are some of the cybersecurity threats in 2023:

  1. Ransomware. A type of malware that encrypts a victim's data and demands a "ransom" to restore access to files and the network.
  2. Phishing. This is a type of social engineering. It aims to trick users into bypassing normal cybersecurity practices and disclosing sensitive data such as usernames and passwords, bank account information, social security numbers, credit card details, etc.
  3. Incorrect or missing firewall configuration. There's no need to demonstrate the importance of the firewall to your cybersecurity in 2023. Correct configuration and maintenance of your firewall are essential to your network's security.
  4. Your employees can be the weak link. Lack of investment in resources translates into a more lax environment. Most employees still use easy-to-guess passwords to access company accounts. Some are unable to spot the danger signs in attacks.

The checklist to solidify your cybersecurity in 2023

Define strict password policies

Strict criteria for employee passwords will prevent unwanted access. Try the following to establish and maintain strong password policies:

E-mail restrictions

Email is one of the most common points of entry for cybercriminals and malware. The first step is to choose the right e-mail hosting provider. If you're based in Switzerland, you should opt for an e-mail tool that's hosted entirely in Switzerland. If you are, for example, a municipality, a nursing home, a medical practice or a financial institution, you need to comply with the Swiss Data Protection Act (Art. 18 al. 1 LPrD). EVOK offers you Hosted Exchange® hosting, 100% Swiss and under Swiss law, with replication on a geo-cluster in our Fribourg and Lausanne datacenters.

And don't forget to use spam filters, message encryption and antivirus software to prevent threats from reaching their targets.

Multiple layers of protection

Also known as multi-security or defense-in-depth (DiD), the idea here is to adopt a layered approach to security with intentional redundancies - so that if one system fails, another immediately takes its place to prevent an attack. Maintaining multiple layers of protection includes the following:

To find out more about network security, take a look at our IT audit offer.

A field of IT that involves designing, building, deploying and maintaining cloud-based IT solutions, cloud engineering is not just a trend in 2023, but a reality. Put simply, this technology enables remote access to IT resources via the Internet, without having to store them locally on one's computer.

In this blog post, we're going to talk about the various advantages of cloud engineering and the many trends it will be adopting this year.

The benefits of cloud engineering in 2023

As you've probably guessed by now, cloud engineering is one of the key technologies of the 21st century, enabling businesses to benefit from the many advantages of cloud computing, such as cost reduction, flexibility and scalability of information resources:

  1. Cost reduction: thanks to the cloud, companies can reduce the costs associated with purchasing, maintaining and upgrading on-premise IT infrastructures. They can also save on the energy costs associated with operating data centers.
  2. Scalability: Cloud resources can be easily adapted to demand. This means that companies can increase or reduce their storage or data processing capacity according to their needs.
  3. Remote access: In the wake of the pandemic and the shift to a hybrid mode of working (remote/office), the importance of the cloud has become all the more pronounced. It enables employees to work remotely from anywhere, at any time, accessing their applications and data via the Internet.
  4. Security: Cloud providers generally have security measures in place to protect their customers' data and applications. Companies can therefore benefit from high levels of security without having to invest in costly security infrastructures.
  5. Innovation: Cloud engineering enables companies to innovate faster, because they can easily test and deploy new applications without having to worry about the costs or constraints of setting up an on-premise IT infrastructure.
  6. Availability: Cloud providers generally offer high levels of availability for their services, enabling businesses to benefit from 24/7 service continuity.

Cloud engineering: trends to watch in 2023

Cloud engineering is constantly evolving, adapting to the needs of businesses and consumers alike. In 2023, we foresee several important trends for IT professionals working in cloud engineering. Here they are:

  1. Widespread adoption of Infrastructure as a Service (IaaS): IaaS enables companies to lease IT resources, such as servers, storage and networks, from cloud providers rather than buying and maintaining them themselves. This approach enables companies to reduce costs, gain flexibility and adapt quickly to fluctuations in demand.
  2. The explosion of artificial intelligence (AI) in cloud engineering: AI is increasingly used in the cloud for applications such as data analysis, voice recognition and fraud detection. Cloud providers are offering AI services such as image and voice recognition engines, chatbots and advanced data analysis tools.
  3. Growing adoption of multi-cloud: Companies are increasingly adopting a multi-cloud strategy, i.e. using several cloud providers for different tasks or applications. This enables them to benefit from the advantages of each provider, such as security, scalability or cost.
  4. The growing use of containers: Containers are isolated runtime environments that enable developers to deploy applications more easily and quickly. Containers also enable companies to reduce costs and increase efficiency by using shared resources.
  5. Security, security, security: Security is a major concern for companies using the cloud. Cloud providers are constantly working to improve the security of their services, but companies also need to take steps to protect their data and applications.

To sum up, cloud engineering remains a constantly evolving technology that offers many opportunities for IT professionals. By following current trends, companies can benefit from the flexibility, scalability and economic advantages offered by the cloud.

File sharing and corporate security: What you need to know

File sharing is an essential aspect of enterprise collaboration, enabling teams to work together efficiently and exchange information quickly. However, understanding the security implications of file sharing is crucial to protecting your company's sensitive data.

1. Assess the risks:

Before choosing a file-sharing solution, assess the risks your company may face. Identify the types of sensitive data you'll be sharing, and assess the possible consequences in the event of a security breach. This will help you choose the right file-sharing solution for your needs.

2. Choose a secure file-sharing platform:

Choose a reputable, secure file-sharing platform. Look for features such as encryption of data in transit and at rest, granular access controls, security audits and malware protection measures. Also make sure the platform complies with current regulations, such as the GDPR.

3. Manage access rights:

Grant appropriate access rights to users to limit file visibility and modification. Implement authorization controls based on the roles and responsibilities of each user, so that only authorized people can access sensitive files.

4. Encourage the use of strong passwords:

Make it standard practice to create strong passwords for file-sharing accounts. Strong passwords should be a mix of letters, numbers and special characters, and it's a good idea to change them regularly. In addition, consider multi-factor authentication for enhanced security.

5. Raise employee security awareness:

Security awareness is essential to protect shared files. Train your employees in security best practices, such as verifying recipients before sharing files, identifying phishing attempts and managing passwords securely. Encourage caution when sharing files outside the company network.

6. Make regular backups:

Don't forget to regularly back up important shared files. Backups enable data to be recovered in the event of loss, system failure or cyber-attack. Make sure your backups are stored securely, and test their restoration regularly.

7. Monitor file-sharing activity:

Set up a monitoring system to detect any suspicious or unauthorized activity linked to file sharing. Tools for monitoring activity logs and reports can help to quickly identify potential security breaches and take appropriate action.

File sharing is a common business practice, but security should never be overlooked. By following these tips, you can minimize risks and protect your company's sensitive data when sharing files. Make sure you choose a secure platform, manage access rights, raise employee awareness and actively monitor file-sharing activities to keep your business information safe.
