Employees have a big role to play in your cybersecurity.
When it comes to cybersecurity, businesses tend to focus on protecting their infrastructure and devices, which is essential in preventing cyber criminals from gaining access and bringing the business to its knees with ransomware and other malware attacks. But an important step for cyber security that’s often overlooked is ensuring that your employees assist with the defence against these threats.
Cyber criminals target businesses in a variety of ways, and targeting your employees is one of them, through emails, texts, voicemail, web downloads, and social engineering.
Many businesses also overlook the potential for offline attacks by office visitors and malicious employees.
All of the statistics show that incidents of cybercrime are increasing across the board, and this trend looks set to continue for the foreseeable future as attackers become more sophisticated in their approach.
While rigid and comprehensive IT security systems and procedures are a must for any business to combat this threat, it is also essential for employees to be educated in practicing strict and secure IT security habits to defend your business against them.
It only takes one cybersecurity incident to destroy a company’s operations, cash flow and reputation.
Prefer the more condensed version? Then click here to download this free Cyber Security Tip Sheet poster.
Rule Number 1: Keep a Clean Desk!
It makes sense and sounds simple, and it is imperative for data security, but it’s often overlooked.
A cluttered desk tends to mean USB drives, smartphones, and important, often confidential, data are at risk of being left exposed. Clutter also makes it more difficult to spot if something important goes missing.
Keeping your desk neat makes digital and paper assets more secure, and has the added benefit of improving productivity.
Keeping a clean desk includes:
- Don’t leave computer screens on without password protection.
- Keep all documents with sensitive information in locked drawers.
- Don’t forget to shred documents before they are put in the bin.
- Close and lock filing cabinets.
- Don’t leave mobile phones, tablets, laptops or USB sticks out in the open.
- Erase whiteboard notes.
- Keep bags and backpacks out of sight or in locked staff facilities.
- Don’t leave drawer/cabinet keys in the building overnight.
- Never write usernames and passwords on post-its.
- Don’t leave wallets, company credit cards or security badges out for anyone to access.
It’s also important to make sure that desktop and laptop devices are physically secure so someone can’t just pick them up and stroll away with your confidential data.
For those of you not working in the office, in places like airports and coffee shops:
- Make sure no one can see over your shoulder.
- Never use public WIFI networks.
- Keep an eye on your bag and your devices; never leave them unattended.
- Don’t repeat sensitive information out loud when on the phone; there’s a chance it might be overheard.
Phishing is the primary email threat employees need to focus on. Cyber criminals pretend to be a trustworthy entity via email in order to steal sensitive information, including usernames, passwords, credit card details and more.
These attacks are becoming more and more sophisticated. They often masquerade as the company CEO (see employment fraud), a customer or a business partner. They are often well-researched and very convincing if you’re not on top of your game.
These attacks can include:
- Spoofing the sender address in an email so it appears to come from a trustworthy source, to request a transfer of funds or sensitive information.
- Installing ransomware and malware via email attachments.
- Embedding links to malicious or phoney websites to extract sensitive information.
Recent years have seen a rise in sophisticated social engineering attacks. Cyber criminals research everything they can about your business, its internal structure, employees and customers. With the use of social media, there is a wealth of information that can be exploited in these attacks.
These attacks include:
- Obtaining company information over the phone by impersonating a company vendor or customer.
- Laying the groundwork of expectation for follow up email phishing attacks.
- Gaining access privileges to one or more of your systems, by pretending to be someone else (like your CEO or your IT provider!)
Protecting against phishing attacks:
- Always be suspicious of potential attacks, whether you know the sender or not. Ask yourself – Is this person asking for something from me?
- Never reveal personal or financial information or passwords in an email.
- Do not click on links in emails. Instead, visit the website yourself.
- Check the URL for every website.
- Any URL whose host (the part before the first single slash) is not “domain.ie” or does not end in “.domain.ie” is likely a fake. e.g. bankofireland.com.dummy.com/login is a fake, because the host actually belongs to dummy.com.
- Check that any site you enter sensitive information into has an SSL certificate (e.g. https:// rather than http://). Also, consider if employees are practicing safe browsing habits.
- Verify all suspicious email requests. Contact the company they are from directly, with information not provided in the email.
- Make sure your software is up to date and that antivirus and malware protection are in place.
Properly managing your passwords to make sure they are secure enough also sounds like common sense, but again, it’s often either overlooked or under-implemented.
When passwords and usernames are weak, they are easier to break. Do not use passwords like:
- Series of numbers in numerical order (456789)
- Names or common words (BrianM, basketball, HSullivan)
- Variations of the word password (password123)
And, do not use common usernames like:
Common mutations that brute force tools already expect to find in users’ passwords:
- Capitalising first letter
- Combinations of upper/lowercase
- Replacing letters like e with 3 and a with @
- Placing numbers/characters at beginning and end of words
- Adding exclamation mark or full stop to the end
Inserting numbers randomly throughout your password is a good way to combat brute force attacks.
What your business password should look like:
- At least 12 characters
- Multiple uppercase and lowercase letters
- Multiple numbers placed randomly throughout
- Multiple special characters, such as +-=_*()&^%$£
To improve your business’s password security:
- Enforce a strong password policy (min. 12 characters consisting of a combination of uppercase, lowercase, numerical and special characters)
- Use a unique password for each login
- Change passwords at monthly/quarterly intervals
- Avoid shared passwords
- Implement password management software (such as LastPass)
- Don’t use a browser’s auto-fill function for passwords
- Implement two-factor authentication where possible (most major services now support this, including the likes of Office 365, Google and Facebook)
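The password rules above can be turned into a check that runs before a password is accepted. The following is an added example written for this page, not code from the article or its authors: it flags the predictable mutations listed earlier (capitalised first letter, leet substitutions such as e→3 and a→@, digits or symbols only at the ends, a trailing “!” or “.”, ascending digit runs, variations of “password”) and then applies the 12-character, four-character-class rule with numbers spread through the password. The 12-character threshold is the article’s; the leet table and the sample passwords are constructed for this example.

```python
"""Check a password against the policy described in the article.

Added example, not part of the original article. The thresholds are the
article's (12 characters, multiple characters of each class); the leet
table and the sample passwords below are constructed for this example.
"""
import re
import string

MIN_LENGTH = 12
EDGE_CHARS = string.digits + string.punctuation
# Constructed table of substitutions that cracking tools routinely undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def predictable_patterns(pw: str) -> list:
    """Return the names of the common, easily-guessed mutations found in pw."""
    found = []
    core = pw.strip(EDGE_CHARS)  # the 'word' with any edge padding removed
    letters = re.sub(r"[^A-Za-z]", "", core)
    if len(letters) > 1 and letters[0].isupper() and letters[1:].islower():
        found.append("only the first letter is capitalised")
    if core != pw and not any(c in EDGE_CHARS for c in core):
        found.append("digits/symbols only at the beginning or end")
    if pw[-1:] in ("!", "."):
        found.append("ends with '!' or '.'")
    deleeted = core.translate(LEET)
    if deleeted != core and deleeted.isalpha():
        found.append("leet substitutions (3->e, @->a, ...) on a plain word")
    if "password" in pw.translate(LEET).lower():
        found.append("variation of the word 'password'")
    for run in re.findall(r"\d{4,}", pw):
        # any window of four consecutive ascending digits, e.g. 4567
        if any(all(int(run[k + 1]) == int(run[k]) + 1 for k in range(i, i + 3))
               for i in range(len(run) - 3)):
            found.append(f"ascending digit sequence '{run}'")
    return found


def policy_violations(pw: str) -> list:
    """Return the article's policy rules that pw fails."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase letters": str.isupper,
        "lowercase letters": str.islower,
        "numbers": str.isdigit,
        "special characters": lambda c: c in string.punctuation or c == "£",
    }
    for name, test in classes.items():
        if sum(1 for c in pw if test(c)) < 2:
            problems.append(f"fewer than two {name}")
    # "numbers placed randomly throughout": at least one digit that is
    # neither leading nor trailing.
    if not any(c.isdigit() for c in pw.strip(string.digits)):
        problems.append("numbers only at the ends, not spread through the password")
    return problems


def is_acceptable(pw: str) -> bool:
    """A password passes only when both checks come back empty."""
    return not policy_violations(pw) and not predictable_patterns(pw)


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("P@ssw0rd123!", "Summer1!", "Abc456789xyz", "kT4&vm9Lq2#Wpz"):
        print(sample, "->", "OK" if is_acceptable(sample) else "rejected")
        for msg in policy_violations(sample) + predictable_patterns(sample):
            print("   ", msg)
```

The two checks are deliberately separate: `policy_violations` is the enforceable rule set, while `predictable_patterns` explains why a password that technically satisfies the policy (P@ssw0rd123! has 12 characters and all four classes) would still fall to a rule-based cracking run. A password manager generating random strings, as the article recommends, passes both.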
Mobile Device Security
Device security is becoming more of a concern as more employees use company mobiles and tablets on the go and bring personal devices into the work environment.
Cloud services that enable remote working now often allow employees to connect to the business network remotely through multiple devices, which presents cyber security risks for the business.
Sensitive information is now accessible to employees in a wide range of new environments and situations so the likelihood of it accidentally being sent to unauthorised personnel is much higher.
With the huge popularity of mobile devices ever increasing, hackers are now targeting these devices with successful malware attacks.
Lost or stolen devices need to be wiped as soon as possible to protect the sensitive business and personal information they can access.
Using unsecured public WIFI networks can also put these devices at risk of being hijacked by malicious users on the same network.
Simple steps for keeping mobile devices secure:
- Set a PIN.
- Utilise the option to wipe devices after a specified number of unsuccessful login attempts.
- Set up disk encryption on your Android and iOS devices.
- Use Find My iPhone/Android Device Management: There are several options available to help locate lost or stolen devices through GPS.
- Use antivirus and malware scanners and keep them up to date.
- Never use public WIFI networks.
Secure Web Browsing
Safe browsing is also an important part of cyber security. Here are some guidelines to help you promote safe browsing in the office:
- Only download information from websites that are 100% trusted
- Avoid dodgy or suspected websites altogether
- Look for the https:// rather than the http:// on websites so you know the connection is secure
- Even if a website uses https://, be wary of downloading anything: a firewall without DPI-SSL (TLS inspection) cannot scan encrypted downloads
- Ensure the website you are on is the correct website and not a fraudulent site; check the domain name
- Don’t click on links sent to you via email. Instead, visit the website yourself through your browser and find the page that way
- Don’t click on pop-up ads
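Both the phishing rule earlier on this page (the host before the first single slash must be, or end in, your domain) and the “check the domain name” guideline under Secure Web Browsing come down to the same test, which can be automated. The following is an added example written for this page, not code from the article or its authors; it uses only Python’s standard library, and the trusted-domain list and the sample URLs are constructed for the example.

```python
"""Decide whether a URL really belongs to a trusted domain.

Added example, not from the original article. It implements the rule
"the part before the first single slash must be, or end in, your domain"
using urllib.parse. TRUSTED_DOMAINS is a constructed sample list.
"""
from urllib.parse import urlsplit

# Constructed sample: domains the business considers legitimate.
TRUSTED_DOMAINS = ("domain.ie", "bankofireland.com")


def _with_scheme(url: str) -> str:
    """Prepend http:// when the scheme is missing, so urlsplit finds the host.

    Without this, 'bankofireland.com.dummy.com/login' would be parsed as a
    path with no host at all.
    """
    return url if "://" in url else "http://" + url


def hostname_of(url: str) -> str:
    """Return the lower-cased host of a URL (userinfo, port and path removed)."""
    host = urlsplit(_with_scheme(url)).hostname or ""
    return host.rstrip(".").lower()


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host IS a trusted domain or is a subdomain of one.

    Matching the suffix after a dot is what defeats look-alikes such as
    'bankofireland.com.dummy.com' (really dummy.com) and
    'bankofireland.com.ie' (a different registered domain).
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'insecure' (trusted host but not https) or 'suspect'."""
    if not is_trusted_host(hostname_of(url), trusted):
        return "suspect"
    scheme = urlsplit(_with_scheme(url)).scheme.lower()
    return "trusted" if scheme == "https" else "insecure"


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in (
        "https://www.bankofireland.com/login",
        "bankofireland.com.dummy.com/login",
        "https://bankofireland.com@evil.example/login",
        "http://intranet.domain.ie/payroll",
    ):
        print(f"{sample:50} -> {classify_url(sample)}")
```

The point the example makes is that a brand name appearing somewhere in the URL proves nothing; only the host, read from the right-hand end, decides who the page belongs to. The third sample shows why the userinfo part before an `@` is discarded: the browser connects to what follows it.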
Cyber Security Tip Sheet
If you found these tips useful, why not download this free Cyber Security Tip Sheet poster for your office? And don’t forget, if you ever need assistance with your business’s IT support or IT security, our team can help.