8 Cyber Security Tips Your Employees Need to Practice in the Workplace
Incidents of cyber crime are escalating at an alarming rate.
It is estimated that the global cost of cyber crime will top $2 trillion in 2019. And it’s not just large companies and government institutions cyber criminals are after. In fact, it is small business that have become the favourite target of cyber criminals. According to Verizon’s 2018 Data Breach Investigation Report, 58% of malware attack victims are categorized as small businesses with over 70% of cyber attackers deliberately targeting small businesses.
Among the many factors that contribute to data breaches, 27% are caused by human error—employees who unwittingly respond to malicious emails or fall victim to other types of malware attacks. So, while people are a company’s biggest asset, they can also be an organization’s largest security vulnerability.
The key to reducing this vulnerability is training and educating your employees on proper computer and information security.
Are your employees putting your data at risk? Keep reading to learn the top IT and cyber security tips all your employees should know (and follow)!
Top Cyber Security Tips You Should Be Teaching Your Employees
- Create Strong Passwords (lots of people had dogs named Chester)
- Use Multifactor Authentication (an exponential increase in security)
- Learn to Recognize Phishing Scams (cut the bait and run!)
- Be Cautious of Software Downloads (always question a free lunch)
- Use Multiple Lines of Communication (it’s nice—and safe—to hear a voice)
- Don’t Ignore Application Updates (they’re more important than you might think)
- Stay Off Public WiFi (use an envelope, not a postcard!)
- Beware Social Engineering (don’t let them in your head!)
One person’s weak password has the potential to compromise not only an entire organization’s data, but also the data of the company’s clients, suppliers, and partners. So it’s amazing how many people use totally vulnerable passwords. Every year, SplashData publishes a list of the top 100 worst passwords, and every year, passwords like 12345, 123456, 12345678, and “password” all top the list.
Your company (and its employees) need to be smarter than this. Come up with passwords that are at least eight characters long—the longer the better. Encourage employees to choose something specific to them (but not their name). Add numbers and at least one special character in the middle. Stay away from pet names, children’s birthdays, and other things that may be posted on employee’s social media profiles—the bad guys will be looking for this. Follow these simple best practices and your company be way safer than most.
Pro Tip: With so many passwords to remember, consider using a password manager like LastPass, 1Password, or Keeper.
The more barriers put in place, the more difficult it will be for hackers to infiltrate your data infrastructure. That is the idea behind multifactor authentication, or MFA.
MFA combines two or more independent credentials: what the user knows (like a password), what the user has (like a security token), and what the user is (a biometric verification like a fingerprint).
MFA creates a layered defense that makes it more difficult for cybercriminals to get into targets like computing devices, networks, and databases. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
Standardizing multi-factor authentication across all of your company’s platforms should be a priority.
Some examples of MFA are:
• Swiping a card and entering a pin.
• Logging into a website and being asked to enter an additional one-time password (OTP) that the website’s authentication server sends to a phone or email address.
• Swiping a card, scanning a fingerprint, and answering a security question.
Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company asking users to provide sensitive information. If deceived, an employee could grant the attacker access to all sorts of valuable data—so it is essential to teach your employees how to spot such an attack.
Here are a few things the IT department should train your employees to be on the look-out for:
The Displayed Name in the Email – a name displayed in the “from” box does not guarantee that this is the sender.
Suspicious Links (Don’t Click!) – If the web address you see when you hover over the link doesn’t seem to match the sender, be careful. And be wary if an email directs you to a website asking for a login, as this is the main way the bad guys will steal valid login credentials.
Spelling or Grammar Mistakes – if it doesn’t look or sound right, it’s probably not legit.
Odd Salutations – if the contact usually address you by your first name but the email greets you as “Valued Customer” or “Important Client”, send up a red flag.
Request for Sensitive Information – if asked for information you wouldn’t be comfortable with sharing, pick up the phone and call a known number to verify the request.
Implied Urgency – this scare tactic is designed to get you off-kilter and reply when you normally might not. If someone is threatening to stop a service without an immediate reply, stop and think about it and contact your tech nerd.
Images that aren’t Quite Right – if the images or layout of an email seem a bit off, it’s likely an attempt to fool you.
Suspicious Domains – many malicious emails use a domain that is close to the legitimate domain, but not spot-on. For instance, someone could use Capital0ne.com instead of capitalone.com to try and pull the wool over your eyes.
Non-Standard Attachments – if the attached file is not one you recognize (like .doc for a word file, .xls for an Excel file, or .pdf for a PDF file), be suspicious.
Most people naively believe that software downloads are safe as long as the software itself is from a trusted brand.
In truth, these downloads can pose any number of security risks. What is important to understand is that where a program is downloaded from is just as important as what is downloaded. The internet is full of sites that offer free versions of many recognizable paid programs. But these downloads can contain trojans, spyware, worms, viruses and other types of malware.
To reduce the risk, limit downloads to business machines where possible. Make sure all to run all downloads through antivirus and spyware programs. Put together complete download protocols and make sure your employees understand them. Emphasizing this information security to your employees is all part of instilling a culture of cyber security throughout your company.
Malicious emails don’t always come from strangers. They can appear to come from friends and trusted colleagues.
If anyone sends a request for sensitive information like a routing number or login information, contact the sender on a separate platform to confirm the request. If the request comes by email, call the sender to make sure it’s valid.
The constant reminder windows can be annoying, but they shouldn’t be ignored. These software updates are an important part of maintaining the security of your applications and software.
Hackers know the vulnerabilities of out-of-date devices, so companies need to keep up to date with all the latest patches. Many employees believe that application updates are optional or unnecessary. The truth is, they’re not. They are an important line of defence against new types of attacks.
The work world is changing. Not all employees work from the office. Some work from home and many spend much of their time on the road. Restaurants and cafes have become meeting venues and work spaces. And this means connecting to public WiFi.
The problem is connecting to public WiFi at a hotel, restaurant, cafe, or airport is unsafe! Malicious worms or other forms of malware can transfer from one device to another if they are connected on the same network.
However, sometimes there is no way around it. If your employees must connect to public WiFi, insist they use a Virtual Private Network (VPN) to secure their connection. A VPN encrypts data where the public hotspot does not. Without encryption, when information is sent over the net, it’s like sending a postcard. The mail delivery person can easily see the information it contains. If this person is a bad actor, you can get hacked. On the other hand, when users make a VPN connection, it’s like the postcard is put in a sealed envelope. No matter how hard the mail carrier squints while holding it up to the light, they won’t see what’s in it.
Social engineering refers to a broad spectrum of malicious activities using psychological manipulation to trick users into giving away sensitive information. Perpetrators are particularly patient, waiting in the weeds, collecting data and background information on their intended victims. Then they gain the victim’s trust and provide seemingly harmless reasons for their victims to give up sensitive information.
What makes social engineering so dangerous is that it preys on human error, much more of a wild card—and much harder to track—than taking advantage of vulnerabilities in software and operating systems.
Social Engineering bad guys try to get at users through human psychology and preying on curiosity. It’s important to go into all cyber-situations with your eyes wide open because only the users and employees can counter these attacks.
Here are several tips employees can keep in mind to protect themselves (and your business):
• Do not open any emails from untrusted sources. Sound advice under any circumstances.
• If an offer seems too good to be true, assume it is.
• Lock your laptop whenever you are away from your workstation.
• Make sure your antivirus/malware software is up to date.
• Be vigilant about cyber security.
Keep Your Company Information Secure
Cyber security needs to be everyone’s priority, but it isn’t everyone’s forte. Education, imparting these computer and cyber security tips to your employees, and regular training are essential in creating a culture of cyber security in your workplace.
And if you can’t do it on your own, there is always a Nerd ready to help out! Contact us today for more information on cyber security best practices for employees.