The biggest cyber security threat that businesses have to tackle is much closer than you’d think. Verizon’s 2022 Data Breach Investigations Report found human error to be a key driver in 82% of breaches. That is why it is crucial for businesses to address cyber security awareness in the workplace and ensure that employees are equipped with the right guidance and resources to help minimise the risk to the organisation.
When it comes to cyber security, engaging your workforce can be difficult, so focusing on simple but effective best practices is key. Here are 10 behaviours to encourage among your colleagues to best tackle rising cyber threats.
Be an Email Sceptic
According to Cisco’s 2021 Cyber Threat Trends Report, phishing is responsible for 90% of attacks. Social engineering tactics are designed to fool humans, so if we consider that human error is the number one cause of cyber incidents, it makes sense that methods like phishing are among the most popular for hackers. It’s therefore vital that business employees are wary of emails coming into their inbox and always err on the side of caution.
Advice for your employees:
If you receive an email asking you to click on a link, always check the spelling of the URL and the sender's email address to see if it's genuine. It is also wise to consider the language style of the email. If it has a tone of urgency or contains a lot of grammatical errors, you should be very hesitant about opening any links or attachments. If you suspect a phishing email, report it to the security team.
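The checks above (does the sender's address match the name it displays, is the sender or link domain a misspelling of the company's real domain) can also be automated for the security team that receives the reports. The following is an added example in Python, not code from the original article; the trusted domain and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain the organisation legitimately mails from (hypothetical, constructed for this example).
TRUSTED_DOMAINS = {"example-corp.com"}
# Constructed sample of a reported message: lookalike sender domain and lookalike link.
SAMPLE = """From: "Example-Corp IT Helpdesk" <helpdesk@examp1e-corp.com>

Your password expires today. Sign in immediately at
https://login.examp1e-corp.com/reset to keep access.
"""

def edit_distance(a, b):
    # Levenshtein distance: a typo-squatted domain is usually one or two edits from the real one
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    # Compare only the registrable part: login.examp1e-corp.com -> examp1e-corp.com
    domain = ".".join(host.lower().split(".")[-2:])
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def triage(raw):
    # Apply the section's manual checks to one raw message and return a list of findings
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    findings = []
    for trusted in TRUSTED_DOMAINS:
        # Display name borrows the company name while the real address lives elsewhere
        if trusted.split(".")[0] in display.lower() and sender != trusted:
            findings.append(f"display name suggests {trusted} but sender is {sender}")
    if lookalike(sender):
        findings.append(f"sender domain {sender} resembles {lookalike(sender)}")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if lookalike(host):
            findings.append(f"link host {host} resembles {lookalike(host)}")
    return findings
```

Running `triage(SAMPLE)` returns three findings for the constructed message, while a mail from `alice@example-corp.com` with no links returns none.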
Use MFA
Using Multi-Factor Authentication (MFA) adds an additional layer of security, making it harder for an attacker to gain access. There have been cases where simply using MFA would have prevented an entire data breach. Companies should aim to standardise MFA across company platforms and accounts.
Advice for your employees:
MFA may seem like an inconvenience, but that extra step in the login process can make the difference in protecting your identity. You may have noticed that many public providers, such as Gmail, have implemented MFA on their service for most of their subscribers. You should use MFA wherever you can. It is also important to note that your MFA codes should never be shared with anyone, as attackers may also use social engineering techniques to trick you into sharing an MFA code to impersonate you.
Update Applications When Prompted
Outdated software is another attractive target for attackers. A patch management program is part of a mature security practice, and it should cover all assets within the organization. The patching schedule should be planned in advance, while still allowing out-of-cycle patching for urgent releases.
Advice for your employees:
Cybercriminals often take advantage of out-of-date software, so update reminders shouldn’t be ignored. As an organization, it is important for us to periodically update the software and hardware that keeps the business running. This may create a slight inconvenience, but it is necessary to keep the business safe.
Patching is also important for your personal protection. For example, a recent flaw in the Apple operating system could allow an attacker to take full control of your smartphone. The only way to prevent this exploit is to update your smartphone with the recommended patch. These updates include critical security patches designed to address vulnerabilities that may otherwise be exploited.
Generate Strong Passphrases
The old days of unmemorable passwords have been superseded by passphrases. If your organization has not yet adopted a passphrase approach, there are still some standard practices that can protect old-style passwords. Password complexity rules need not be the only protective mechanism: your systems can also be protected by adhering to strict password history, reuse, and reset requirements. Your company should have a password policy outlining password guidance and expectations. The policy should be read and acknowledged by employees, and should be part of the new employee onboarding process.
Advice for your employees:
Air bags and seat belts add to your safety in a car, but you still have to drive defensively. Similarly, Multi-Factor Authentication is important for protecting your identity, but it is only one piece of a defensive security posture. While the expectation to create long passphrases can be a source of irritation, it’s hugely important for minimising cyber risk.
Passphrases should be unique and never shared. Password managers are the most effective, inexpensive tool if you struggle with password creation or keeping track of passwords.
Beware of Public Wi-Fi
With the rise of remote working over the last couple of years, we’ve had to pay special attention to certain threats and introduce new security measures and best practices. The organization should have a tightly controlled Wi-Fi system, with a guest network for those who do not need to access company resources. Personally owned devices should be segmented from the corporate network, unless the device has met the organization’s security standards.
Advice for your employees:
If you’re working outside the office, you should be wary of the Wi-Fi networks you connect to. Free public networks are usually not particularly secure, since they don’t require any authentication to establish a connection. This means that malicious actors have the ability to intercept the data you’re putting out onto the internet, like emails, payment information, or credentials. These unprotected networks can also be used to distribute malware, compromising any connected unsecured devices.
If you’re working away from your company network, it’s best practice to use a Virtual Private Network (VPN) which will establish a secure, encrypted connection between your device and the internet.
Avoid Using Company Devices for Personal Use
Advice for your employees:
Allowing crossover between work and personal use on company devices is poor security practice: the websites and applications you use in your personal time may not meet the standards set for the organization, which puts the company at risk if you’re on the company network. It’s therefore best to keep any online browsing and social media activity to your own devices, using cellular data or the guest network.
Similarly, while social media might seem entirely separate from your working life, the information you disclose on these networking sites can be used by criminals in various ways which may indirectly affect you, as well as your company. For example, if you’re using the same credentials in multiple places, those other accounts can be compromised, giving bad actors access to corporate data.
Many cellular providers also offer free device protection, which should be enabled on your personal device. Also consider using a secure, privacy-focused browser to further protect yourself.
Avoid Shadow IT
Shadow IT remains a challenge for many organizations. Employee education is only the first step in combatting this problem. Various tools exist to help prevent data leakage caused by Shadow IT. All software and devices should be audited and approved, especially if the organization allows a BYOD policy.
Advice for your employees:
Shadow IT refers to the use of applications and other software that hasn't been pre-approved by your company’s IT department or provider. This is dangerous, as these may fall below security compliance standards. If you’re surreptitiously using any unapproved technology, IT won't have the visibility to be able to detect any threats that might surface. While having to seek approval for every application or device you want to use may obstruct productivity, if they aren’t secure, they can be risky for the whole company.
Always Lock Screens
Screen locks are a simple way to prevent unauthorized use and potential privacy violations. Automated lockout times should be approved by senior management within the organization.
Advice for your employees:
Cyber security isn’t all about online behaviours. Whether in the office or at home, it's always advisable to lock your computer screen whenever you leave it unattended, to prevent unauthorised personnel from accessing your account and to protect confidential information.
Be Curious
Curiosity is one of the best motivators there is. If you work to make your employees curious about cybersecurity, it acts as a force multiplier. The best way to build interest in cybersecurity is through open, candid communication. Don’t allow security knowledge to be hoarded as a specialist secret.
Advice for your employees:
Cyber security may seem like it’s just a job for your company’s IT team, but every employee can contribute to an organisation’s security posture. Take the time to speak to your IT team and find out what more you could know, and what actions you can take to keep your company, as well as your personal information secure. After all, your data is held within the organisation too, so it’s in everyone's best interest to do their part to defend against cyber attacks.
About the Author: Clive Madders is CTO and Chief Assessor at Cyber Tec Security. He works directly with businesses going through the Cyber Essentials certification process. With over 25 years of experience in the cybersecurity industry, he has built up an extensive repertoire, delivering managed ICT support services, Cyber Essentials certifications, and advanced security solutions to help improve the cybersecurity maturity of businesses across the UK.
Twitter: @_cybertec
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.