It’s not surprising that the #1 resource to keep your organization safe from cyber attacks is… your employees! Your employees are your main line of defense against hackers.
Cyber attacks can destroy your business. It’s important to invest in your best line of defense: your employees. Engaging your employees with education while protecting their mobile devices and endpoints could be the most important piece of your security strategy.
How to Keep Your Organization Safe From Cyber Attacks
Since an ounce of prevention is worth a pound of cure, at Cybriant, we always recommend having the right people, products, and processes in place to combat hackers. Our all-in-one cybersecurity service, PREtect, has all the tools you need to maintain a positive security posture.
By engaging your employees in understanding the importance of being aware of potential cyber threats, you are already ahead of the game. In fact, Reddit user mustaffaofberne had an interesting concept that helped take their “users who fall for phishing attempts” count down to zero.
After years of training, reminders, examples and such that users have basically ignored, the IT department stumbled on a trick that seems to work. About 9 months ago a user submitted a ticket questioning a suspicious email, and IT replied telling them “good job, you get a star!”. An email was sent out to the entire company letting everyone know about the phishing attempt and that the user had been awarded a star (the emoji of a star, nothing else). Since then, users have been reporting every phishing attempt, bragging about how many stars they’ve gotten, debating about how stars should be able to be traded for pay raises or at least Schrute Bucks. It is literally just an emoji in an email, but everyone tries to get them.
It’s a great idea to get your employees involved and rewarded when they discover phishing attempts. Here are additional ways to keep your organization safe from cyber attacks by using corporate policies and best practices.
Keep Your Organization Safe from Cyber Attacks: BYOD Policies
Bring Your Own Device (BYOD) policies are becoming more prevalent as employees demand their choice of phone and a reduction in the number of devices they need to carry. But with the popularity of BYOD, you may not be completely prepared for the security problems that arise with the increase in mobile devices.
Consider a Mobile Risk Assessment to get a baseline understanding of the risk facing your mobile users. Mobile devices present a uniquely challenging landscape for security professionals and businesses alike. Cybriant’s Mobile Security Assessment considers every avenue and aspect in which risk may present itself and provides recommendations to address these challenges.
Corporate infrastructures have been venturing into the BYOD (Bring Your Own Device) world for years, often without knowing it. Conditional access restrictions are often not in place to prevent access to corporate data such as email, SharePoint, calendaring, corporate contacts, etc. And even where conditional restrictions do exist, mobile threat defense software may not be present or used on the device.
However, companies will often stringently safeguard their corporate laptops and desktops with MDR solutions, SIEM agents, and vulnerability management solutions. The difference in approach between BYOD and corporate-managed devices is perplexing, because both can often access the same confidential data, yet the BYOD device has none of the same safeguards. With the recent string of major vulnerabilities discovered in both the Android and Apple iOS ecosystems, it should be obvious that any device that can access corporate data is a legitimate avenue for attack.
Consider our Mobile Threat Defense to protect your mobile users.
Employee Security Awareness
With a little training and a lot of awareness, you and your employees can keep your organization safe from cyber attacks and prevent thieves from accessing your financial data, customer records, and proprietary information.
Drill yourself and your employees in the following practices, and you will take a giant leap forward in protecting your company. All of these guidelines are actionable without buying any additional software. Make it clear that you practice these guidelines yourself, and you are likely to get buy-in on keeping information safe.
Passwords on Work Computers
Passwords are your greatest point of vulnerability. If a malicious person obtains a password, your entire network is at risk.
Here are some best practices:
- Keep your passwords to yourself. Don’t share them with coworkers, family, or friends. Don’t even share them with the company. No company communication of any kind will ever ask for your password. If you receive such a communication, notify the appropriate security person immediately.
- Do not use the same passwords for work and personal email accounts.
- Use passwords that no one could guess but that you can remember easily. Never write them down and don’t send them in an email. Use the guidelines for creating exceptional passwords below.
- When websites ask if you want to have your password remembered, select “no.” A cyber attacker on that site could get your password and then get into your work email account.
- If you notice unusual activity or suspect your password is no longer secure, change it immediately. Do not just add a “1” or an “a” to the end of it. Create a brand-new password.
- Change your passwords every three months, even if you don’t notice any suspicious activity.
Techniques for Creating Exceptional Passwords
A password should contain eight characters or more and should use special characters that are neither letters nor numbers, such as exclamation points. Also, use a combination of uppercase and lowercase letters.
- Use a passphrase instead of a password. Select a phrase that you can remember, such as, “I never learned how to swim.” Add punctuation that you can remember as well.
- Replace words that describe numbers with the actual numeral. “I was 7 when I first rode a horse.”
- Create acronyms. Take the first letter of the words in a phrase to make a password. “I was seven when I first rode a horse” becomes “iwswifrah”.
- Try secret codes. Create your own rules, such as adding a dollar sign before numbers or following capital letters with a percent sign. Applied to a phrase, those two rules might look like this: “I% never went to public school until I% was $5.” This is just an example. Create rules you can remember.
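The four techniques above, encoded as a short script, as an added example that is not from the original post; the function names, the small number-word table and the policy check (eight or more characters, a special character, mixed case, as this section states them) are my own assumptions about how to write the rules down.

```python
import re

# Word-to-numeral table for the "replace words that describe numbers" technique
# (a constructed, deliberately small table).
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def numerals(phrase: str) -> str:
    """Swap spelled-out numbers for digits: 'I was seven ...' -> 'I was 7 ...'."""
    return re.sub(r"\b[A-Za-z]+\b",
                  lambda m: NUMBER_WORDS.get(m.group(0).lower(), m.group(0)), phrase)

def acronym(phrase: str) -> str:
    """First letter of every word, lowercased: the 'iwswifrah' technique above."""
    return "".join(w[0].lower() for w in re.findall(r"[A-Za-z0-9]+", phrase))

def secret_code(phrase: str) -> str:
    """The example rules above: '%' after each capital letter, '$' before each number."""
    marked = re.sub(r"[A-Z]", lambda m: m.group(0) + "%", phrase)
    return re.sub(r"\d+", lambda m: "$" + m.group(0), marked)

def policy_failures(candidate: str) -> list:
    """Return which of this section's stated requirements the candidate misses."""
    failures = []
    if len(candidate) < 8:
        failures.append("fewer than 8 characters")
    if not re.search(r"[^A-Za-z0-9\s]", candidate):      # neither letter nor digit
        failures.append("no special character")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        failures.append("not mixed case")
    return failures

if __name__ == "__main__":
    phrase = "I was seven when I first rode a horse"
    for candidate in (numerals(phrase) + ".", acronym(phrase), secret_code(numerals(phrase))):
        print(f"{candidate!r}: {policy_failures(candidate) or 'meets policy'}")
```

Note that the bare acronym fails two of the section's own requirements, which is why the text recommends adding punctuation or a secret-code rule on top of it.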
Security on Mobile Devices
If you use a smartphone or tablet to access your work files and services, use passwords on these mobile devices, and preferably two-factor authentication. Mobile devices have become a hot topic regarding how to keep your organization safe from cyber attacks. Not only are mobile devices susceptible to being lost or stolen, but we also tend to click on more phishing attempts on our mobile devices than on our employer-owned devices.
Use different passwords on mobile devices than you use on laptops or computers.
Check your device’s security or setting features to see if you have the ability to use any of the following:
- Lock or Timeout: Set how long the device may sit idle before it locks. This is a good safeguard for those times when the device sits idle, such as when it has been lost or stolen.
- Passcode for Unlock: Require a password to unlock the mobile device.
- Fingerprint Reader: Some phones and tablets offer fingerprint recognition. Using this option helps prevent access even if someone has stolen your password.
- Data Erase: Set your device to erase all data after a predetermined number of failed log-in attempts.
- Remote Locate and Wipe: Some mobile devices not only let you locate them through GPS (Global Positioning System) but also let you erase all their data remotely from another computer.
Email Best Practices
Staying alert when handling email can prevent many cyber security breakdowns. Make sure your employees follow these best practices regarding email:
- Log out of your email account when you are not using it. Leaving it open and unattended creates opportunities for hackers.
- If you have the ability to create your own email address, make it complex.
- Tell someone about any suspicions you have regarding email hacking, even if you are not sure.
- From time to time, select new security questions.
- Don’t put your password anywhere on the internet, including cloud services.
- Keep password clues to yourself. Sharing clues to your password can be as dangerous as sharing your password.
- Treat attachments from unknown senders as off limits.
- Look at the list of people receiving your email when you use “reply all.” Any suspicious addresses could be someone trying to get your email address.
- Use a junk email account to sign up for special offers. Don’t give out your work email address to random sites.
- Report spam, don’t respond to it. Replying to a spammer confirms that your address is active and gets you on a list of people they contact regularly.
- Install the updated versions of your email program and browser. The latest versions often have new security features built in.
Some con artists try to get your information through phishing emails. These are official-looking emails that ask for information such as passwords, account numbers, or other information that could make access to company accounts easier.
You are often urged to act quickly to resolve an issue, and in doing so, you may hand over log-in codes and other company access secrets. The sender is trying to scare you into giving out vital information.
Below is an example of an actual phishing email.
Fri 3/18/2016 3:00 AM
This message was sent with high importance.
Dear (Your Company Name) Email User.
You have exceeded its mailbox set limit by System Administrator and you will have problem in sending and receiving emails until you increase your mailbox quota.
Click here to increase quota.
Otherwise, you will have limited access to your mailbox. if not updated within 12hours your account will be permanently closed. Click here now
Here are some reasons you should immediately be suspicious of this email.
- The name of the sender is unfamiliar. The person has no official title or contact information.
- The email does not have the company logo or any other branding information. (It most likely does not look like other company emails in terms of color or format.)
- The signature does not list a person but instead gives a vague department the recipient probably never heard of.
- The threat of closing the account is unrealistic.
- There are often spelling, grammar, or punctuation errors. (In this case, “12hours” is not spaced correctly and “if” should have been capitalized.)
- Clicking on any of the links will take you to a page where secret information is asked for.
Never comply with these emails, and do not click the links. If you do click the links and discover your mistake, report the incident immediately.
Most importantly, never respond with any log-in information, account names, numbers, or passwords. No company will ask for such data in an email.
Read more: “Cybriant CTO: Analysis of a Phishing Email”
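A small indicator check that encodes the warning signs listed above, as an added example rather than anything from the original article. Both messages are constructed (the first mirrors the quota email quoted above), and the rule set, the point threshold and the function names are my own assumptions.

```python
import re

# Constructed samples: the first mirrors the quota-warning message quoted above,
# the second is an ordinary internal email for comparison.
SAMPLE_PHISH = """Dear (Your Company Name) Email User.
You have exceeded its mailbox set limit by System Administrator and you will have
problem in sending and receiving emails until you increase your mailbox quota.
Click here to increase quota.
Otherwise, you will have limited access to your mailbox. if not updated within 12hours
your account will be permanently closed. Click here now"""

SAMPLE_BENIGN = """Hi Dana,
Attached are the Q3 numbers we discussed. Let me know if anything looks off.
Thanks,
Sam Ortiz, Finance"""

# Each rule is (reason, pattern); a match adds one point to the score.
RULES = [
    ("generic greeting, no named recipient",
     re.compile(r"^Dear\b.*\b(user|customer|member)\b", re.I | re.M)),
    ("urgency or threat of account closure",
     re.compile(r"\b(within \d+\s*hours?|immediately|permanently closed|limited access)\b", re.I)),
    ("vague 'click here' link text", re.compile(r"\bclick here\b", re.I)),
    ("asks about credentials or account settings",
     re.compile(r"\b(password|quota|verify your account|update your account)\b", re.I)),
    ("number fused to its unit, e.g. '12hours'", re.compile(r"\b\d+(hours?|days?|minutes?)\b", re.I)),
    ("sentence starts with a lowercase letter", re.compile(r"[.!?]\s+[a-z]")),
]

def phishing_indicators(body: str) -> list:
    """Return the reasons (from RULES) that fire on this message body."""
    return [reason for reason, pattern in RULES if pattern.search(body)]

def is_suspicious(body: str, threshold: int = 3) -> bool:
    """Flag a message once enough independent indicators fire (the threshold is an assumption)."""
    return len(phishing_indicators(body)) >= threshold

if __name__ == "__main__":
    for name, body in (("quota email", SAMPLE_PHISH), ("finance email", SAMPLE_BENIGN)):
        verdict = "SUSPICIOUS" if is_suspicious(body) else "ok"
        print(f"{name}: {verdict} {phishing_indicators(body)}")
```

Every one of the six rules fires on the quota email and none fires on the finance note; in practice such heuristics supplement a user’s report, they do not replace it.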
Locking Devices When You’re Away
If you leave your computer open while going to lunch, or leave your phone on your desk when you go to a meeting, you are allowing anyone who passes by to have access to your device. Think about this: since you are already logged in, they won’t even need your user name or password to see the information.
Lock your device when you leave it, even for a few moments. Don’t rely on the device’s automatic locking feature. It could take too long. Anyone who touches your keyboard can keep your computer, phone, or tablet from timing out.
To lock a Windows computer, hold down the Windows key and the L key at the same time. Alternatively, press Ctrl, Alt, and Del together and choose the Lock option on your screen.
To lock a Mac OS X device, hold down the Control, Shift, and Eject (or Power) keys together.
Locking your devices does not mean you are suspicious of coworkers; it means you are security-conscious and recognize that you are responsible for the data you possess.
Security When Working Remotely
Employees who work remotely must take extra precautions to remain cyber-safe.
If you log in to your company system through a VPN (Virtual Private Network), you can access the same data you have access to at work. However, if your computer has spyware, you could inadvertently expose company information. Spyware allows an outsider to transfer information from your hard drive. For that reason, you should never access the company network from a computer that lacks virus and spyware protection.
Your Wi-Fi access should also be password-secured. If you don’t require a password to access your Wi-Fi, any neighbor or passerby who taps into your wireless signal can see everything you are doing online. Don’t use public Wi-Fi for work communications. Hackers routinely search public Wi-Fi for computers they can break into.
Finally, when you have a choice, use WPA security for your wireless network; it provides a much higher level of protection.
Cybriant’s CTO created the “Remote Workers Guide” at the beginning of the COVID-19 pandemic, when we were forced to move our operations to a remote environment. Download it to see the best practices and policies we used at Cybriant to maintain top-level security while working from home.
Your employees are the best resource to keep your organization safe from cyber attacks. Gamifying your cyber protection, as in the example above where employees received ‘stars’ when they reported phishing, is a great idea. But for a more complete cybersecurity solution that will help you sleep at night, consider a 24/7 security monitoring service like PREtect, which monitors your SIEM and endpoints and even manages your patch and vulnerability scanning. Learn more here: https://cybriant.com/pretect/