Security and IT teams know all about the dangers of cybercrime, phishing, business email compromise and malware, and they know the importance of practicing good cyber hygiene. But how well do the rest of your staff know and practice the basics of safe computing? How widely known and used are basic security practices in your organization? In this guide, we outline 11 essential things all your staff should know and should be doing; it is essential that they adhere to the following key points.
Don’t Let Others Use Your Work Computer
In many environments, whether it’s hotdesking or a request by a regular colleague to “just send a quick email”, the number one sin is allowing another person to use your work computer, especially unsupervised. It might sound strange to some – ‘why would you ever do that?’ – and not to others – ‘he sits next to me every day, he’s trustworthy’ – but the fact is unauthorized physical access to your computer puts both you and your organization at risk. There’s a reason why we all have our own account passwords, and that’s not only to protect the company but to protect ourselves.
Always log out when you’re not at your computer, and if someone else does have a legitimate reason to use it, have them log in via their own or a guest account – never yours – and supervise their use.
Don’t Insert Unknown USBs
Another tried-and-tested trick, and still a regular way that penetration testers and criminals open backdoors or load malware onto a network, is the simple malicious USB device. Companies should be using device control, but if they’re not then employees need to practice such control themselves. Any unknown removable media should either be given to IT for clearance first or plugged into a separate air-gapped machine running a trusted anti-malware solution.
Don’t Click Links or Attachments Without Inspecting Them First
Phishing through links and attachments in emails is still by far the most common infection vector for ransomware, backdoor trojans, cryptominers and other forms of malware. Inspecting links and files before you click on them is like washing your hands to prevent transmission of a coronavirus, only the advice is not just to do it ‘frequently’ but to do it always.
To inspect a link, hover over it with the mouse to see whether it points to where you expect it to; copying the link and pasting it into your browser rather than opening it directly from your email client is also a useful habit to get into.
To inspect a file, save it locally without opening it and check that the file extension is what you would expect. Your endpoint should also be protected by a reliable security solution that can recognize and block malicious files on write and on execution. If opening the file results in a request to enable macros, decline the request and contact your IT or security team.
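The two inspection rules above, automated as an added example (this is not code from the original article): one function applies the “hover first” check to the links in an HTML email body, comparing the domain the display text shows with the domain the href really points to, and a second checks an attachment name for an executable or double extension. The extension lists and the sample email body are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Added example, not the article's code. Illustrative lists: extensions Windows
# executes on double-click, and extensions a user expects for a document or image.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar", "msi", "lnk"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})")  # hostname-looking display text

def registrable_domain(host):
    """Crude 'last two labels' reduction, enough to compare shown vs. real target."""
    return ".".join(host.lower().split(".")[-2:])

def link_findings(html):
    """The 'hover first' check, automated: report links whose href does not go
    where the display text suggests, plus punycode hosts worth a second look."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop nested tags
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope here
        host = url.hostname or ""
        shown = HOST_RE.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((text, href, "display text names a different domain than the href"))
        if "xn--" in host:
            findings.append((text, href, "punycode host: check for look-alike characters"))
    return findings

def attachment_findings(filename):
    """Flag a name whose real (final) extension is executable, or is hidden
    behind a document-looking one, e.g. 'Invoice.pdf.exe'."""
    labels = filename.lower().split(".")
    final = labels[-1] if len(labels) > 1 else ""
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append(f"final extension .{final} is executable")
    if len(labels) > 2 and labels[-2] in DOC_EXTS:
        reasons.append("double extension: looks like a document but is not")
    return reasons

# Constructed sample: the display text shows one site, the href goes to another.
SAMPLE_HTML = ('<p>Reset here: <a href="http://login.example-secure.test/reset">'
               'https://portal.example.com/reset</a> or see '
               '<a href="https://portal.example.com/help">Help</a>.</p>')

if __name__ == "__main__":
    print(link_findings(SAMPLE_HTML))
    print(attachment_findings("Invoice.pdf.exe"), attachment_findings("report.docx"))
```

The domain comparison is deliberately simple (last two labels), so hosts under country-code second-level domains such as `.co.uk` would need a public-suffix list for accurate results.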
Don’t Skip 2FA or Reuse Passwords
For criminals, passwords are a passport to your – and your company’s – most sensitive assets. While some organizations are starting to move away from relying on passwords, the day when they won’t be the main way to authenticate a person’s identity is still far away. Credential theft is high on every attacker’s agenda, but there are simple steps that you can take to plug this hole for the vast majority of attacks.
First, enable 2FA or MFA on all accounts that support it. Time-based one-time code generators like Google Authenticator and Microsoft Authenticator should be in use wherever possible. On top of that, use a password manager to ensure you are generating unique passwords for each account, which limits the damage of any single breach, and sign up to a service like Firefox’s breach notification for all your email addresses if your password manager does not include a similar feature.
Don’t Use Open Public WiFi Hotspots
While we all need internet service while on the move, when you are not at home or the office you should tether your laptop to your phone’s personal hotspot and use your mobile carrier’s data connection instead. Public WiFi is inherently insecure because it allows anyone else using the same network to sniff your traffic. If for some reason you cannot avoid using an unprotected public WiFi network, ensure that you are using encrypted mail, messaging and browser tools to limit what an attacker can learn from your network traffic. And never, ever, conduct things like payment processing or banking while connected to a public WiFi hotspot.
Don’t Mix Work and Play
Company policy should mandate that your work devices are used for nothing other than work tasks; if it does not, or you have been ignoring that policy, you should immediately separate all work and personal computing activities and data. This is not only for your company’s protection but for yours also: most companies will have a no-privacy policy covering any data or activities on your work device.
Don’t Transfer Company Data To Personal Devices
Just as important as not conducting personal business on company-owned property is the inverse: not using your personal devices to conduct company business. Never store sensitive (or, ideally, any) enterprise data on your personal device, which almost certainly lacks the same security, encryption and oversight as your workplace computer or smartphone. Your personal devices, for example, may contain insecure applications or device settings that could make your company’s data vulnerable to theft.
Conclusion
Enterprise security isn’t rocket science. The vast majority of breaches occur because one or more of the above practices have been ignored. Giving threat actors a hard day at the office doesn’t require a degree in cybersecurity, just awareness and practice of basic principles that apply whether you’re working remotely from home, in an open-plan cubicle space or in the corner office on the top floor.