Your company’s cybersecurity is only as strong as its weakest link: your staff members. Breaches that start with an employee aren’t anything new, but they are becoming more and more prevalent, because it’s usually easier to manipulate people than machines.
The problem is easy to identify but hard to solve. Cutting employees off from the web entirely would close the door, but it would also make it impossible for the company to function.
There are many cybersecurity products on the market, but none of them is a 100 per cent solution. The truth is that there is no way to be 100 per cent secure from cyber attacks; expecting that is unrealistic. What is realistic is to get as close to that number as possible.
How can this be done? By educating employees on cybersecurity.
5 Things all staff members need to know about cybersecurity
Involving employees in the company’s cybersecurity protocol converts them from being the source of the problem to being part of the solution. Staff members who know at least the general cybersecurity best practices take a load off the IT managers who are on the front lines of cyber defense. Combine that with the company’s own specific security practices and the result is a more stable company overall: a win-win for the company and the staff.
So, read on and find out exactly what your employees must know to make them part of your company’s cybersecurity solution.
1. Password protection
“Never share passwords.”
This has got to be the best advice anyone can give about password protection. It’s more important than learning how to make strong passwords. After all, a password’s strength counts for nothing once other people know it.
That said, even a well-kept password is useless if a 5th-grader could guess it. This is why it’s best to teach employees best practices for password protection.
First, a password’s strength comes mainly from length, not from how many character classes it mixes. Every extra character multiplies the number of guesses an attacker has to make, whereas swapping letters for look-alike symbols (P@ssw0rd) is undone by the first rule in any password-cracking tool. Have employees build long passwords or multi-word passphrases, adding upper and lower case letters, numbers and symbols where the account allows them. They can test the strength of sample patterns (never a real password, and never one they intend to use: anything typed into a third-party site such as HowSecureIsMyPassword should be treated as disclosed) to see roughly how long a brute-force attack would take, and develop new ones accordingly.
Now, when it comes to remembering many strong passwords, the human mind is simply unreliable. Our brains can’t hold several long, unique passwords without special training.
So how do we solve this predicament? Answer: Use a password manager app.
Requiring employees to use a password manager means their strong passwords are stored encrypted and filled in instantly when needed. The manager’s autofill only offers a saved password on the site it was saved for, which also makes look-alike phishing pages easier to notice. Note that forcing a change every 45-90 days is no longer recommended (NIST SP 800-63B advises against arbitrary periodic rotation); a password should be changed when there is reason to believe it has been exposed, not on a calendar.
Finally, employees should be reminded never to use the same password for more than one account or site, so that one breached site doesn’t unlock the others, and to turn on multi-factor authentication wherever the account offers it.
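To make the length-versus-complexity point concrete, here is a small Python example added to this article (it is not the original author’s code and not the HowSecureIsMyPassword tool). It estimates the work an attacker faces for a few constructed sample passwords in two ways: the brute-force upper bound (length times log2 of the alphabet) and a more realistic estimate that first checks whether the password is just a dictionary word with cheap mangling. The tiny wordlist, the 10 bits of "mangling rules" and the 10^10 guesses-per-second rate are assumptions standing in for a real cracking dictionary, rule set and GPU rig; the sample passwords are constructed for illustration.

```python
import math

# Constructed stand-in for a cracking wordlist (assumption; real lists such
# as rockyou.txt hold millions of entries). Case, trailing digits/punctuation
# and "leet" substitutions are stripped before the lookup, which is exactly
# what the first rules of any cracking tool do.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "summer", "company"}
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
RULE_BITS = 10             # assumption: ~1024 mangling rules tried per word
GUESSES_PER_SECOND = 1e10  # assumption: rough offline rate against a fast hash


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker has to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound: length * log2(alphabet), i.e. a truly random string."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def normalize(pw: str) -> str:
    """Undo the cheap tricks: case, trailing digits/punctuation, leet-speak."""
    return pw.lower().rstrip("!?.0123456789").translate(LEET)


def estimate_bits(pw: str) -> float:
    """Work in bits for a realistic attacker: dictionary first, brute force last."""
    if normalize(pw) in COMMON_WORDS:
        # Index into the wordlist plus the rule budget (assumption).
        return math.log2(len(COMMON_WORDS)) + RULE_BITS
    return brute_force_bits(pw)


def passphrase_bits(n_words: int, dictionary_size: int = 7776) -> float:
    """Diceware-style passphrase: each word picked uniformly at random."""
    return n_words * math.log2(dictionary_size)


def crack_time_seconds(bits: float) -> float:
    """Expected time to hit the password after searching half the space."""
    return (2 ** bits) / 2 / GUESSES_PER_SECOND


if __name__ == "__main__":
    # Constructed samples: two "complex" passwords versus a longer plain one.
    for pw in ["P@ssw0rd!", "Summer2023!", "xkqzmvbtrwplqa"]:
        bits = estimate_bits(pw)
        print(f"{pw:16} brute-force bound {brute_force_bits(pw):5.1f} bits, "
              f"realistic {bits:5.1f} bits, ~{crack_time_seconds(bits):.3g} s")
    print(f"5-word passphrase: {passphrase_bits(5):.1f} bits, "
          f"~{crack_time_seconds(passphrase_bits(5)):.3g} s")
```

Run as is, the script shows that P@ssw0rd! looks like 59 bits to a naive strength meter but falls to about 13 bits once a dictionary and rules are applied, while a 14-character lowercase string that is not a word scores higher than either "complex" sample, and a five-word random passphrase higher still. That is the lesson to teach: length and unpredictability, not symbol substitution, are what make a password expensive to crack.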
2. Sensitive data privacy
Staff members should be taught the value of keeping their personal information private, since this is what bad actors use to further their criminal activity. Private information can be sold or used directly, for example in:
- Identity fraud to file fraudulent tax returns or apply for loans.
- Creating counterfeit credit or identification cards to pay bills or transfer funds.
- Launching spam or phishing emails.
- Blackmail or extortion.
Data privacy should be enforced most strictly for employees in managerial or confidential positions. These employees hold vital company information, or credentials that give access to it; a single stolen credential is what an attacker uses to get a foothold and then escalate privileges.
Employees must remember not to trust unsolicited emails, messages and pop-ups. Under no circumstances should personal (and especially company) information be shared with websites or in reply to messages that the employee did not initiate.
If practicable, employees should be taught how to set up and use the company’s approved VPN service. They could also be required to use a company-approved end-to-end encrypted messaging or email service, such as Signal or ProtonMail, instead of consumer tools of their own choosing.
3. Network safety awareness
The growing trend of employees working remotely has brought productivity gains, but it also means these employees frequently connect to the Wi-Fi networks in coffee shops, airports, hotels or their own homes.
The problem is that public Wi-Fi networks are often unencrypted or shared with strangers, which puts anyone who connects to them at risk. An attacker on the same network can position themselves between the user and the services they use and intercept or alter the traffic without the user noticing; this is called a Man-in-the-Middle (MitM) attack. HTTPS protects the content of most web traffic, but not every application uses it correctly, and the attacker can still see which hosts the device talks to.
Additionally, there is the looming problem of rogue networks (often called evil twins): the network your employees connect to may be a fake with the same or a similar name as the legitimate one. Whoever runs it can log the traffic of everyone who connects.
This is why employees should learn to be aware of the network they are using. They have to ask questions like: Who set up the network? Is it encrypted? What is being logged?
If employees are working while travelling, they should be instructed to always use the company VPN. The VPN encrypts everything between the employee’s device and the company’s VPN gateway, so an attacker on the local network or running a rogue access point sees only encrypted traffic. It does not protect against phishing, malware already on the device, or a rogue network that simply blocks the VPN; if the VPN will not connect, the employee should not work on that network.
4. Identifying possible threats
Developing an eye for possible threats takes time but the payoff is well worth it. At the most basic level, staff members can be taught to practice caution when they observe suspicious activity.
This can include:
- An unsolicited email asking for a donation, a payment or login details.
- A phone call from someone claiming to work at an associate branch and asking for information they should not need.
- An innocent-looking USB thumb drive found on company premises; it should be handed to IT, never plugged in.
Being aware of possible threats greatly increases the chance of preventing them.
5. Threat/breach report procedure
Employees should be trained on how to report threats and breaches: who to contact in IT management, through which channel, and what to include (what they saw, when, and on which device or account).
Also, they should be taught how to react to a threat or breach once they actually find one. They should never try to assess or deal with it by themselves (unless they are the IT staff responsible for it): don’t open the attachment “to check”, don’t delete the email, and don’t wipe or reinstall the device, since that destroys the evidence the responders need.
Finally, they should also be required to request permission from IT management before using their own devices, software or applications for company work; unsanctioned tools sit outside the company’s patching and monitoring.
Staff members are the weakest link in a company’s cybersecurity. This is why they should be trained in at least the basics of cybersecurity.
This is just the tip of the iceberg, though. Employees should be given specific training and ongoing education to improve their cybersecurity knowledge and awareness.