Cybersecurity Starts With Every Employee
by Regina Balistreri, ADD Systems
10 messages to share with each member of your staff
By now everyone is aware of the importance of cybersecurity. Certainly incidents like the Colonial Pipeline ransomware attack brought it to the forefront, creating a sense of urgency among businesses, and rightly so. But for many, it is difficult to know where to begin. Less than half of small to medium businesses have a cybersecurity plan in place, and the rest are likely having trouble getting started. Creating a full plan can be overwhelming, but there is one thing to start doing right now – training employees. With more than 75% of targeted cybersecurity events beginning with a single employee email, training can have a high impact.
“A company can put a great deal of time and effort into a cybersecurity plan, but it still only takes one employee to cause a breach,” shares Andy Katsigiannis, director of IT and customer support at ADD Systems. According to the Small Business Administration, employee emails are the leading cause of data breaches. Employees are on the front lines, and with bad actors using ever-evolving malicious methods, they need to be trained to be on high alert.
Alex Diaz, manager of IT at Bottini Fuel, puts a great deal of effort into training employees. “I can’t emphasize enough how important it is to educate your whole company,” he says. “I remind employees monthly with an email to be aware of suspicious emails with attachments and links. I also advise them to be aware of who they speak to on the phone. The caller will claim to be an Amazon or Apple employee asking for permission to access their computer. Our employees are aware of this scam and if they are concerned about an email or even a phone call, we get notified about it. Employees are very supportive.”
There are plenty of organized training programs, but the education can start now by reviewing a few important tips. Here are the top 10 messages to share with all employees.
1) Be suspicious of email. It is important for employees to slow down when reading email. A reader should make sure the email looks valid. If something looks wrong, does not make sense, or even has multiple spelling errors, instead of responding to the email or opening a link, create a new email to the sender and ask about the validity. You may find that they did not send it, and that it is a phishing attack. Bad actors have gotten very adept at sending emails from real contacts with convincing content.
Be careful of links and attachments in emails as well. Rather than quickly clicking, hover over the link and read the address it actually points to. Sometimes a link is really a disguised download link. If the address does not look like one you recognize, again, email the sender and ask if they sent it. Do the same with attachments. Be especially suspicious of zip (.zip) attachments, executable (.exe) files, or files with uncommon extensions. Opening these files can launch malware.
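The checks in this tip (does the visible link text match where the link really goes, is the link actually a download, is the attachment a risky or uncommon file type) can be automated for a training exercise or a mailbox triage script. The following is an added example written for this article, not code from ADD Systems or any vendor named here; the lists of risky and common extensions beyond .zip and .exe, and the sample email body and attachment names, are constructed for the demonstration. It also applies the https rule from tip 4 to every link it finds.

```python
"""Flag the email red flags from tip 1: mismatched link text, disguised downloads,
non-https links, and risky or uncommon attachment types (added example)."""

from html.parser import HTMLParser
from urllib.parse import urlparse
import os
import re

# Assumed lists: the article names .zip and .exe; the rest are file types that
# mail gateways commonly block, plus everyday document types treated as "common".
RISKY_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso"}
COMMON_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg", ".jpeg"}

# Something that looks like a domain or URL inside the clickable text,
# e.g. "www.bank.com" or "https://bank.com/login".
HOST_LIKE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


def _norm(host):
    """Treat 'www.example.com' and 'example.com' as the same site."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return warnings for one link; an empty list means nothing looked odd."""
    target = urlparse(href)
    if target.scheme not in ("http", "https"):
        return []  # mailto:, tel: and similar are not web links
    warnings = []
    real_host = _norm(target.hostname or "")
    if target.scheme != "https":
        warnings.append(f"link is not https: {href}")
    # The text the reader sees names a site: compare it with the real destination.
    m = HOST_LIKE.search(text)
    if m:
        shown_host = _norm(m.group(1))
        if shown_host != real_host and not real_host.endswith("." + shown_host):
            warnings.append(f"text shows '{shown_host}' but link goes to '{real_host}'")
    # A "link" whose path ends in a risky extension is really a download.
    ext = os.path.splitext(target.path)[1].lower()
    if ext in RISKY_EXTENSIONS:
        warnings.append(f"link is a disguised download ({ext}): {href}")
    return warnings


def check_attachment(filename):
    """Return warnings for one attachment name."""
    warnings = []
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in RISKY_EXTENSIONS:
        warnings.append(f"risky attachment type {ext}: {filename}")
    elif ext not in COMMON_EXTENSIONS:
        warnings.append(f"uncommon attachment type '{ext}': {filename}")
    # Double extensions such as invoice.pdf.exe hide the real file type.
    if os.path.splitext(base)[1].lower() in COMMON_EXTENSIONS:
        warnings.append(f"double extension: {filename}")
    return warnings


def scan_email(html_body, attachments):
    """Run every check over an email body and its attachment names."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        findings.extend(check_link(href, text))
    for name in attachments:
        findings.extend(check_attachment(name))
    return findings


# Constructed sample message: one mismatched link, one disguised download,
# one honest link, and a mix of safe and risky attachments.
SAMPLE_HTML = """<p>Your invoice is ready. Please review it at
<a href="http://secure-login.example.net/pay">https://www.bank-example.com/invoices</a>
or download it <a href="https://cdn.example.org/files/invoice.exe">here</a>.
Questions? See <a href="https://www.bank-example.com/help">www.bank-example.com</a>.</p>"""
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe", "statement.pdf", "notes.zip", "photo.hta"]

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print("WARNING:", finding)
```

Running the script prints seven warnings for the sample: the first link is both non-https and points somewhere other than the site its text shows, the second is a disguised .exe download, and three of the four attachments are flagged (the double-extension file twice). The honest link and the plain PDF produce nothing, which is the point of the exercise: the tool should reinforce, not replace, the habit of hovering and reading before clicking.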
2) Use strong, unique passwords. These days there are passwords for everything. With so much to keep track of, it is tempting to use a simple password. Avoid the temptation. Passwords are there to safeguard business or personal data. It is important to choose complicated, unpredictable passwords so that they are not easy to break. Likewise, stay away from using the same password or a similar password for multiple logins. Easy-to-predict passwords just make it that much easier for a bad actor to get access to more of your infrastructure, faster.
Understand and follow the company password policy. Whether it is to change your password once a month or once every three months, follow the policy to keep data better protected. That policy will likely also indicate that passwords should not be shared. If someone asks for your credentials, steer them to where they can acquire their own. Never give yours away.
3) Lock your computer. Workstations contain or have access to important information. A computer should always be locked when the user walks away. Whether that PC is in the office or remote, it is important to get into the habit of securing your workstation. Not all malware or data breaches come from emails. Sometimes they can come from a person gaining physical access to a computer.
4) Avoid visiting or downloading from unknown websites. Be careful when visiting websites. Some sites may be set up by bad actors intent on stealing information from you. Unless you are sure the site is trustworthy, stay away from it and do not download anything from it.
One way to try to remain safer is to only visit sites that use https. That means that the information you enter when visiting the site is encrypted in transit and cannot be intercepted by external cybercriminals. You still, however, need to be sure the owner of the site is legitimate. While data cannot be intercepted by outsiders, it will go to the owner of the site, whether or not they are a bad actor. The important message here is to be suspicious of all websites.
5) Be suspicious of phone calls. Not all cyberattacks start on a computer. Sometimes they begin with a phone call and a convincing person on the other end expressing a need for your credentials. Do not give your passwords to anyone. Just like the safe response to a suspicious email, hang up the phone and call the company they purport to be from to verify their story. In addition, do not use a phone number the caller may give you. Look up the number to avoid calling an impostor.
6) Use Multi-Factor Authentication (MFA). While maintaining strong passwords is critical, Multi-Factor Authentication (MFA) is just as important. MFA is a security enhancement that forces a person to show more than one piece of evidence when logging into their account. For example, when logging into CRM software, a username and password must be entered, but with the addition of MFA, the login prompts a notification of the login attempt on the user’s cell phone or other device and requires the user’s approval. This stops a cybercriminal from using stolen credentials, since the actual user would be notified on another device and would not approve the access. This is a very effective second layer of defense, and, in fact, this simple use of MFA could have halted the Colonial Pipeline breach.
7) Use a secure VPN connection when accessing data while away from the office. When away from the office, protect your data by using a secure Virtual Private Network (VPN). This ensures that data is encrypted and not readily available to bad actors. Many businesses already install VPNs on remote employees’ computers, but they are also readily available through many reputable security software vendors, like Norton.
8) Don’t use public Wi-Fi. Public Wi-Fi seems to be available everywhere lately, but it is unsecured and data can easily be intercepted. If you need to work remotely in a public setting, consider using a private cell phone hot spot. This will ensure your data is protected.
9) Keep all software up to date and enable firewall protection/antivirus software. One of the simplest steps to maintain security is to keep all your software up to date. Most updates include patches for newly uncovered security flaws, so it’s important to stay current to avoid leaving known vulnerabilities unpatched.
It is also important to install and upgrade firewall and antivirus software. As the names state, the main goal of these types of software is to keep your data safe from cyberattack. Your company may already have these in place, but they are also readily available from reputable security software specialists like McAfee.
10) Don’t forget about backups. Everyone knows that backups are important, and the vast majority of businesses have a backup procedure in use. But it is also important that individual employees back up their computers. Should a malware incident happen, it is likely that the infected PC will be formatted, so a fresh backup will get that employee up and running quickly. In addition, remember to periodically test the backups. It is no fun to be in an emergency and discover a faulty, unusable backup. Also, keep the backup separate from the PC on a removable drive or perhaps on an encrypted cloud service. Malware looks for backups to infect, so separation and encryption are very important.
Employee education is a great start to a cybersecurity plan and an essential, ongoing effort. Even if you are having trouble expeditiously pulling together a full plan, get started communicating these 10 things to your team. You will be helping address vulnerabilities and getting a jumpstart on securing your business.
Regina Balistreri is Director of Marketing at energy software company ADD Systems. She can be reached at 973-584-4026 x1317 or email@example.com.