On the job, we all share responsibility for the organization's online safety and security. As the lines between our work and daily lives become increasingly blurred, it is more important than ever to make sure that good cybersecurity habits carry over between the two. As a collective, our organization must establish a culture of security in which people think, act, and behave consistently.
This does not happen by chance, but intentionally.
Each and every employee is a critical link. The following guide introduces concepts to help us become force multipliers in combating cybersecurity attacks at work.
SECURITY FROM THE START. Realize that you are an attractive target to attackers. Never say "It won't happen to me." Every choice you make in your recruiting work has consequences, so start with the intention to practice secure habits at all times. This can be as simple as not connecting to unsecured WiFi, reading and following company IT and cybersecurity policies, keeping a clean desk, and locking your computer screen whenever you step away.
IT'S NOT ALL TECHNICAL. Cybersecurity is not exclusively a digital-realm issue; it includes many non-technical controls that should become part of your daily routine. Some of those include protecting the physical security of controlled areas, encrypting your files or folders, being wary of social engineering, being careful about what you plug into your computer, and, most importantly, reporting any anomalous behavior or insecure computing practices you notice.
CREATE SECURE PASSWORDS AND AUTHENTICATION. Because of the sensitive information stored on our network, strong authentication procedures, including sensible password hygiene, help ensure that only authorized individuals can access our data. Two-factor authentication is the preferred method and should be enabled wherever it is offered; in every case, applying the corporate password policy for the creation and management of passwords helps keep our environment secure.
CONTROL ACCESS TO DATA AND SYSTEMS. Our data and systems are our digital crown jewels and must be protected. We must take reasonable steps to keep them secure, not only from the prying eyes of outsiders but also from other employees who have no business reason to access them. Put controls in place so that employees have access only on a need-to-know basis and everyone else is blocked.
STORE SENSITIVE INFORMATION SECURELY. Data breaches can lead to regulatory action and legal liability if sensitive information falls into the wrong hands. Storing this data is a business necessity, and whether it is personally identifiable information or technical designs, we must keep it secure throughout its lifecycle. This means using strong, industry-tested and accepted cryptography, rather than home-grown schemes, to protect the data both in storage and in transmission. The less data you must manage, the better, so keep only what you need and securely destroy the rest.
KEEP APPS AND SYSTEMS UPDATED. Outdated software undermines security, and keeping it current is not a one-time task. It is an ongoing process that requires you to keep your guard up. The company has a vulnerability management program that covers managed applications, but what about the third-party software you installed last week? Those applications need updates applied as they are issued so they do not expose the company to unnecessary risk. If you develop your own software, have an effective process in place to receive, triage, and fix any security vulnerabilities reported to you.
COMPLETE CYBERSECURITY TRAINING TO HONE YOUR SKILLS. The security of our company's computing environment is only as strong as our least aware employee. That means achieving cybersecurity maturity is something everyone must take seriously. To support this, the company has made training available on security subjects including email safety, physical security, privileged access, and common attack techniques, supplemented by regular security awareness messages teaching basic lessons about security.
PRACTICE SAFE CLICKING. Always be careful when clicking on attachments or links in email. If something is unexpected or suspicious for any reason, don't click on it. Double-check the URL of the website a link actually takes you to: bad actors often register misspelled or look-alike domain names so that a single wrong letter sends you to a harmful site. Sensitive browsing, such as banking, shopping, or accessing work email, should only be done on a device that belongs to you, on a network that you trust. A friend's phone, a public computer, and a cafe's free WiFi all pose risks that are better avoided.
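The "double-check the URL" advice above can be turned into a mechanical check. The following is an added example, not part of the original guide: it pulls links out of a constructed sample email and flags hostnames that merely resemble a hypothetical allow-list of trusted domains, catching typosquats a letter or two away, homoglyph swaps such as "rn" for "m" or "1" for "l", swapped top-level domains, and trusted names smuggled in as a subdomain of an unrelated domain (for example a hypothetical example-bank.com.attacker.invalid). The domains and the email body are made up for the demonstration.

```python
"""Look-alike domain check for links in email (added example; the trusted
domains, the sample message and the heuristics are assumptions, not the
organisation's real configuration)."""
import re
from urllib.parse import urlparse

# Hypothetical allow-list of registrable domains the reader trusts.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Digits that are visually confusable with letters in many fonts.
_DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label: str) -> str:
    """Fold common homoglyph tricks (examp1e, exarnple, vvww) into a canonical form."""
    return label.lower().translate(_DIGIT_MAP).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style names; real code
    should consult the Public Suffix List to handle suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    d_label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        # 1. Trusted name embedded in a longer hostname: trusted.com.attacker.invalid
        if trusted in host:
            return "lookalike"
        # 2. Same name after homoglyph folding, or the same name under another TLD.
        if normalize(d_label) == normalize(t_label):
            return "lookalike"
        # 3. One or two typos away (dropped or transposed letters). Restricted to
        #    longer names so that short labels do not collide by coincidence.
        if len(t_label) >= 6 and edit_distance(normalize(d_label), normalize(t_label)) <= 2:
            return "lookalike"
    return "unknown"


def classify_url(url: str) -> str:
    """Classify the host of a URL; anything without a parseable host is 'unknown'."""
    host = urlparse(url).hostname
    return classify_host(host) if host else "unknown"


def scan_links(text: str) -> list:
    """Extract http(s) links from free text and classify each one."""
    return [(u.rstrip(".,)"), classify_url(u.rstrip(".,)"))) for u in URL_RE.findall(text)]


# Constructed sample message for the demonstration (not a real phishing email).
SAMPLE_EMAIL = """Subject: Action required on your account

Please sign in at https://www.example-bank.com/login to review the notice.
Faster link: https://www.exarnple-bank.com/login
Or use the mirror at https://example-bank.com.secure-verify.invalid/login
"""

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```

The check is a heuristic, not a verdict: "unknown" only means the host is not on the allow-list, and a legitimate new vendor will land there too, while a well-chosen look-alike using a different suffix or a Unicode homoglyph can slip past the simple folding shown here. Its value is in making the comparison explicit, which is exactly what a hurried reader skips when a link looks roughly right.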
Vigilant employees making smart decisions multiply the effectiveness of any technical solution. The company cannot afford to fail at cybersecurity. We don't want to be hacked, to see customer information fall into the wrong hands, or to have criminals lock up our essential data and demand a ransom. To make sure our networks and data are secure, take the time to get cybersecurity right. It is far cheaper to get advice and create a plan now than to deal with the aftermath of a reportable incident.