The announcement of yet another cyberattack has nearly become a daily occurrence. Clearly, the need to be proactive in protecting your organization has never been greater. You have undoubtedly done all you can to protect your organization's data from attack, but with so many employees working remotely and then connecting their devices to the network, it is a good time to be reminded that many employees are still making simple mistakes that expose your network to attack. People, after all, are the part of your security posture that social engineering targets, and often the weakest one. Here are a few of the most common mistakes your employees are still making and some tips on how to change their habits.
- Forgetting to install updates right away
Remind your employees to install application and operating system updates as soon as they are offered, and to leave automatic updates switched on where the platform supports them. They should know that updates are not limited to adding new features: they carry patches for security vulnerabilities, and once a fix is public, the flaw it fixes is public too, so unpatched machines become easy targets. If they are allowed to use their own copy of Microsoft Office for company business, it must be kept up to date as well.
- Using third-party computers for corporate business
First, they should know not to conduct any company business on a computer that isn't theirs, especially at hotel business centers and other public kiosks. As part of this education, they should know about keyloggers: software, or a small hardware device plugged in between the keyboard and the computer, that records every keystroke. It is very possible that a shared computer has one installed, and anything typed on it, passwords included, can be stolen.
- Using one static password
Remembering a different password for every account is a daunting chore for anyone, and you don't want people writing them down on sticky notes to cope. A password manager solves this: it generates and stores a long, random, unique password for each site, so the employee only has to remember one strong master passphrase. For that master passphrase, several unrelated words picked at random from a word list (for example, five of them) are easy to remember and far harder to guess than a familiar saying such as MyDogHasFleas!, which sits on the dictionary and phrase lists that cracking tools try first. Discourage personal "formats" such as yourname(xx)@websitename, where xx is a random two-digit number: once one such password leaks in a breach, the scheme is obvious, and every other account is at most a hundred guesses away. Where a service offers multi-factor authentication, have them turn it on as well.
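The difference between a pattern-based password and a randomly generated one is easy to put in numbers. The following added example (written for this page, not taken from the original post or any vendor) generates passphrases and passwords with Python's `secrets` module, computes the entropy each choice carries, and enumerates everything the yourname(xx)@websitename scheme can produce for one account. The word list is a constructed stand-in; the entropy figure in the usage note assumes a real diceware-style list of 7776 words.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list. A real diceware-style list has
# thousands of entries (the EFF long list has 7776), which the entropy figures
# quoted in the prose assume; this short list only shows the mechanics.
WORDS = ["anchor", "basil", "crater", "dune", "ember", "fjord", "glacier", "harbor",
         "indigo", "juniper", "kestrel", "lagoon", "meadow", "nimbus", "orchid", "pebble"]

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in a secret built from `length` independent, uniform picks
    out of `choices` options: the log2 of the number of equally likely secrets."""
    return length * math.log2(choices)


def random_passphrase(words=WORDS, count=5, sep="-") -> str:
    """Pick `count` words with the CSPRNG behind `secrets` (never `random`)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length=16) -> str:
    """The kind of per-site password a password manager generates and stores."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))


def enumerate_pattern(name: str, site: str) -> list:
    """Every password the yourname(xx)@websitename scheme can yield for one
    account once the scheme is known: the attacker only has to try these."""
    return [f"{name}({xx:02d})@{site}" for xx in range(100)]


if __name__ == "__main__":
    print("passphrase:", random_passphrase())
    print("manager-style password:", random_password())
    print(f"5 words from 7776: {entropy_bits(7776, 5):.1f} bits")
    print(f"16 random symbols: {entropy_bits(len(SYMBOLS), 16):.1f} bits")
    print(f"known pattern, unknown xx: {entropy_bits(100, 1):.1f} bits "
          f"({len(enumerate_pattern('alice', 'bank'))} guesses)")
```

Five words from a 7776-word list give about 64.6 bits; sixteen random printable characters give about 104.9 bits; the pattern, once one password has leaked and revealed it, leaves only the two digits, about 6.6 bits, or a hundred guesses per account.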
- Not understanding all those security names
You should provide them with a short glossary so they understand "phishing", "spear phishing", "ransomware" and the other terms for attacks and malware they will keep running into. Understanding these words, which they may have seen in print but aren't clear on, will help them recognise the social engineering they could fall prey to. At a minimum, being aware of these pitfalls should make them more vigilant.
- Trusting E-mails
If your employees remember anything, this is the most important point, and one worth repeating often, especially during a known attack. Make sure HR covers it with new employees. They should never open an attachment or click a link from an unknown source, and when a message from someone they know asks for something unexpected (a payment, a password, an urgent file) they should confirm it through another channel, such as a phone call, before acting. Misspellings, a display name that doesn't match the sender's address, a Reply-To that points somewhere else, link text that doesn't match where the link actually goes, and emails with no body copy at all are common signs of phishing.
Make sure they know that if anything looks suspicious they should forward it to IT rather than delete it, since one report can protect everyone else who received the same message. If you have deployed a tool, such as the one from Attivo Networks, that gives them a one-click way to report phishing emails, they shouldn't hesitate to use it.
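The warning signs listed above can be checked mechanically, which is useful both for a mail-gateway rule and for showing employees what to look at. The following added example (written for this page, not taken from the original post or from any product) parses a raw message with Python's standard `email` and `html.parser` modules and reports a sender outside the organisation's domains, a Reply-To that differs from the From address, link text naming one host while the href goes to another, an empty body, a few known misspellings and urgency language. The three sample messages, the trusted-domain set and the tiny vocabulary lists are all constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Assumption: tiny vocabularies; a real filter would use a dictionary and a tuned list.
MISSPELLINGS = {"confrim", "imediately", "paymnet", "acount", "recieve"}
URGENCY = {"urgent", "immediately", "imediately", "suspended", "verify now"}

# Constructed sample messages; none of these were ever sent.
PHISH = b"""\
From: "Jane Doe (Payroll)" <jane.doe@examp1e-corp.com>
Reply-To: payroll-update@mail-example.net
To: bob@example.com
Subject: Urgent: confrim your direct deposit
Content-Type: text/html; charset=utf-8

<html><body><p>Please <a href="http://203.0.113.5/login">https://intranet.example.com/payroll</a>
imediately or your paymnet will be delayed.</p></body></html>
"""
IMAGE_ONLY = b"""\
From: Invoices <billing@mail-example.net>
To: bob@example.com
Subject: Invoice 4471
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:invoice"></body></html>
"""
BENIGN = b"""\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free Thursday at noon? The usual place: https://intranet.example.com/cafe
"""


class _LinksAndText(HTMLParser):
    """Collects (href, visible text) per anchor plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable red flags found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if sender and sender.domain.lower() not in TRUSTED_DOMAINS:
        findings.append(f"external_sender: {sender.addr_spec}")
    if sender and reply_to and sender.domain.lower() != reply_to.domain.lower():
        findings.append(f"reply_to_mismatch: replies go to {reply_to.addr_spec}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    links, text = [], content
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinksAndText()
        parser.feed(content)
        text, links = " ".join(parser.text), parser.links
    if not text.strip():
        findings.append("empty_body")  # image-only or blank bodies hide the real lure

    for href, shown in links:  # text names one host, href goes to another
        target = (urlparse(href).hostname or "").lower()
        named = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", shown.lower())
        if named and named.group(1) != target:
            findings.append(f"link_mismatch: text shows {named.group(1)}, href goes to {target}")

    haystack = f"{msg['Subject'] or ''} {text}".lower()
    misspelled = sorted(set(re.findall(r"[a-z']+", haystack)) & MISSPELLINGS)
    if misspelled:
        findings.append("misspellings: " + ", ".join(misspelled))
    if any(word in haystack for word in URGENCY):
        findings.append("urgency_language")
    return findings


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("IMAGE_ONLY", IMAGE_ONLY), ("BENIGN", BENIGN)):
        print(name, phishing_indicators(sample))
```

Run stand-alone, the phish sample trips every check, the image-only message is flagged for its empty body and external sender, and the benign internal message produces no findings. None of these signals is proof on its own; the point for an awareness session is that each is visible to a reader who pauses before clicking.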
These are just a few of the many tips that can be found through simple searches. Since new suggestions come out all the time, periodic searches can feed your training programs and cyber security awareness campaigns. We will continue to provide you with information, but in the interim, here are links to some of the better suggestions: