Cybersecurity in the Workplace: How You Can Make a Difference
Data security is important for every business. It's especially important in cases where the company is holding customer data, or has access to customer environments.
Even the most powerful firewalls and IPSes (intrusion prevention systems) often fail to protect an enterprise's network infrastructure from its weakest link: an uneducated employee. Employees clicking on malicious links or downloading viruses is the number one cause of service disruption in the industry. This is especially true with today's "bring your own device" (BYOD) culture.
Phishing, in which hackers attempt to steal private information by luring individual users, is a huge problem. Hackers are very skilled and often pose as trusted individuals or sites to trick users into clicking, or providing personal info and passwords. According to a 2015 report by security software firm Trend Micro, 91 percent of cyberattacks start with a "spear-phishing" e-mail targeted at a specific individual within an organization.
Most IT companies have special departments, or individuals, who control user access to the corporate network and provide proper training in security protocols. Users are often obligated to install special software on their work PCs and other platforms to ensure they follow corporate security policies. If a user attempts to install forbidden programs, or fails to set a password on their screensaver, these security programs block the action and alert the proper authority.
For every company that strictly educates and pushes its employees to comply with security measures, however, there's another one that does not. Just 39 percent of employees surveyed, industry-wide, report receiving security awareness training or advice at work more than once per year.
When a company fails to provide adequate training on how to protect against common security breaches, it typically falls to the employee to protect their sensitive data. Regardless of what your company does, the following security practices can save you and your employer a lot of headaches, and money.
When you step away, always lock your PC or other device.
Leaving your device unattended makes it physically accessible to anybody walking by. It gives them a "green light" to attempt everything from stealing your data with a pen drive or portable HDD, to installing a keylogger, dropping off a virus, or simply corrupting your data and leaving you to clean up the mess. Worse, an unattended workstation could provide access to your employer's corporate network, creating the possibility of doing far greater harm. Always require a password to unlock your desktop. It's worth the bother of a few keystrokes to secure your device and data.
Whenever possible, use a Kensington lock as well — the only thing worse than temporary unauthorized physical access is someone walking off with your PC.
Never share passwords.
Social engineering and phishing are the most common methods of stealing passwords. Never share your passwords with anybody — colleague or friend. You can never be sure whether they have the knowledge to protect themselves from the above-mentioned password-stealing techniques. If you receive an odd-looking e-mail or chat message from a colleague asking for your password, contact them directly to confirm the request.
Don't store your passwords in an easily accessible location — like a physical notebook, or a program like Notepad. Store your passwords in a password manager that keeps them encrypted. There are plenty of these available on the internet, but before downloading one, ask the security officer or an IT colleague/friend for advice.
Encrypt your hard disk drives.
If your PC gets stolen, it's easy for all the data to be extracted and read. Encrypting your HDD with full-disk encryption software will keep the "bad guys" from reading your data. Make sure to encrypt all your drives, not just the primary one.
Also, always remember your login password: once the PC has been turned off, a forgotten password means there is no way back into the encrypted data. If you're uncertain about which personal security measures to take, ask the security officer or a more experienced IT colleague for advice on HDD encryption software.
Don't connect to unencrypted wireless access points.
When connecting to a public network, always use your VPN, or Virtual Private Network, to access the corporate network and data.
Some companies regularly leave their networks accessible to the outside world, or run an open wireless network with no encryption. This is a big security issue that can lead to major problems. If for some reason your company has the above-mentioned security holes, raise the concern.
Meanwhile, protect yourself from "packet sniffing" by always using your VPN. Doing so makes it a lot less likely that a hacker will capture your traffic and read it in plaintext.
Be careful with downloading and installation.
Hackers are some of the most creative people on the internet. It's not a big task for them to create fake websites that look exactly like an official company site. There have been many fake eBay and Amazon sites in the past few years. Always double check that you are on the correct site before entering information.
The same goes for downloading. When installing a well-known program, double-check the domain name of the website you are downloading it from. If it's misspelled, close the page immediately and delete any downloaded files.
The best practice here is simply to not download anything at all unless it's required for your job. Some companies have a list of allowed software, and even a web portal or application from which the employees can safely download. If your company uses one of those, it's safest to use only that tool for downloads.
Another place this threat exists is in your mailbox. Mail servers typically check sender domains against databases of well-known malicious domains. They also have multiple security and antivirus features to evaluate whether an e-mail contains harmful code. But if the servers or the databases aren't up-to-date, then you're vulnerable.
Again, always check the domain from which you receive e-mails; never download attachments with odd extensions, especially executable files (.exe, .bat, and so forth); and always ask the security officer or a competent IT colleague if you have even the smallest concern.
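As an added illustration of the "double-check the domain" advice for both download sites and e-mail senders (this is example code, not part of the original article), the following Python script extracts the registrable domain from a URL or sender address and flags names that differ from a trusted list by one edit or by look-alike characters such as "rn" for "m". The trusted domains and the sample inputs are constructed for the example; a production version would use the public suffix list instead of the last-two-labels simplification.

```python
from urllib.parse import urlparse

# Constructed list of domains the organisation trusts (hypothetical values).
TRUSTED_DOMAINS = ["amazon.com", "ebay.com", "example-corp.com"]

# Character sequences that look alike on screen and are used in misspelled domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable_domain(target: str) -> str:
    """Return the registrable domain (last two labels) of a URL, host or e-mail address."""
    if "://" not in target and "@" in target:            # e-mail address
        host = target.rsplit("@", 1)[1]
    else:                                                 # URL or bare host name
        host = urlparse(target if "://" in target else "http://" + target).hostname or ""
    # Simplification: the real registrable domain needs the public suffix list (e.g. co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Collapse look-alike character sequences so visual twins compare equal."""
    for seq, rep in HOMOGLYPHS:
        domain = domain.replace(seq, rep)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def classify(target: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a URL or sender address."""
    domain = registrable_domain(target)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"
```

Note that a host such as www.amazon.com.account-check.net is classified as unknown rather than trusted, because only the registrable part of the name counts.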
Keep your antivirus, OS and programs up-to-date.
If your antivirus is not current, you can be exposed to unrecognized security threats, new viruses, Trojans and worms. Remember, operating systems are never perfect — especially in their first releases. Keeping them updated will keep a hacker from taking advantage of known holes in the code.
Be careful using external devices.
Pen drives, external HDDs, DVDs and CDs should be used with great care. They're a great way to spread a virus that may not be detectable by your antivirus program. Before using an external storage device, always format it first, then copy the data onto it and scan it with up-to-date antivirus software.
Ask for help.
Always ask your security officer or system administrator if you need help securing your data or device. If you suspect that your company's IT infrastructure is at risk, say something. It's always easier to prevent a breach than to repair one.
Data breaches are no laughing matter. They regularly cost companies millions of dollars in lost revenue, denial-of-service attacks and virus removal. Even more costly is the loss of reputation from a cyberattack. Customers want to trust that their data is safe. As an employee, you play an important role in your company's cybersecurity.