Reducing Cyber-Attack Risk Through Employee Education
Cybersecurity strategies and investments are necessary, but human asset protection cannot be overlooked.
Cybersecurity is one of the greatest risks organizations face in a world dominated by technology and the Internet of Things. Working with vendors to develop cyber protections and policies is important, but cybersecurity is more than infrastructure protection – people are at risk and need to be trained.
Cybersecurity strategies, policies and training can’t be confined to the physical workplace. Cyber threats are everywhere and businesses are at risk even when employees are not in the office. Any device that stores information or is connected to the internet can be a vulnerability, including thumb drives, laptops, printers, phones, tablets, thermostats and vehicles.
Here are a few tips from our cybersecurity experts for increasing employee awareness of cyber threats and ways to reduce risk.
Phishing Attacks
Phishing attacks are fake messages from a seemingly trusted or reputable source designed to convince you to reveal information, give unauthorized access to a system or click on a link. These can come through emails, text messages, phone calls or social media messages.
Employees need to be aware of what these messages can look like – HR and accounting departments can be particularly vulnerable to fake bank emails, customers “changing” their accounts for deposit and emails asking for payroll, tax or HR info from the “CEO” or “CFO.”
For employees accessing office networks on a personal computer or bringing work devices home, understanding these types of fake communications will be critical to preventing hackers from accessing company data and networks.
Antivirus Protection
Do all of your devices have anti-virus software installed? Do your employees have anti-virus software on home computers, phones and tablets? Just as important, are all devices up to date and regularly scanned for potential threats?
Passwords
Password updates – they’re one of the most hated prompts. It can be difficult to think of new passwords, and with so many devices and apps requiring them, a real challenge to remember them all. However, strong passwords are extremely important to protecting personal and professional data and devices.
Password or credential stuffing is a cyberattack that tries “stuffing” already compromised usernames and passwords from one site into another site in the hopes that the user uses the same login information across platforms.
Changing passwords often and creating complex passwords reduces the risk of hackers accessing systems. Use different passwords on different systems and accounts – reset your passwords every few months and use a password manager to keep track. When creating a password, use the longest password allowed along with a mix of uppercase and lowercase letters, numbers and symbols.
And don’t forget your WiFi at home and the office – limit who has access and change the password every few months.
User Access
Do you know who has access to your systems and devices? In addition to employee policies that address off-boarding, organizations must monitor third-party vendors. What happens when they have a turnover in the employee assigned to your account? Have you had contractors accessing the building for projects that are now complete?
Are employees using company devices for remote work? How are they accessing company data and systems from home?
Organizations are responsible for monitoring everyone who has access to company networks, systems and devices. Policies that are frequently reviewed, updated and enforced are critical to protecting data and infrastructure.
Asset Disposal
Does your organization have an asset disposal policy? Outdated and unused devices like PCs, laptops and printers can’t simply be tossed in the dumpster. Devices need to be cleared of data whether they are being destroyed or donated. Customer and employee data must be protected even when a device is no longer in use.
A strong security posture is critical for organizations to protect assets and consumer and employee data. Cybersecurity strategies and investments are necessary, but human asset protection cannot be overlooked. Properly training and educating employees across all levels and departments to understand the threats, risks and impact personally and professionally can drastically improve your organization’s ability to protect its assets and data from cyber-attacks.
Michael Seidelman is Director of Cybersecurity for Think|Stack, a Baltimore-based managed IT services CUSO specializing in cloud and cybersecurity solutions for credit unions and non-profits.