Yep, sorry, folks… this is a real problem. In fact, it’s a HUGE problem. Your company’s vulnerability, in large part, comes from your employees’ level of cybersecurity awareness. With a little know-how and finesse from the bad guy, here are a few ways this happens AND a few ways your employees can be active participants in stopping them.
Carelessly opening email
Employees often spend the day checking their email — and hackers know it. This makes email a prime entry point for cybercriminals. Employees MUST approach their email with care so they can identify signs of an attack and mitigate the risk.
Common signs of an attack include fake or forged sender addresses (for example, firstname.lastname@example.org), unprofessional subject lines, bad grammar and typos, and language that creates a sense of urgency to respond with personal information.
Employees should be able to identify a potential threat and report it to IT. They shouldn’t click on links (including “unsubscribe”), submit information, open attachments, or reply to such an email.
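The signs listed above can also be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original post: a small Python scorer that applies those same indicators (untrusted sender domain, unprofessional subject, common typos, urgency wording, requests for credentials, links to untrusted hosts) to two constructed sample messages. The trusted domain, the typo list and the keyword lists are assumptions chosen for the demonstration; a real mail filter would use a spell-checker and a maintained keyword corpus.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for the demonstration (not real mail).
# The sender address is the placeholder the post itself uses.
SAMPLE_PHISH = """\
From: "Payroll Dept" <firstname.lastname@example.org>
To: employee@ourcompany.example
Subject: URGENT!!! confirm you're account now
Content-Type: text/plain

Your acount will be suspended. Click http://ourcompany-login.example.org/verify
immediatly and enter your password to avoid lock out.
"""

SAMPLE_LEGIT = """\
From: "Alice Smith" <alice.smith@ourcompany.example>
To: employee@ourcompany.example
Subject: Q3 planning notes
Content-Type: text/plain

Hi, attached are the notes from today's meeting. No action needed.
"""

# Assumed company domain; anything else is treated as external.
TRUSTED_DOMAINS = {"ourcompany.example"}
URGENCY = re.compile(r"\b(urgent|immediately|immediatly|suspended|within 24 hours)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|social security|ssn|account number)\b", re.I)
# A tiny constructed typo list stands in for a real spell-checker.
COMMON_TYPOS = ("acount", "immediatly", "recieve", "you're account")
LINK_HOST = re.compile(r"https?://([^\s/]+)", re.I)


def _is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def score_message(raw):
    """Return the list of phishing indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    combined = subject + "\n" + text
    findings = []

    if not _is_trusted(domain):
        findings.append(f"sender domain not trusted: {domain or '(none)'}")
    if "!!" in subject or re.search(r"\b[A-Z]{4,}\b", subject):
        findings.append("unprofessional subject line")
    typos = [t for t in COMMON_TYPOS if t in combined.lower()]
    if typos:
        findings.append(f"typos: {', '.join(typos)}")
    if URGENCY.search(combined):
        findings.append("urgency language")
    if CREDENTIAL_ASK.search(text):
        findings.append("asks for credentials or personal information")
    bad_hosts = [h for h in LINK_HOST.findall(text) if not _is_trusted(h)]
    if bad_hosts:
        findings.append(f"links to untrusted hosts: {', '.join(bad_hosts)}")
    return findings


def is_suspicious(raw, threshold=2):
    """A message with two or more indicators should be reported to IT, not acted on."""
    return len(score_message(raw)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(sample), score_message(sample))
```

A single indicator on its own (one external sender, one capitalised word) is normal business mail, which is why the decision uses a threshold rather than any one rule; the point for staff is the same as the post makes: several of these signs together mean report, don’t click.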
Giving a password over the phone/leaking passwords
How would your employees respond to this call? “Hi, this is Sam, from IT. We noticed your certificate is about to expire, so I need your password to reset.”
Well, hopefully, they’d know that IT would never ask for a password, or for other sensitive information like a social security number, home address, or the answers to common password-reset questions.
Another big one is writing passwords on a notepad, or taping them to the computer. Instead, secure your passwords with a single sign-on (SSO) service or two-factor authentication.
Losing a mobile phone
It’s easy to lose a device holding sensitive information. It’s actually not a matter of if, it’s a matter of when.
So, the question then is, how do we mitigate the loss of information? The two most important steps for you to take are 1) requiring that phones automatically lock and require a password to access and 2) making sure you have the ability to remotely wipe a device.
The employee plays an important role here, too. Should this happen, they need to be aware of the risks involved, and report immediately, even late on a Friday night. This allows your IT team to quickly wipe the device and prevent information loss.
Pro tip: Make sure employees know who to contact (direct manager, IT, etc.) and let them know they will never be punished for losing a device and reporting it immediately. They could, however, be at risk if they try to hide it.
Reusing passwords
Employees (and, well, everyone) typically use the same password for their social sites, bank login, and work account.
Is that bad? Yes!
If one of them is compromised, the attacker’s list of password possibilities for everything else in your life significantly dwindles.
You should have a company policy that requires employees to use a password for company logins that is unrelated to any password they use elsewhere, and enforce that these passwords are updated regularly.
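The policy above only helps if it is enforced at the point where a password is set. As an added example (not the post’s own code or any particular product), here is a Python routine that evaluates a proposed company password the way such a policy would: minimum length, not on a breached-password list, not a trivial variant of the current password (so “CorrectHorse2023!” cannot become “CorrectHorse2024!”), not equal to any of the last few passwords, plus a rotation check against a maximum age. The history depth, 90-day interval, minimum length and the breached-password set are assumed values chosen for the demonstration; a real deployment would load a full breach corpus.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

HISTORY_DEPTH = 5      # assumed policy value: previous passwords that may not be reused
MAX_AGE_DAYS = 90      # assumed policy value: rotation interval
MIN_LENGTH = 12        # assumed policy value

# Constructed breached-password list standing in for a real breach corpus.
BREACHED = {"password123", "Summer2023!", "welcome1", "letmein"}


def _hash(password, salt):
    # Slow, salted hash so the stored history is not a list of crackable digests.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _stem(password):
    """Lowercase the password with leading/trailing digits and punctuation removed,
    so 'CorrectHorse2023!' and 'CorrectHorse2024!' share the stem 'correcthorse'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()


class PasswordRecord:
    """Per-user state: salted hashes of recent passwords (newest first) and last change time."""

    def __init__(self):
        self.history = []
        self.changed_at = None

    def set_initial(self, password, now):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        self.changed_at = now


def verify(record, password):
    salt, digest = record.history[0]
    return hmac.compare_digest(_hash(password, salt), digest)


def evaluate_change(record, current_password, candidate):
    """Return the list of policy violations; an empty list means the change is allowed."""
    if not verify(record, current_password):
        return ["current password incorrect"]
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in BREACHED:
        problems.append("appears in breached-password list")
    stem = _stem(candidate)
    if stem and stem == _stem(current_password):
        problems.append("trivial variant of current password")
    for salt, digest in record.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("matches a recent previous password")
            break
    return problems


def apply_change(record, current_password, candidate, now):
    """Store the new password if policy allows it; returns the violations otherwise."""
    problems = evaluate_change(record, current_password, candidate)
    if problems:
        return problems
    salt = os.urandom(16)
    record.history.insert(0, (salt, _hash(candidate, salt)))
    del record.history[HISTORY_DEPTH:]
    record.changed_at = now
    return []


def rotation_due(record, now):
    """True when the password is older than the policy's maximum age."""
    return record.changed_at is None or now - record.changed_at >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    rec = PasswordRecord()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rec.set_initial("CorrectHorse2023!", t0)
    print(evaluate_change(rec, "CorrectHorse2023!", "CorrectHorse2024!"))
    print(apply_change(rec, "CorrectHorse2023!", "staple-battery-42-glyph", t0))
    print(rotation_due(rec, t0 + timedelta(days=91)))
```

The variant check only works at change time, when the user has just proved knowledge of the current password, because the stored history holds only salted hashes; that is deliberate, since a history of plaintext passwords would itself be a leak waiting to happen.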
Disposing of information carelessly
Proper disposal of information is often overlooked.
Let’s say an employee is cleaning their desk, and the primary culprit appears to be the large stack of papers, mail, envelopes, sticky notes, and other junk that’s piled up since the last time they cleaned. Well, they haven’t needed anything in the stack for 6 months, so it’s safe to say they won’t need it in the next 6, right? Everything is pushed in the trash.
But wait — what all was in that stack? Maybe a flash drive? Maybe a flash drive with sensitive customer data, confidential company information, passwords…?
Work with your IT team to develop an information disposal policy. This should include wiping all rewritable media such as hard drives and flash drives. CDs and DVDs should be shredded. Papers should be shredded or placed in a dedicated bin from which your IT team can properly dispose of them.