Even if your company does everything right to protect your data, your employees can unwittingly give cyber attackers access to your company’s sensitive information. As a follow-up to our recent post on human error being a major risk factor to data security, here’s a checklist for training your employees – and execs – about cyber security.
Use strong passwords
Passwords to access company data can often be “guessed” by cyber criminals. In fact, the most common passwords are very simple ones like “12345” and the word “password”, which is often set up as a default password. Don’t keep the default password! For a password to be considered “strong”, it should contain upper and lower case letters, numbers and symbols, and contain a minimum of 8 characters. It is a good idea to not include any words that are found in a dictionary. Strong passwords are harder to guess, so it is more difficult for hackers and computer programs to find their way into your company’s systems. A simple way to make a strong password is to use the first letter of each word in a phrase or title of a song, and then substitute characters and numbers for some of the letters (such as substituting the number 3 for the letter E).
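The rules above can be checked automatically when a password is set. The following is an added example, not part of the original checklist; the word lists are small constructed samples and the function name `password_problems` is hypothetical. It also reverses simple character swaps before the dictionary check, so a dictionary word with a 0 in place of an O is still caught.

```python
import re

# Constructed sample lists; a real check would load a full dictionary
# and a list of known default and breached passwords.
COMMON_PASSWORDS = {"12345", "password", "admin", "letmein"}
DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey"}

# Undo common character swaps (3 for E, 0 for O, ...) before the word check.
UNSWAP = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a",
                        "@": "a", "$": "s", "5": "s", "7": "t"})

# Each rule is (message, test that returns True when the password fails).
RULES = [
    ("shorter than 8 characters", lambda pw: len(pw) < 8),
    ("no lower case letter", lambda pw: not re.search(r"[a-z]", pw)),
    ("no upper case letter", lambda pw: not re.search(r"[A-Z]", pw)),
    ("no number", lambda pw: not re.search(r"[0-9]", pw)),
    ("no symbol", lambda pw: not re.search(r"[^A-Za-z0-9]", pw)),
    ("common or default password", lambda pw: pw.lower() in COMMON_PASSWORDS),
]

def password_problems(pw):
    """Return the checklist rules that `pw` fails (empty list = passes)."""
    problems = [name for name, failed in RULES if failed(pw)]
    # Lower-case, reverse the swaps, drop non-letters, then look for words.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(UNSWAP))
    for word in sorted(DICTIONARY):
        if word in letters:
            problems.append("contains dictionary word: " + word)
    return problems
```

A password built from the first letters of a phrase, such as the constructed sample `Ttl$h1wwy@`, passes every rule, while `P@ssw0rd1` is rejected because it is still the word “password” underneath.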
Use a different password for each site
Many people like to use the same password for every site they access, from social media to shopping to banking to work, so they don’t need to remember numerous passwords. Hackers know this and, when passwords are breached on one site, they try those passwords on other sites. Employees should never use the same passwords for work that they use for their personal sites.
Change passwords periodically
Many businesses suggest having their employees change their company passwords every 3 or 6 months. If a password is breached, this prevents the breached password from continuing to provide access.
Keep passwords secure
Many business software applications contain an audit log that records (employee) user activity. The login for different employees can provide access to different information, so that employees are only given access to the information they need for their job role. If employees share passwords, the person whose password is being used will be logged in as using the application and accessing the data. Sharing passwords disables the company’s ability to see who is actually accessing the data and prevents the company from protecting data from inappropriate access.
Hover over links before clicking
Cyber criminals use links to direct people to install malware or to collect data. A link may direct users to a fraudulent site (such as a website that looks like the person’s actual bank website) on which they enter their login information and other data, thereby willingly handing it over to the criminals who will then use that information to hack the legitimate site. Or the link might direct users to a site that installs malware on their computer. Employees should verify that links are legitimate before they click on them. Fraudulent sites often contain a domain name that is similar to a legitimate site, but it may contain a misspelling or a file extension that appears to be the domain of the legitimate site. Employees should be trained to place their mouse over the link without clicking, and look at the popup that shows the site to which they will be directed if they click on the link. They should only click on the link if the domain name looks legitimate.
Don’t open suspicious attachments
Malware can be delivered in attachments. If you receive an email from an unknown sender that does not reference the attachment, don’t open the attachment. Even if you receive an email from a friend or colleague, be wary of files that have a .zip or .exe format. These files can contain malware that will make changes to your computer.
Use encrypted email to send sensitive information
Regular email is like a postcard – all of the information written on it is visible for all to see and can be easily read by those who are not the intended recipient. If you are sending sensitive information, send it in an encrypted email. This is more like sending the message in a sealed envelope. The recipient has to “open the envelope”, by decrypting the message, to read the content.
Don’t run your computer with administrator access
If a virus infects a computer that is running in administrator mode, it can spread and make changes on the computer. If that computer is attached to a network, it can make these changes to every computer on the network! While it is necessary to use the computer as an administrator to install software, regular work should not be done in administrator mode.
Physically protect company data stored in your network
When using mobile devices, be wary of someone sitting next to you who can view your screen to read company data and learn your passwords. In the office, lock the screen or log off when walking away from your computer. Keep the door to your server rooms locked. Don’t share your access card and be wary of people “piggybacking” and following you through a locked door. When recycling computers, printers, copy machines, and mobile devices, wipe sensitive data or physically destroy the hard drives.
Protect data on mobile devices with passwords and encryption
Mobile devices are easily left behind or stolen when you’re not looking, exposing company data stored on the device to unauthorized individuals. Set up a security PIN or password on your mobile device. Encrypt the device or, at least, encrypt the files containing sensitive data. Install a “find my phone” and a remote wipe solution to use if your phone is missing. To protect against mobile malware, only download apps from reputable sites (like Google Play and the Apple App Store). Consider storing company data in the cloud (on secure sites), and accessing it with a password through your web browser rather than storing it on the device. If connecting to secure sites while using open Wi-Fi networks, use a virtual private network (VPN) to protect your data.
Human error is the leading contributor in more than half of business security breaches – higher even than technology failure. Providing education to mitigate the risks caused by human error is essential to protecting your business data. Of course, the foundation of your business security is having a secure technical infrastructure. Big Idea Technology is here to provide that foundation for your business.