This post was originally published on October 12, 2016, and updated most recently on January 29, 2021.
October is National Cyber Security Awareness Month (NCSAM), and there’s no better time to discuss the importance of cybersecurity for your team.
That’s right; cybersecurity isn’t just for your IT manager or company executives to worry about — cybersecurity is a team sport.
Hardly a day goes by that we don't see another high-profile security breach in the news. And the truth is that most of these breaches could have been avoided with a few basic security controls in place, along with some employee education on web safety best practices.
From LinkedIn and Dropbox to Yahoo and Ashley Madison, no company is too big to fall for a well-timed hack. How can your team protect themselves? Follow these tips, and you’ll reduce your risk significantly.
Don’t use the same password for everything
Over the years, you've probably made dozens of accounts. Some you still use, many you're no longer active on. If you've been using the same password for every account since high school, it's probably time to mix things up. The moment any one of those sites is breached, your username and password end up in a leaked list, and attackers take those lists and try the same credentials against a few hundred popular websites (the technique is called credential stuffing). One reused password can hand them your email, social media, banking information, and more.
I know; who can memorize 50 different passwords of jumbled letters, numbers, and characters? No one. Except maybe this guy. But luckily, you don’t need to.
Password managers such as LastPass or Dashlane will not only keep track of all of your passwords but also generate a long, random password each time you set up a new account online. This means you only really have to remember one password: the master password for the manager itself. Make that one a long passphrase and turn on two-factor authentication for the manager, because it now guards everything else.
Create strong passwords, and change them when they may be exposed
According to data compiled by Bloomberg, it only takes 10 minutes for a hacker to crack a six-character password that's all lowercase letters. Add uppercase letters and some symbols, and you've extended that time to 18 days. Extend your password to 9 characters, and it would take over a lifetime for a hacker's computer to guess the right answer. Figures like these assume a particular hashing scheme and cracking rig; against a fast, unsalted hash a modern GPU setup is far quicker, so treat them as an illustration of how much each extra character helps rather than a guarantee.
Remember, all it takes is that one guy who still uses "password1234" to ruin things for everyone. Don't be that guy.
Start with strong passwords, and change a password as soon as you suspect it has been exposed: a breach notice, a phishing link you clicked, a login on a shared device. Current NIST guidance (SP 800-63B) advises against forcing routine changes on a fixed schedule, because people respond with predictable tweaks such as incrementing a trailing digit. A strong password should:
- consist of at least nine characters; length matters more than anything else, and a multi-word passphrase is both longer and easier to remember
- contain a combination of letters, numbers, and symbols
- combine uppercase and lowercase letters
- not match any previous password, and not appear in lists of commonly used or breached passwords.
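The checklist above is easy to turn into code. The following is an added example, not part of the original post: a small password-policy checker that enforces the nine-character minimum and the character-class rules, rejects a constructed sample of common passwords, and compares a new password against the user's previous ones without storing any of them in clear (each previous password is kept only as a salted PBKDF2-HMAC-SHA256 hash, so a stolen history file cannot simply be read back). The `COMMON_PASSWORDS` set, the function names and the 600,000-round figure (OWASP's current recommendation for PBKDF2 with SHA-256) are this example's own choices.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of well-known weak passwords; a real deployment would
# check against a large breached-password list instead.
COMMON_PASSWORDS = {"password", "password1234", "123456789", "qwertyuiop", "letmein1"}

MIN_LENGTH = 9           # the article's minimum; longer passphrases are better
PBKDF2_ROUNDS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen history file is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember_password(password: str, history: list) -> None:
    """Store a fresh random salt and the hash of an accepted password in the history."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def check_password(candidate: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Re-hash the candidate with each stored salt; constant-time compare avoids leaking
    # how many bytes of the digest matched.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("matches a previous password")
            break
    return problems


if __name__ == "__main__":
    history = []
    remember_password("Correct-Horse-9!", history)
    for pw in ("password1234", "Correct-Horse-9!", "Ab1!", "Blue-Kettle-42!"):
        print(repr(pw), "->", check_password(pw, history) or "OK")
```

The per-entry salt is what makes the history safe to keep: two users (or the same user twice) with the same password get different digests, and an attacker cannot precompute a table that covers every stored hash at once.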
Use multi-factor authentication
Nowadays, we need to go beyond just usernames and passwords when logging into our accounts online. According to data compiled by the White House, as many as 62% of successful data breaches could have been prevented by using authentication systems such as biometrics or two-factor authentication (2FA).
For every account that allows it, set up two-factor authentication. Prefer an authenticator app or a hardware security key over SMS codes, since text messages can be intercepted or redirected through SIM swapping. Also, add a backup email and phone number, and store the account's recovery codes somewhere safe (your password manager is a good place), so if a hack does occur, you can regain access to your account as quickly as possible.
Keep all software up to date
Any device connected to the Internet is exposed to attack. Update your operating system and software as soon as new updates are released, and turn on automatic updates wherever they are offered. Patches close weaknesses the vendor has found or been told about, and attackers routinely exploit known, already-patched flaws on machines that simply haven't installed the fix yet. Don't forget browsers and their plugins, phones, and the office router.
Be smart about email
It seems like people should know how to use email safely by now, but many of us still fall for some pretty basic tricks.
First, don't open links or attachments unless you recognize the sender, and remember that a familiar name in the From field proves little, since sender addresses are easily spoofed and a colleague's mailbox may itself be compromised. Even then, don't follow links directly from the email. Hover over a link to see where it really points, and if you need to reach the site, type the address you already know or use your own bookmark. Copying the link from the mail into your browser doesn't help: it still takes you wherever the attacker chose.
Hackers usually start out with common techniques such as phishing and spear-phishing, targeting employees, partners, contractors, or even customers in an effort to gain access to the system. If you see an email or text from an otherwise trusted source (like Apple or Google) asking for your username or password, take this as a red flag, and don't oblige. And if you're ever unsure about an email, contact the real company directly, using a phone number or web address you already have rather than one given in the message. The extra effort could save you and your place of employment a lot of time and money.
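The "hover and look at where the link really points" check can be automated for anyone who triages suspicious mail. The following is an added example, not part of the original post: it pulls every link out of an HTML message body and flags the classic phishing tricks, namely link text that shows one site while the href goes to another, a username part in the URL (`https://apple.com@evil.example` actually goes to evil.example), Punycode hostnames used for look-alike domains, and any host that is not under a domain the sender is expected to use. The sample email, the `example` domains and the `xn--pple-43d.com` look-alike are constructed for the demo; the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the body of a phishing mail that imitates an Apple ID alert.
SAMPLE_EMAIL = """
<p>Your Apple ID has been locked. Restore access here:
<a href="https://apple.com.verify-login.example/reset">https://appleid.apple.com/</a></p>
<p>Questions? <a href="https://apple.com@evil.example/">Apple Support</a></p>
<p>Or visit <a href="https://xn--pple-43d.com/">apple.com</a></p>
<p>Genuine link for comparison: <a href="https://support.apple.com/">Apple Support</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased hostname of a URL or bare domain, or '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def _under(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(html: str, trusted_domains) -> dict:
    """Map each suspicious href to the list of reasons it was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.username is not None:
            reasons.append("credentials-in-url")      # browser goes to the part after '@'
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode-host")           # IDN homograph such as xn--pple-43d.com
        if "." in text and " " not in text and _host(text) and _host(text) != host:
            reasons.append("text-host-mismatch")      # shows one site, leads to another
        if not _under(host, trusted_domains):
            reasons.append("untrusted-host")
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL, ["apple.com"]).items():
        print(href, "->", ", ".join(reasons))
```

The `trusted_domains` list is deliberately a suffix match on the hostname, so `apple.com.verify-login.example` is not accepted just because it starts with `apple.com`; that prefix trick is exactly what the first sample link relies on.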
Always encrypt data, including on-premise, in the cloud, and via email
Using encryption can help to limit the damage from some of the most common types of security breaches. Encryption provides an extra layer of protection that makes data unreadable to anyone without the key: full-disk encryption for laptops and phones that get lost or stolen, TLS (HTTPS) for data moving over the network, and S/MIME or PGP for sensitive email. It only helps, though, if the keys are managed and stored separately from the data they protect; an encrypted backup with the key sitting beside it is not encrypted in any useful sense.
Create strict access policies
Employees should only have access to the systems and data they need, when they need them; this is the principle of least privilege. Protocols should be put in place to grant and revoke access in a timely manner, including the day someone changes roles or leaves. It's far too easy for employees to compromise data accidentally: cached copies of sensitive information get saved to their personal workstations, important files get moved or deleted, and people end up emailing something they shouldn't have. Plus, the fewer people that have access, the easier it is to pinpoint the source of a breach.
Your system admin should create and enforce a strict access policy and make folders inaccessible by default until the employee requests and is approved for permission. While this may not be the most convenient solution for your employees, it's worth the hassle to avoid an enterprise data security breach.
Avoid public computers and wi-fi
Hotels, airports, libraries, etc., offer public computers for people to use on the go, and coffee shops, bars, and restaurants are increasingly offering wi-fi to patrons. Unfortunately, when you sign into a public computer or wi-fi network, you have no way to know how strictly someone monitors them or what users before you may have done to compromise the system.
Hold off on checking your work email until you get to a protected device and network. Be especially careful on open wi-fi: the wireless link itself carries no encryption, so anything your applications send in the clear (plain HTTP, old mail protocols) can be "sniffed" by anyone else on the same access point, and an attacker can stand up a hotspot with the same name to put themselves in the middle. Traffic to sites that use HTTPS stays encrypted end to end, so check for it before entering a password, and use your company's VPN if it has one.
Keep track of all on-premise visitors
Another common attack method is physical social engineering, in which intruders dress up as maintenance workers, guests, or visitors, tailgate past your front desk, and plug a thumb drive into an unattended, unlocked workstation.
Establish protocols for allowing visitors, clients, interviewees, and maintenance crews in and out of your building. Each guest should be checked in, verified, and kept in a designated reception area with a receptionist or office manager watching nearby until they are met by the appropriate employee. Locking your screen whenever you step away closes off the unattended-workstation part of the attack.
Pay attention to breaches in the news
When you hear that there's been a security breach at LinkedIn or Dropbox and you know you own an account with them, log in and change your password immediately, and change it anywhere else you used the same password, since that is where the leaked credentials will be tried next. Notify your IT administrator if you've been accessing the account from your company computer so they are aware of any potential threat to security.
Cybersecurity during COVID-19
The confusion of information and added stress of figuring out how to work from home may leave many people extra vulnerable to security breaches. Stay on high alert if anyone contacts you unsolicited asking for passwords, banking information, a social security number, a credit card number, or anything similar; treat such requests as a scam. The government will not contact you directly about stimulus check deposits or about setting up a vaccination appointment. Many people, especially the elderly, have fallen victim to scams like these that take advantage of a confusing moment. Now, more than ever, it's necessary to stay vigilant about protecting your personal information.
Once a hack occurs, there’s no telling how much damage it will do. The best tactic when dealing with the potential of cyber threats is a good defense. Put safety plans in place, update them regularly, and keep your employees educated about web best practices. It takes a village to keep your company’s data secure.