Most of the time, it begins with the click of a button. Or one wrong download. Or one malicious email opened. In the world of cybercrime, hackers prey on the most vulnerable. When Target was hacked, for instance, the attack began with criminals targeting a third-party vendor associated with the retail giant. The vendor was easier to attack and provided a convenient window into Target’s network. From there, 110 million consumers were hacked.
In cyberspace, the weakest targets are the first ones to get attacked. It’s not going to be your business’s IT head whose computer is hacked – it’ll be an employee on the ground floor. Hence, the popularity of the phishing email among hackers – those malware-laden messages that will be recognized by experts but which appear harmless to the untrained eye. These days, most eyes in a business are untrained when it comes to even basic cybersecurity practices. This isn’t the fault of employees – instead, the accountability lies with organizations that don’t suitably train their staffers in the best cybersecurity practices for everyday business computing. To help solve this issue, we’ve put together a list of cybersecurity basics that every business employee should be taught to practice:
Avoid any email that asks for username/password information: If your bank – or what appears to be your bank – sends you an email stating that your old password has expired and that you have to email it in to get a new one, you can tell right off the bat that it’s a phishing scheme. As CBS News reports, phishing intrusions “aim to fool users into giving up sensitive information by impersonating sites or people they trust.” No legitimate service or website will ask users to transmit sensitive account-related data over email.
As a business, it’s important to train your employees to recognize that messages such as these are inherently problematic. If an employee opens such a message on his or her personal email while on the company network, then there’s the potential for malware to be unleashed across the whole business system. Therefore, it’s important for companies to make clear that staffers should only enter sensitive data on sites that have been administratively vetted, or after consulting with IT.
Ensure that work and personal email accounts don’t intersect: In a piece for The Washington Post entitled “Protect your assets by practicing common-sense cybersecurity,” columnist Barry Ritholtz explains that one of the key elements of maintaining workplace email security is having an email address that’s solely devoted to business – with no wiggle room.
“This is your main address — for colleagues, clients and peers,” Ritholtz states. “Never share this e-mail address. Don’t subscribe to anything using this address — no Internet mailing lists, no subscriptions … Use this address alone for your finance- and business-related e-mails.”
As a business administrator, it’s your duty to ensure that your employees are using their company email account for work-related functions only. This needs to be made clear in staff meetings and any communications with workers. It’s the responsibility of organizational leaders to teach staffers that a company email account doesn’t function in the same way a personal account does. Here are some distinguishing factors for a business email account:
- It should not be linked to any email subscription lists. These lists pose an intrinsic threat as far as phishing emails are concerned, and in a corporate network limiting such vulnerabilities is a priority.
- It should be protected with more than just a password. A business email account is one way to gain access to a company network. If all that’s keeping a cybercriminal out is a username and password, that’s a problem. Enterprises need to equip their employees’ email accounts with additional identity-verifying measures like multifactor authentication in order to keep the bad guys out.
Have open discussions about cybersecurity around the office: The biggest step to getting people proactive about an issue or idea is to promote awareness about it. Therefore, one of the best cybersecurity practices for staffers and administrators alike is to talk about it — a lot. Cybersecurity isn’t the kind of thing that can be addressed at one annual board meeting and then shelved until the following year. Because hackers are always evolving, so too must cybersecurity conversations. And that means they have to happen on a regular basis.
For most organizations, this doesn’t have to mean more than setting aside five to 10 minutes at the company-wide meeting to discuss, say, new and emerging threats, or perhaps some safe computing tips from the IT team. By turning cybersecurity into something that has its place at the enterprise conversational table, companies have a better shot at ensuring that their employees leverage best cybersecurity practices in everyday office computing.
These practices represent just a few of the many things a business must do to preempt an intrusion. In addition to proper personnel training, every enterprise out there must have the tools and resources in place to secure the company network and the identities of those who have access to it. That’s where indispensable assets like encrypted email and two-factor authentication come into play.