When developing cybersecurity programs, many businesses focus on protecting their infrastructure perimeters and device endpoints. But it’s also important to consider what happens when a threat bypasses perimeter defenses and targets an employee in the form of a malicious email, text, or even a voicemail that might prompt an employee to respond with confidential company information. In this article, we explore the need for employees to practice strict and secure cybersecurity habits — not only to thwart digital attacks, but also to prevent someone from simply walking by their desks (in the office or at home) and picking up devices or documents that contain sensitive information.
We also present the key steps small and midsize business (SMB) leaders can take to educate their employees to help secure their companies’ data and intellectual property.
Keep a Clean Desk
Employees who keep cluttered desks tend to leave USB drives and smartphones out in the open. They also often forget to physically secure their desktops and laptops so someone can’t simply walk off with them.
Encouraging employees to maintain neat desks pays off in two ways: Digital and paper assets are more secure, and employees with clean desks are more apt to be productive because they can quickly — and safely — access the tools and resources they need to do their jobs.
Social engineering is non-technical, malicious activity that exploits human interactions to obtain information about internal processes, configuration and technical security policies in order to gain access to secure devices and networks.
Such attacks are carried out when cybercriminals pose as credible, trusted authorities to convince their targets to grant access to sensitive data and high-security locations or networks.
An example of social engineering is a phone call or email in which an employee receives a message that their computer is sending bad traffic to the internet. To fix this issue, end users are asked to call or email a tech-support hotline and prompted to give information that could very likely give the cybercriminal access to the company’s network.
Phishing Email Compromises
One of the most common forms of social engineering is email phishing — an attempt to acquire sensitive information such as usernames, passwords and credit card data by masquerading as a trustworthy entity. Phishing is likely the No. 1 email threat employees need to focus on. Such emails often spoof the company CEO, a customer or a business partner so that the victim thinks they are responding to a legitimate request. The FBI says CEO (or C-level) fraud has increased 270% in the past two years, with more than 12,000 reported incidents totaling more than $2 billion in corporate losses.
Low Security Account Credentials
Although it should be common sense, employees need to avoid the use of passwords that are easy for hackers to guess. Among the worst passwords are those that use a series of numbers in numerical order, such as “123456”. The names of popular sports, such as “football” and “baseball”, are also on the list, as are keyboard patterns such as “qwerty” and even the word “password” itself.
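The patterns named above (sequential digits, common dictionary words, keyboard rows, the word “password”) are easy to screen for at the point where a password is set. The script below is an added example and not part of the original article; the denylist, the minimum length of 12 characters and the sample passwords are constructed for illustration, and a real deployment would replace the short denylist with a large breached-password corpus.

```python
"""Weak-password screening for the patterns the text names.

Added example, not from the original article. The denylist, the
length policy and the sample inputs are constructed for illustration.
"""
import re

# Constructed denylist: the examples the article names plus a few
# obvious relatives. Production checks should use a much larger list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "football", "baseball",
    "12345678", "letmein", "welcome", "abc123", "admin",
}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed policy value


def has_sequential_digits(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more consecutive ascending or
    descending digits, e.g. 1234 or 9876."""
    for group in re.findall(r"\d+", pw):
        for i in range(len(group) - run + 1):
            window = [int(c) for c in group[i:i + run]]
            steps = [window[j + 1] - window[j] for j in range(run - 1)]
            if all(s == 1 for s in steps) or all(s == -1 for s in steps):
                return True
    return False


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more adjacent keys from one
    keyboard row (e.g. 'qwer', 'asdf'), in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def normalise(pw: str) -> str:
    """Strip digits and symbols commonly appended to a dictionary word
    so that 'Football1!' still matches 'football'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    if has_sequential_digits(pw):
        reasons.append("contains a run of sequential digits")
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard-row run")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs covering each rejection reason.
    samples = ["123456", "football", "Qwerty2024!", "Baseball1!",
               "correct-horse-battery-staple-7"]
    for candidate in samples:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The normalisation step matters in practice: users asked to avoid “football” tend to submit “Football1!”, which a plain denylist lookup would accept. Returning a list of reasons rather than a boolean lets the enrollment form tell the employee exactly which habit to drop.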
Mobile Threats Jeopardizing Company Data
Mobile security is increasingly becoming a big concern as more and more companies adopt bring your own device (BYOD) environments, which allow end users to connect to corporate networks through their own (often multiple) devices. Even in cases where a business does not offer BYOD, end users often find a way to log on to business networks on their own. Businesses must now protect endpoint devices that are not completely under their control.
Top Browser Threats
When end users venture out onto the internet, it’s easy to get tangled up in the vast web of threats lurking on many web pages. Some of them are readily apparent, but others are well hidden.
Malvertising — a form of malicious code that distributes malware through online advertising — can be hidden within an ad, embedded in a web page, or bundled with software downloads. This type of threat can be displayed on any website, even those considered the most trustworthy.
To read the full version of this article go to info.thriveon.net/cybersecurity-guidelines.