Cyber-crime incidents are rising fast. Cyber-criminals target not only large companies and government institutions but also small and medium businesses, which have become a favourite target. The 2019 Official Annual Cybercrime Report estimates that the cost of cyber-attacks will top $6 trillion annually by 2021. Even organizations that deploy sophisticated threat detection cannot consider themselves safe, because many incidents begin with everyday workplace behaviour rather than with a technical failure. The key to reducing this exposure is to train and educate employees in the correct handling of information and systems at the workplace. The following are the top five cybersecurity tips to follow at work:
1. No Shortcuts with Passwords
A single employee's password can compromise not only the organization's data but also that of its clients, partners and suppliers. Never reuse a password across accounts, and build each one from a unique mix of upper- and lower-case letters, numbers and special characters. Even where the rule is a minimum of eight characters, go longer: doubling the minimum makes the password far harder to crack, because every extra character multiplies the space an attacker has to search. Avoid anything tied to you, such as your name, a pet's name, a spouse's or child's birthday, a vehicle or mobile number, or details you post on social media; attackers try those first. A good alternative is a password manager, which can generate and store a unique, complex password for every account or service. It is also a good idea to expire the passwords of unused accounts so that dormant or "ghost" accounts and leaked old credentials cannot be used to get in. According to the 2019 Data Risk Report, about 61% of organizations had more than 500 user accounts whose passwords never expire. Note that current guidance such as NIST SP 800-63B favours changing a password when there is evidence of compromise over forcing rotation on a fixed schedule, so aim expiry at dormant and orphaned accounts rather than at everyone every few weeks. Generating strong passwords, updating them when needed and keeping them under control is a strenuous but essential exercise, both personally and organizationally.
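The points above (generate with a password manager, go well past the eight-character minimum, keep personal details out) can be made concrete. The following is an added example written for this article, not code from the original page or from WATI: it generates passwords with Python's CSPRNG, checks a candidate against the rules described, and puts numbers on why length matters more than mixing in symbols. The symbol set, the 16-character minimum and the guess rate are assumptions.

```python
"""Added example (not part of the original article): generating unique
passwords with a CSPRNG, checking them against the rules above, and
putting numbers on why length beats character-class tricks.
Only the Python standard library is used; thresholds are assumptions."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set; adjust to site policy
MIN_LENGTH = 16                         # assumed: double the usual 8-character minimum


def generate_password(length: int = 20) -> str:
    """Return a random password drawn with the `secrets` CSPRNG (never `random`).
    Redraw until every character class is present so policy checks pass."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def keyspace_bits(length: int, classes) -> float:
    """Bits of entropy for a uniformly random password of `length` characters
    drawn from the union of `classes`; this is the search space an attacker
    must cover when the password is truly random (not a dictionary word)."""
    alphabet_size = sum(len(cls) for cls in classes)
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time to brute-force half the keyspace at a given guess rate.
    1e11 guesses/s is an assumed figure for a GPU rig against a fast hash."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def check_password(password: str, personal_terms=()) -> list:
    """Return a list of policy violations (empty list means acceptable).
    `personal_terms` holds things like names, pets, plate and phone numbers
    that the article says must not appear in a password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER),
                      ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in cls for c in password):
            problems.append(f"missing {name} character")
    lowered = password.lower()
    for term in personal_terms:
        term = str(term).lower()
        if len(term) >= 4 and term in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, check_password(pw))
    # 8 chars from all four classes versus 16 lowercase letters:
    all_classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    print(f"8 chars, 4 classes : {keyspace_bits(8, all_classes):.1f} bits")
    print(f"16 lowercase chars : {keyspace_bits(16, (LOWER,)):.1f} bits")
    print(f"20 chars, 4 classes: {years_to_crack(keyspace_bits(20, all_classes)):.2e} years")
    print(check_password("Fluffy2019!", personal_terms=["Fluffy", "2019"]))
```

The comparison printed by the `__main__` block is the point: sixteen lowercase letters give more entropy than eight characters drawn from all four classes, so "double the minimum" is better advice than "add a symbol". The entropy figures assume the password is genuinely random; a password manager delivers that, a human picking "Fluffy2019!" does not.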
2. Be Vigilant about Phishing
The Internet is as malevolent as it is benevolent. Never click a link from an unknown or unverified sender before carefully scrutinizing the link itself. The sender may pose as a representative of your organization or of a reputed company, reuse that company's logos and a look-alike web address, and send from a disguised e-mail account ("phishing"), so pay close attention to detail.
Attackers are getting creative, but phishing messages typically carry one or more of the following characteristics:
- The message comes from a free personal mail domain such as @gmail.com or @yahoo.com. Almost no legitimate organization communicates from a domain that is not uniquely its own.
- Typos or substituted characters in the domain name that are hard to spot at a glance
- A shabbily written message body and/or blurry, low-resolution copies of logos and images
- A sense of urgency to act now
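The first, second and fourth indicators above can be checked mechanically before a message reaches anyone's inbox. The block below is an added example written for this article (not code from the original page or from WATI): it parses a raw message with Python's standard `email` module, flags a free-mail sender domain, detects typo-squatted lookalikes of the organization's own domain with an edit-distance check, and looks for urgency wording in the subject and body. The free-mail list, the trusted-domain list, the urgency patterns and both sample messages are constructed for the demo.

```python
"""Added example (not part of the original article): scoring an e-mail against
the phishing indicators listed above. The sample messages, the free-mail list
and the trusted-domain list are constructed for the demo."""
import email
import re
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bact now\b",
    r"\bwithin \d+ hours?\b", r"\bwill be (suspended|locked|closed|deleted)\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits between domains is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain of the address in From:, ignoring the display name, which is
    attacker-controlled and often spoofs a real colleague or brand."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg) -> str:
    """Plain-text body; for multipart mail, concatenate the text/plain parts."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def phishing_indicators(raw_message: str, trusted_domains) -> list:
    """Return the human-readable indicators found; an empty list is a pass."""
    msg = email.message_from_string(raw_message)
    findings = []
    domain = sender_domain(msg)
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses a free-mail domain: {domain}")
    for trusted in trusted_domains:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            findings.append(f"sender domain {domain} is a lookalike of {trusted}")
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    for pattern in URGENCY_PATTERNS:
        match = re.search(pattern, text)
        if match:
            findings.append(f"urgency wording: '{match.group(0)}'")
            break
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = (
    'From: "IT Helpdesk" <helpdesk@examp1e.com>\n'
    "To: staff@example.com\n"
    "Subject: Urgent: your password expires today\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your account will be suspended within 24 hours unless you sign in\n"
    "at http://examp1e.com/login and confirm your details.\n"
)
SAMPLE_BENIGN = (
    "From: helpdesk@example.com\n"
    "To: staff@example.com\n"
    "Subject: Monthly maintenance window\n"
    "Content-Type: text/plain\n"
    "\n"
    "The file server will be patched on Saturday between 02:00 and 04:00.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(phishing_indicators(raw, ["example.com"]) or ["no indicators"])
```

Two design points: the display name in From: is ignored on purpose, because "IT Helpdesk" is whatever the attacker typed, and the lookalike check compares the domain only, since `examp1e.com` differs from `example.com` by a single edit that is easy to miss at a glance. Keyword heuristics like the urgency check are a coarse first filter; real gateways add SPF/DKIM/DMARC results and URL reputation.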
The same goes for downloads. Before you download anything from a website, verify its authenticity by checking the integrity of the file against the checksum or signature the vendor publishes. Most people credulously assume that a download is harmless as long as the software itself comes from a trusted source, but the place you download it from matters as much as what you download. The internet is replete with "free" versions of recognizable paid software, and such downloads frequently bundle trojans, spyware, worms, viruses and other kinds of malware.
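Checking a file's integrity, as recommended above, means computing its SHA-256 digest and comparing it with the value the vendor publishes. The following is an added example written for this article, not code from the original page or from WATI: it hashes a file in chunks, parses a `sha256sum`-style listing and compares the digests in constant time. The checksum listing and the sample files are constructed; the digest shown is SHA-256 of the three bytes `abc`.

```python
"""Added example (not part of the original article): verifying a downloaded
file against a published SHA-256 digest, streaming so large installers do
not need to fit in memory. The SHA256SUMS text is constructed for the demo."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text: str) -> dict:
    """Parse the common `<hex>  <filename>` format produced by sha256sum."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")   # '*' marks binary mode in sha256sum output
        table[name] = digest.lower()
    return table


def verify_download(path: str, expected_hex: str) -> bool:
    """Compare digests with a constant-time comparison. The expected digest
    must come from a channel the attacker cannot also control (the vendor's
    HTTPS site or a signed release note), not the same mirror as the file."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def write_sample(data: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="download-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


# Constructed checksum listing; the digest for "installer.bin" is SHA-256(b"abc").
SAMPLE_SUMS = """
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin
"""

if __name__ == "__main__":
    good = write_sample(b"abc")
    tampered = write_sample(b"abd")
    expected = parse_checksums(SAMPLE_SUMS)["installer.bin"]
    print("genuine :", verify_download(good, expected))      # True
    print("tampered:", verify_download(tampered, expected))  # False
    os.remove(good)
    os.remove(tampered)
```

A checksum only proves the file you got is the file the publisher hashed; if the attacker controls the mirror, they can replace the SHA256SUMS file too. Take the digest from the vendor's own site, or better, verify a detached signature (for example with `gpg --verify`) against a key you obtained separately.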
3. Opt In to Multi-Factor Authentication (MFA)
MFA combines two or more independent authentication factors: something the user knows (a password), something the user possesses (a security token or an authenticator app on a phone) and something the user is (a biometric such as a fingerprint). Everyone has a mobile phone these days, so opting in to two-factor authentication is easy and convenient. Where there is a choice, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM-swap attacks. Each extra barrier makes it harder for attackers to penetrate your systems and infrastructure: a stolen password alone is no longer enough.
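The "something you possess" factor in an authenticator app is a time-based one-time password. The block below is an added example written for this article, not code from the original page or from any vendor's library: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from scratch with the standard library and shows the server-side check with clock-drift tolerance and replay rejection. The shared secret is the RFC 6238 test-vector secret, so the printed code can be checked against the RFC.

```python
"""Added example (not part of the original article): the "something you
possess" factor as an authenticator-app code. This is a from-scratch
RFC 4226/6238 HOTP/TOTP implementation for illustration, not any vendor's
library; the shared secret below is the RFC 6238 test-vector secret."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC6238_SECRET = b"12345678901234567890"   # test secret from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second window index."""
    return hotp(secret, unix_time // step, digits)


def new_enrollment_secret() -> str:
    """Server side: a fresh 160-bit secret, base32-encoded for provisioning."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check. Accepts codes from `window` steps either side to
    tolerate clock drift, compares in constant time, and refuses any counter
    at or below the last accepted one so a sniffed code cannot be replayed.
    Returns the accepted counter, or None on rejection; the caller persists it."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59, digits=8))          # 94287082 (RFC 6238 vector)
    now = int(time.time())
    code = totp(RFC6238_SECRET, now)
    accepted = verify_totp(RFC6238_SECRET, code, now)
    print("first use :", accepted)
    print("replay    :", verify_totp(RFC6238_SECRET, code, now, last_counter=accepted))
```

The replay guard matters in practice: a phishing page that proxies the login can relay a victim's code within the 30-second window, so the server must also refuse a second use of the same counter, and hardware security keys (FIDO2/WebAuthn) remove that window entirely because the response is bound to the site's origin.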
4. Patch Your Devices and Software Promptly
We use many devices and applications, and each of them ships several updates (patches) every year. Undiscovered vulnerabilities lurk in most of the software we use, and as they come to light, vendors release patches to close them; until you install the patch, a publicly known flaw remains exploitable on your machine. Given the number of devices and systems in use, installing patches for all of them is time-consuming, and many people treat it as unnecessary or low priority, particularly in organizations where patch management is not enforced by a central IT team. But it is a vital task for keeping your systems safe. Remember that software and application updates are often rolled out specifically to eliminate harmful vulnerabilities from your systems.
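Central enforcement, as mentioned above, starts with knowing which hosts still run a version older than the one that carries the fix. The block below is an added example written for this article, not code from the original page or from WATI: it parses a constructed inventory export, compares versions as numeric tuples (so that 1.10.0 correctly sorts above 1.9.3, which a plain string comparison gets wrong) and reports the hosts missing a patch. The product names, version numbers, hosts and fix levels are all constructed and refer to no real advisory.

```python
"""Added example (not part of the original article): an inventory check that
flags hosts still running a version below the fixed release. Product names,
versions and hosts are constructed; nothing here refers to a real advisory."""
import re


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2, 1). Numeric tuple compare avoids the string trap
    where '1.9.3' > '1.10.0'. Components are padded to three, and a trailing
    suffix such as '-beta' sets the final flag to 0 so a pre-release sorts
    below the final release with the same number."""
    m = re.match(r"([0-9]+(?:\.[0-9]+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    is_final = 1 if m.group(2) == "" else 0
    return tuple(parts) + (is_final,)


def parse_inventory(text: str) -> dict:
    """Lines of `host product version`, as an agent or CMDB export might give."""
    inventory = {}
    for line in text.strip().splitlines():
        host, product, version = line.split()
        inventory.setdefault(host, {})[product] = version
    return inventory


def missing_patches(inventory: dict, fixed_versions: dict) -> dict:
    """Return {host: [(product, installed, required), ...]} for every product
    whose installed version is older than the version that carries the fix."""
    report = {}
    for host, products in inventory.items():
        for product, installed in products.items():
            required = fixed_versions.get(product)
            if required and parse_version(installed) < parse_version(required):
                report.setdefault(host, []).append((product, installed, required))
    return report


# Constructed sample data.
SAMPLE_INVENTORY = """
laptop-01  exampleapp  1.9.3
laptop-01  examplevpn  4.2.0
laptop-02  exampleapp  1.10.0
server-01  exampleapp  1.10.0-beta
server-01  examplevpn  4.1.7
"""
FIXED_VERSIONS = {"exampleapp": "1.10.0", "examplevpn": "4.2.0"}  # assumed fix levels

if __name__ == "__main__":
    report = missing_patches(parse_inventory(SAMPLE_INVENTORY), FIXED_VERSIONS)
    for host, items in sorted(report.items()):
        for product, installed, required in items:
            print(f"{host}: {product} {installed} -> needs {required}")
```

Run against the sample data it reports `laptop-01` for the old `exampleapp` and `server-01` for both products, and leaves `laptop-02` alone. In a real deployment the fix levels come from the vendor's advisory and the inventory from the endpoint agent; the version-comparison pitfall is the same either way.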
5. Have a Cybersecurity Training Plan
Among the myriad causes of data breaches, most involve human error, especially employees who unintentionally respond to malicious e-mails or fall prey to other types of malware attack. While people are an organization's biggest asset, they can also be its biggest security vulnerability. To reduce it, many organizations now run mandatory cybersecurity training programs for their employees. The training plan must be updated regularly to keep pace with the fast-changing technology landscape. Cybersecurity services firms with years of experience design and deliver awareness programs and cybersecurity bootcamps for organizations. Simulated cyber-emergency exercises are also fast becoming part of training plans. Such exercises should be customized to specific job functions and focus on the attacks those roles are likely to face, so that employees come away with specific takeaways and areas for improvement.
West Advanced Technologies Inc. (WATI), an ISO 27001 company, offers Cybersecurity services including VA/PT, Managed Services, Risk & Compliance Services, Advisory Services, and Training.
SaaS and technology vendors are a focus group for WATI's cybersecurity audits. WATI's cybersecurity team comprises experts certified in one or more of CISSP, CISA, CISM, GWAPT, CHFI, CEH, CPTE, CWNA and CompTIA Security+.
WATI’s offerings for Technology Companies and SaaS Vendors:
- Vulnerability Assessment & Penetration testing of web, mobile, SaaS, cloud, IoT products
- Vulnerability Assessment & Penetration testing of computing, wireless and network infrastructure
- Bootcamps and workshops to train developers in secure coding practices
- Security controls gap assessments, pre-certification audits, and post-certification compliance support
- Managed services, including Patch Management and Incident Response.