Written By Ruth E. Promislow and Katherine Rusk
Any system is only as strong as its weakest link. If your employees aren’t up to date on their cybersecurity hygiene, then it doesn’t matter how much money you spend on technological defences—there’s a gap in your protection. A trained employee can help keep your organization secure.
Below are ten tips for helping your employees make your system stronger.
Tip 1: Password Protection is Crucial
Strong passwords are the base of a strong system. Length matters more than complexity: require long passwords or passphrases, screen new passwords against lists of known-breached passwords, and require a change when compromise is suspected rather than on a fixed schedule. Mandatory periodic rotation and composition rules (so many letters, numbers and special characters) tend to produce predictable variations of the same password, and NIST SP 800-63B (2017) now recommends against both. Employees should keep their passwords in a password manager, not on a post-it note stuck to the monitor, and should never reuse a work password on a personal account. Two-factor authentication adds a second barrier that holds even when a password leaks; it can be enabled on most major online accounts, and an authenticator app or hardware key is preferable to SMS codes where the service supports them.
Tip 2: Email 101
Your employees should not be permitted to use personal email accounts for work correspondence, no matter how benign the content appears: a personal account sits outside your retention, monitoring and incident-response controls. If work email is not encrypted automatically, employees should be trained to encrypt sensitive messages and attachments before sending, and told what counts as sensitive.
Of course, all the encryption in the world will not help if the email is simply sent to the wrong person, as happened this fall when a lawyer accidentally sent confidential information about a Securities and Exchange Commission investigation of PepsiCo to a reporter at the Wall Street Journal. Address autocomplete is a frequent cause of such misdirected emails: it should be used only with great caution, and employees should double-check every recipient, especially external ones, before sending anything sensitive.
Tip 3: Protect Your Mobile Device
Any mobile device that holds corporate information should be locked with a passcode or biometric and should have device encryption enabled. Where a device cannot be encrypted, corporate data should be confined to managed apps that encrypt their own storage. Your IT team needs the ability, usually through a mobile device management (MDM) tool, to remotely wipe corporate data if an employee’s phone is misplaced or stolen, and employees need to know to report a loss immediately so that the wipe can be issued before the device is out of reach.
Tip 4: Recognize an Attack—and Know What to Do About It
How long would it take your employees to find the emergency IT number? Every employee should know what to do, and whom to call, if they believe there is an incident. Step-by-step instructions (who to contact, what to tell them, and to leave the affected machine as it is unless told otherwise) should be clearly communicated and accessible even when email or the network is down, for example on a printed card or in a phone contact.
Tip 5: Do Not Download Sensitive Content Onto Your Home Computer
Russian agents reportedly acquired highly classified NSA materials from a contractor in 2015 because that contractor had copied the material onto his home computer, where a routine scan by his antivirus software is said to have drawn the agents’ attention to the files. Make sure your employees know not to copy corporate documents onto personal computers, and back the rule up with technical controls where you can, such as data loss prevention and blocking personal cloud storage from corporate machines.
Tip 6: Be Careful of Public Wi-Fi
Increasingly, employees and consultants are working remotely, and they need to understand how to do so safely. On a publicly available Wi-Fi network, whoever operates the access point, and potentially anyone else connected to it, can observe, redirect or tamper with unencrypted traffic, which puts you at immediate risk of data theft. If working remotely, employees should only use secure networks, and should connect through the corporate VPN (or a personal mobile hotspot) when a public network is the only option.
In the “Dark Hotel” campaign reported in 2014, attackers used the Wi-Fi of luxury hotels to target executives staying there. The guests were prompted to download what appeared to be routine software updates, but the downloads installed malware that gave the attackers remote access to their computers. Software updates should come only from the vendor’s own update mechanism, never from a prompt on a hotel or captive-portal network.
Tip 7: Know Your Attachments
Remind employees to take the time to review an email carefully before clicking a link or opening an attachment: check that the sender’s actual address (not just the display name) is what they expect, hover over links to see where they really lead, and treat unexpected attachments, particularly macro-enabled Office documents, archives and files with double extensions such as “invoice.pdf.exe”, as suspect. Verizon’s 2017 Data Breach Investigations Report found that two-thirds of the malware in the incidents it analysed was installed via malicious email attachments in 2016.
Tip 8: Be Aware of Social Engineering
Hackers are well aware that employees are often the easiest way into a network. The point of entry is often a phishing message that tries to extract credentials or information, or redirects the user to a malicious website or file. The resulting malware infection can lead to data theft, ransomware and cybercriminals having remote access to your network.
Another form of social engineering is the business email compromise (BEC) scam. Here the attacker either breaks into an executive’s email account or sends from an address that looks very similar to it (a look-alike domain, or a free webmail account carrying the executive’s name) and instructs an employee to wire funds, which go directly to the attacker. In May 2017 the FBI reported that BEC scams had cost victims more than $5 billion worldwide. The effective control is procedural: any request to send money or to change payment details must be verified through a second channel, such as a phone call to a number already on file, and never by replying to the email itself.
Employees should be reminded about the risks of social engineering so that their guard is up.
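The look-alike signals described above (a domain one character off from the real one, an executive’s name on an outside address, a Reply-To that quietly points elsewhere) are the kind of thing a mail gateway or help-desk script can flag before a human has to notice them. The following is an added example written for this page, not code from the authors or from any product; the trusted domains, executive names, homoglyph table, edit-distance threshold and message headers are all constructed assumptions for illustration.

```python
"""Triage checks for the sender look-alikes that accompany business email
compromise (BEC) attempts. Added example, not from the article; all domains,
names and message headers below are constructed for illustration."""
from email.utils import parseaddr
from typing import List

# Assumed for this example: the organisation's own mail domains and the
# people most likely to be impersonated in a wire-transfer request.
TRUSTED_DOMAINS = ("example.com", "example-corp.com")
EXECUTIVES = {"jane doe", "john roe"}

# Substitutions that look like the original in many fonts (0 for o, rn for m).
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))

# Domains this many edits or fewer from a trusted one count as look-alikes.
# The threshold is a tuning assumption and will produce some false positives.
MAX_EDITS = 2


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common homoglyph substitutions."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """The part after the last '@', lower-cased; '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess_sender(from_header: str, reply_to_header: str = "") -> List[str]:
    """Return the BEC warning signs found in a message's From and Reply-To headers."""
    flags: List[str] = []
    display_name, from_addr = parseaddr(from_header)
    from_domain = domain_of(from_addr)

    if from_domain and from_domain not in TRUSTED_DOMAINS:
        # A registered look-alike: homoglyph-equal to, or within a few edits of,
        # a trusted domain (examp1e.com, exarnple.com, example-corp.co).
        for trusted in TRUSTED_DOMAINS:
            if (normalize(from_domain) == normalize(trusted)
                    or levenshtein(from_domain, trusted) <= MAX_EDITS):
                flags.append(f"lookalike-domain:{from_domain}~{trusted}")
                break
        # An executive's name on an external address (often free webmail).
        name = display_name.strip().lower()
        if name in EXECUTIVES:
            flags.append(f"display-name-impersonation:{name}")

    # Replies silently routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(reply_to_header)
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to-mismatch:{reply_domain}")
    return flags


if __name__ == "__main__":
    # Constructed headers, not real messages.
    samples = [
        ("Jane Doe <jane.doe@example.com>", ""),
        ("Jane Doe <jane.doe@examp1e.com>", ""),
        ("Jane Doe <jane.doe.ceo@gmail.com>", ""),
        ("Jane Doe <jane.doe@example.com>", "urgent.payment@gmail.com"),
    ]
    for from_hdr, reply_hdr in samples:
        print(f"{from_hdr!r:40} -> {assess_sender(from_hdr, reply_hdr)}")
```

These checks are a triage heuristic, not a defence on their own: they complement SPF, DKIM and DMARC on your own domains (which stop exact spoofing but not look-alike domains), and nothing here replaces the out-of-band call before any funds move. Short domains will sit within two edits of many unrelated legitimate domains, so the threshold needs tuning against real mail flow before it is used to block rather than warn.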
Tip 9: Reporting Is Necessary
Make sure your employees know that they should speak up when they think they have received a suspicious email or clicked on a malicious link. A false alarm is better than not knowing about an actual cyberattack, so reports should be welcomed and never penalized: an employee who fears blame will stay silent, and the delay costs far more than a false alarm.
Tip 10: Don't Forget Physical Security
In your efforts to train employees on cybersecurity hygiene, don’t forget that sensitive information is also stored on physical devices. When employees leave their desks, their computers should be locked or logged out, and a short automatic screen-lock timeout should be enforced so that this does not depend on memory. USB drives and other portable media should be encrypted and password protected. Just this week, an unencrypted USB key full of security details for Heathrow Airport was found on the streets of London.
Portable media received from any third party should be scanned for malware before being connected to your network, ideally on an isolated machine, and autorun should be disabled on corporate computers. USB keys can be used to install malware, as an Arkansas lawyer learned when a USB key provided by opposing counsel (purportedly containing relevant documents) turned out to carry malware that could have granted remote control of his computer.
When it comes to cybersecurity, there is no one size fits all. Consultation with counsel can highlight particular risks and vulnerabilities that can be addressed with a view to improving your organization’s cybersecurity.
Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.
For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.