Employees are at the heart of our businesses. Without them, we do not have a company. A well-run organization is like a happy family, and it is more productive when staff are content: studies show a 12% increase in productivity when workers are happy in their role. But cybersecurity issues can eat away at that heart. IBM's 2018 X-Force Threat Intelligence Index found a 424 percent jump in records breached through misconfigured cloud servers, a failure it attributes to human error. Human beings are fallible. We make mistakes. But good security practice can stop those mistakes from becoming an incident.
In this article, we look at five ways to reduce the likelihood of a breach while engaging your employees in good practice. A healthy approach to cybersecurity at work also makes for a happier place to work.
1. Clean desk policy
Once upon a time, the idea of a clean desk policy was more about keeping the office looking clean and professional than mitigating cyber-threats. However, a study from LastPass has shown that the average business user has 191 passwords to remember. And what do humans do when they have too much to remember? They write things down. Having a “clean desk” can help to prevent the very simplest of cyber-threats – a stolen password. Of course, it isn’t just about carelessly discarded Post-it notes. Keeping a tidy workplace also means that:
- Sensitive information isn’t left out for all to see
- Screens are locked whenever a laptop or workstation is left unattended, even briefly
- Devices are shut down or physically secured (locked away or cable-locked) at the end of the day
- Removable media are not left lying around
- Whiteboards and other displays do not have sensitive information left on them after use
A clean desk policy is just that – a policy. It is a template for behavior that also helps to prevent insider threats. As a policy, it needs to be incorporated into an overall security strategy document. It also has to be accepted and acted upon by the workforce, so should be done in collaboration with them (as much as possible).
Having a clean desk policy also helps you tick some compliance boxes. GDPR Article 5(1)(f) requires appropriate security to protect the integrity and confidentiality of personal data, and ISO/IEC 27001:2013 Annex A has a specific “clear desk and clear screen policy” control, A.11.2.9.
2. Be security aware
Our desks are virtual as well as real. Phishing and other forms of email compromise are still a favorite tool of the cybercriminal, and the scams get bigger and bolder year on year: in 2017 a phishing worm that abused Google Docs sharing invitations spread through Gmail, a service with roughly one billion users. Phishing hits businesses across the board; Wombat Security's 2018 “State of the Phish” report found that 76 percent of organizations experienced a phishing attack in 2017. Phishing feeds off natural human behavior. The scams play on the urgency to “click here”, fear of missing out, curiosity, or the wish to please. One way to beat phishers at their own game is to understand how they play it. Security awareness training educates the entire workforce about security and how to spot a threat before it becomes an incident, and such programs often use simulated phishing exercises to train staff to recognize a phishing email. Two things matter in practice: give staff a one-click way to report suspicious mail and measure report rates rather than only click rates, and keep the exercises blame-free, or people will stop reporting. A trained workforce is a strong line of defense but should not be the only one; SPF, DKIM and DMARC on your own domains and link and attachment filtering on inbound mail stop much of what would otherwise reach the inbox.
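The indicators that awareness training teaches people to look for can also be checked mechanically. The following is an added example, not code from the article: it parses a raw e-mail with Python's standard library and flags the classic tells (a Reply-To on a different domain, a display name carrying a spoofed address, link text that does not match the link target, and pressure language). The two sample messages, the `.example` domains and the phrase list are all constructed for this illustration, and the heuristics are deliberately simple; they complement mail filtering rather than replace it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that simulated-phishing programmes typically train people to notice.
# Constructed list for this example, not an authoritative taxonomy.
URGENCY_PHRASES = (
    "urgent", "immediately", "within 24 hours", "account will be suspended",
    "verify your account", "click here",
)

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def same_or_subdomain(candidate: str, trusted: str) -> bool:
    return candidate == trusted or candidate.endswith("." + trusted)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable red flags found in a single-part RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. Replies are routed to a different domain than the visible sender.
    reply_domain = domain_of(reply_to)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 2. The display name contains a domain (usually a spoofed address) that the
    #    real sender domain does not match.
    for claimed in DOMAIN_RE.findall(display_name.lower()):
        if not same_or_subdomain(from_domain, claimed):
            findings.append(f"display name claims {claimed!r} but mail is from {from_domain!r}")

    # 3. Link text shows one domain while the href points somewhere else.
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: look only at the first part here
        body = body[0].get_payload()
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and shown.group(0) != href_host:
            findings.append(f"link text shows {shown.group(0)!r} but points to {href_host!r}")

    # 4. Pressure language in the subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))

    return findings


# Constructed sample messages (fictional .example domains).
SAMPLE_PHISH = """\
From: "Acme Bank Security <security@acmebank.example>" <alerts@acmebank-verify.example>
Reply-To: recover@mailbox-recovery.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you verify your account immediately.</p>
<p><a href="http://acmebank-verify.example/login">https://www.acmebank.example/signin</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Acme Bank Statements <statements@acmebank.example>
Subject: Your March statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your monthly statement is ready to view.</p>
<p><a href="https://www.acmebank.example/statements">www.acmebank.example/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Run as a script, the phishing sample produces four findings and the legitimate statement none. Real mail is messier (multipart bodies, encoded headers, URL shorteners), so treat a checker like this as a teaching aid and a triage helper, not as a gate.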
3. Remote workers
A survey by IWG found that 70 percent of people now work away from the office at least one day a week. Remote workers add new endpoints and open your company to new risks, including widespread use of unprotected Wi-Fi in homes and public spaces. A T-Systems study of this behavior found that 31 percent of employees use unprotected Wi-Fi connections when working and 24 percent share work documents over an unprotected network. A secure office has to extend to remote offices and public workspaces: company devices should reach internal services only through a VPN or an authenticated zero-trust gateway, carry full-disk encryption in case they are lost or stolen, and stay patched and managed as if they were still on the office network.
4. Respect those passwords and use 2FA
Passwords are the bane of everyone’s life, but for now they are a necessary evil. Password fatigue causes frustration and is also a weak point in the office: complex password policies drive people to write passwords down on paper or in notebooks, and Pew Research found that 49% of users do exactly that. If you control a password policy, drop composition rules (mandatory symbols and digits, forced periodic changes) in favor of length, and screen new passwords against lists of known-breached passwords instead. This matches the guidance in NIST SP 800-63B in the U.S. and from the NCSC in the UK: both recommend a passphrase made up of three or four random but memorable words, with a password manager holding everything that does not need to be memorized.
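To make the NIST/NCSC advice concrete, here is an added example (not from the article) in Python: a passphrase generator driven by a CSPRNG, an entropy calculation that shows why four random words hold their own against an eight-character "complex" password, and a password check that enforces length and a breached-password blocklist but deliberately has no composition rules. The 20-word list and the blocklist are small constructed stand-ins; a real deployment would load a large word list (the EFF long list has 7,776 words) and a breached-password corpus.

```python
import math
import secrets

# Tiny stand-in word list, constructed for this example.
SAMPLE_WORDS = (
    "anchor", "brisk", "cobalt", "drizzle", "ember", "falcon", "glacier",
    "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow", "nimbus",
    "orchid", "pebble", "quartz", "ripple", "saffron", "timber",
)

# Stand-in for a breached-password corpus; constructed here, not real data.
BREACHED = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein", "welcome1"}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a secret of `length` symbols drawn uniformly at random
    from `alphabet_size` possibilities. For passphrases the 'symbol' is a word."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist=SAMPLE_WORDS, words: int = 4, sep: str = "-") -> str:
    """Pick words with secrets.choice (CSPRNG), never random.choice.
    Memorability comes from the words, strength from the count and list size."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def check_password(candidate: str, username: str = "", min_len: int = 8, max_len: int = 64) -> list[str]:
    """NIST SP 800-63B style screening: a length floor, a generous ceiling
    (the standard says verifiers should allow at least 64), a blocklist, and
    no 'must contain a symbol' rules. Returns the list of problems found."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(candidate) > max_len:
        problems.append(f"longer than {max_len} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if len(set(candidate)) == 1:
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    print("4 words from a 7,776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("3 words from a 7,776-word list:", round(entropy_bits(7776, 3), 1), "bits")
    print("8 random printable ASCII chars:", round(entropy_bits(94, 8), 1), "bits")
    print("example passphrase:", generate_passphrase())
    print("P@ssw0rd passes composition rules but:", check_password("P@ssw0rd"))
```

The comparison is the point: four words from a 7,776-word list give about 51.7 bits, essentially the same as eight truly random printable characters (52.4 bits), and nobody chooses eight truly random characters. Meanwhile `P@ssw0rd` satisfies every classic composition rule and is still rejected, because it is on the blocklist.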
Using a second factor (2FA) alongside the password is also good practice for a safe office: if your applications and other resources support a second-factor credential at login, turn it on. Second factors are typically a code from a mobile app (e.g. Google Authenticator) or an SMS text, or a hardware token; a biometric can also serve as a factor. Two caveats are worth knowing. SMS codes are the weakest option, because they can be intercepted or redirected through SIM-swap fraud (NIST SP 800-63B rates SMS and voice delivery as “restricted”), and “three letters from your passphrase” is not a second factor at all, just a second piece of something you know. App-generated codes and SMS can both be phished in real time by a proxy site; hardware security keys using FIDO2/WebAuthn bind the login to the genuine site and are the phishing-resistant choice for high-value accounts.
5. Be share aware
People like to share. In the office, we might share what we watched on TV last night or some gossip about John in accounts. We also, it seems, like to share passwords and even sensitive information. A LastPass study found that 61% of people are more likely to share a work password than a personal one. Nor is it only passwords: a Dell survey found that 72% of employees were willing to share confidential or sensitive company data. Dell noted that this was not a malicious insider threat; the individuals saw it as doing their job. The problem is that the sharing is not done in a secure and auditable way. To run a safe office you need to know what data you hold and where it goes. Security policies should take data flow into account: classify your information assets, provide an approved sharing channel that records who shared what with whom, and make that channel easier to use than e-mail attachments and personal cloud drives, or people will route around it.
The Safe Office Policy
Most of the tips above come down to awareness of a situation. Making your office cyber secure means knowing what the threats to that security are, then creating and implementing processes and procedures that make safe working the default. By involving your staff in those procedures you show them why cyber-threats matter, and you give them the means to defend not only their workspace in the office but their home as well.