If you asked most workers who is responsible for cybersecurity, they’d point you towards the IT department. While they would be partly right, the truth isn’t quite so simple. Although IT departments act as round-the-clock cyberdefenders on our behalf, they could use a little help.
Cybercriminals are smart enough to target what they see as the weakest link: people. No matter how skilled the IT team are at bolting the virtual doors, it only takes one cleverly targeted phishing email or one ill-judged click to create a window of opportunity through which the criminals will gleefully enter. But, from sales reps to CEOs and from accounts clerks to, yes, IT security specialists, we must all see ourselves as targets – and we can all take these steps to create a culture of security in which cybercriminals cannot flourish:
1. Passwords: steer clear of the obvious. That means no pet names, no sports teams and no dictionary words. For more of the worst, Splash Data releases an annual worst password list. Hint: 123456 and qwerty will be guessed in seconds. Using a pass-phrase is better, but don’t reuse the same pass-phrase across multiple systems, and don’t write it down. Even better, use a password management tool, and wherever available, use two-factor authentication or another form of strong authentication. These steps will greatly reduce the chances of a system being compromised.
2. Never give your credentials, such as login ID and password, to anyone. Your bank, accountant and IT team will never ask you for such details. Hackers could target you in multiple ways including phone and email – and they can seem very convincing. One common scam is to call individuals and claim there is a problem with their computer that needs to be fixed. You will never be legitimately asked for your password.
3. Guard your personal information carefully. As with your password, authentic contacts won’t call or email and ask you for your date of birth, tax file number or mother’s maiden name. If in doubt, look up a verified contact in the organisation and call them directly, so you know exactly who you are dealing with.
4. Address hard-copy hazards. Be mindful of where you leave documents, use a printer close to your desk, and when you leave the room, take your files with you and log out or lock your device. It doesn’t take many discarded documents or sneak peeks to steal someone’s identity, so consider using a shredder for any confidential information, at home and at work.
5. Don’t share everything. It is amazing how quickly information can be gathered on social media, and how harmful it can be in the wrong hands. Those games to work out your Harry Potter name or which celebrity you most resemble may seem innocent – but they are often based on your birthday and on information that can be used as security questions, such as your first pet’s name. Combining the data with your 40th birthday happy snaps or even the electoral roll can start to build quite a picture. Think twice before posting, and restrict who can see your accounts. If you have children, educate them to do the same.
6. If something seems strange… it probably is. We are all bombarded by emails, and so it is easy to become distracted, but try to take time to evaluate what you are reading. Check the domain name in the sender address. Look for grammatical errors, the way language is used, the quality of logo images, and the way the phone number is written. Never click unless you are sure, and discuss anything you aren’t sure about with your manager or your IT team. Remember, if an email seems too good to be true… it probably is. The converse is also true – if the ATO calls and says there is a warrant for your arrest, it is, hopefully, a scam. The AFP has a handy guide to some of the common forms of online scams – but these change daily, so check with IT if you aren’t sure.
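One way to turn the sender-domain check in tip 6 into something a help desk script or mail gateway could run automatically. This is an added example, not code from the original post; the trusted domains and the sample From headers are constructed for illustration.

```python
"""Heuristic check of an email's From header for the warning signs in tip 6.
Added example; TRUSTED and the sample headers are constructed, not real."""
from email.utils import parseaddr
from typing import List

# Assumed: organisations the reader deals with, mapped from their real domain
# to the name those organisations use in a display name.
TRUSTED = {"example-bank.com": "Example Bank", "company.example": "Company"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> List[str]:
    """Return warnings for a From header; an empty list means nothing looked odd."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["no parseable address"]
    if domain in TRUSTED:
        return []  # exact match with a domain we know
    warnings = []
    for real, org in TRUSTED.items():
        label = real.split(".")[0]
        # Display name claims a trusted organisation, but the domain is not theirs.
        if org.lower() in name.lower():
            warnings.append(f"display name says '{org}' but domain is {domain}")
        # Trusted name buried inside a longer, different domain.
        if label in domain:
            warnings.append(f"domain {domain} contains '{label}' but is not {real}")
        # Off-by-one spelling of the real domain (digit for letter, dropped char).
        elif _edit_distance(domain, real) <= 1:
            warnings.append(f"domain {domain} is one edit away from {real}")
    return warnings


if __name__ == "__main__":
    for sample in ["Example Bank <alerts@example-bank.com>",
                   "Example Bank Security <security@example-bank.com.secure-login.test>",
                   "Example Bank <no-reply@examp1e-bank.com>"]:
        print(sample, "->", check_sender(sample) or "looks consistent")
```

The checks are deliberately simple: they catch the display-name and lookalike-domain tricks the tip describes, and anything flagged should still be confirmed with the IT team rather than acted on.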
7. Practise safe clicking. We can help with software that greatly reduces your risk, but good practice is still a vital element of safety online. Double check the URL before you click, and be wary of clickbait – use your common sense: there really isn’t a safe way to lose 50 kg in 10 days that doctors don’t want you to know, and you can’t look a decade younger with one simple cream. Don’t go there.
8. Back it up – regularly. It is easy to become complacent because we know that our IT team is doing a sterling job of backing up corporate information… but what about unstructured data? The photos on your phone, the work you took home and completed on your laptop, the inspiration that you captured on your iPad during your commute – you probably have a lot more valuable content in your hands than you realise. Fortunately, the wealth of cloud options makes backup simple and easy – seek backup recommendations from your IT department, and make sure you check often that your backup is still working to plan.
9. Verify orders. We’ve seen occasions where an organisation receives an order from a new contact within an existing customer, only to find that the person did not have authority – or even does not exist. A quick call is worthwhile, especially if the order is large or it deviates from typical buying patterns. Any legitimate contact will appreciate that you are security conscious.
10. Tell someone. If you think you may have clicked an unsafe link or if you’re just not sure, the sooner you contact IT, the better. We can guarantee you won’t be the first, and there is no shame in checking. Sure, the IT team is busy – but they would far rather stop a problem early than wait for it to become a crisis.
For many organisations, a physical security culture is already a part of everyday life, and these tips will help to build an IT security culture to match. Sharing IT security information with your team, and making it a part of regular training and induction processes, will help to keep everyone’s valuable information safe.
Time to make online security a part of your workplace culture? Follow me on LinkedIn for more tips, or call me for a chat, I’m always happy to help.