Cybersecurity CEO: Top Five Secrets From People Who Haven’t Been Hacked (Yet)
February 20, 2020
The best cybersecurity practices for your employees.
Los Angeles, Calif. – Feb. 20, 2020
“The world is hacked, and it’s users’ fault.” That was the headline of an InfoWorld article a decade ago. Surprisingly and unfortunately, it’s as true today as it was back then.
Everyone likes to talk about a “perfect world”. We often say, “In a perfect world…” and then go on to describe some utopian state. But when it comes to cybersecurity there is no such thing. “As good as it gets” is often accepted, and “proactive defense” tends to be what we strive for in the midst of a cybercrime epidemic that is expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
The proverbial low-hanging fruit when it comes to shoring up your cyber defense is training employees to be more security-aware. End users are your first line of defense and your weakest links.
So, what should your employees be doing, and not doing?
I came across an article in Reader’s Digest recently that’s the perfect place to start. They offer up 18 secrets to borrow from people who never get hacked. Let me start by reiterating, “never” is an ambitious term. I carefully read through the list and distilled it down to the top five tips, with my own observations and recommendations. It’s not that these five are any more important than the rest, but they are the least obvious and most underutilized across the enterprises that my firm, Herjavec Group, works with.
Five Ways To Keep Cyber Safe
- HTTPS Only. Google recommends securing websites with HTTPS. Any HTTP site, without the ‘S’ for Secure, is a cyber accident waiting to happen. Your employees should not slip and fall on an unsecured site, but it happens all the time. A surprising number of websites still begin with http:// instead of https://, and when a user hovers over a hyperlink to one of them, the missing ‘S’ is easy to overlook. Why is this so important? Most scam sites are not secured. Don’t let your employees go there.
- Report Lost Or Stolen Devices. If an employee loses a device or has one stolen – a mobile phone, laptop, tablet, USB drive, or other – then they should immediately report it to your IT or cybersecurity team. Did I say ‘immediately’? YES! STAT! That way the user accounts connected to that device can be disabled and locked out of your network, or monitored for unauthorized access. Employees tend to wait too long before reporting a loss or theft while they search for the device. An employee should not wait until they get home to look for their mobile phone or laptop. Report it right away; if the device turns up and access can be reinstated later, all the better.
- Have I Been Pwned? Knowledge is power in the war against cybercrime. Troy Hunt, an information security author and instructor, developed a free and powerful resource – the haveibeenpwned.com website – that allows a user to type in their email address and learn if they have an account that has been compromised in a data breach. I highly recommend this site for another reason – your employees should check out the FAQs to learn the basics of data breaches and stolen credentials. This material is great for introductory cybersecurity awareness training and should be reviewed.
- Don’t Use Public USB Chargers. Most of your employees are probably unaware that public USB chargers – for mobile phones, tablets, and laptops – can be tampered with by cybercriminals, and are unsafe. In fact, some charging stations can even download data without user consent, or install malware that could lead to a ransomware infection. The safe practice here is for your employees to always use their own chargers when they are out of the office. Many companies also lock down USB ports, in general, to ensure that no infected USB devices come into contact with a network device. You’ve got to consider your working environment, shared drive access and team communication needs when prioritizing this level of control.
- Turn on Multi-Factor Authentication (MFA). MFA, of which Two-Factor Authentication (2FA) is the most common form, is a must for every employee, period. It should be turned on in everyone’s email app (corporate and personal), as well as in every app that supports it. Microsoft and Google have stated that MFA will stop 99 percent of automated attacks. MFA will save your employees, and your organization, from cyber intrusions. It’s a must.
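The Have I Been Pwned tip above describes the email-address lookup, but the same haveibeenpwned.com service also publishes a Pwned Passwords range API that lets a client check a password against breach data without ever sending the password, or even its full hash, to the service: only the first five hex characters of the SHA-1 digest are sent, and the matching is done on the client. The example below is added here; it is not code from the original post, from Herjavec Group, or from haveibeenpwned.com. The breach list and counts it uses are constructed for the demonstration, the function names are this example's own, and the `live_fetch_range` helper (which needs network access and is not exercised offline) is an assumption about how the same check would be wired to the real endpoint.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample data: secrets we pretend have appeared in breaches, with
# made-up counts. In a real check the counts come from the service.
CONSTRUCTED_BREACHED = {"password": 1234, "letmein": 57}


def sha1_prefix_suffix(secret: str) -> Tuple[str, str]:
    """Hash the secret with SHA-1 and split the hex digest into the 5-character
    prefix that is sent to the service and the 35-character suffix that stays
    on the client and is compared locally (the k-anonymity range query)."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a lookup table.
    Malformed lines are skipped rather than trusted."""
    table: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.strip().isdigit():
            continue
        table[suffix.upper()] = int(count)
    return table


def pwned_count(secret: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the secret appeared in breaches (0 = not found).
    Only the 5-character prefix is handed to fetch_range; the full hash and
    the secret itself never leave this function."""
    prefix, suffix = sha1_prefix_suffix(secret)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for the network call: builds the kind of response the
    range endpoint returns, from the constructed breach list above, plus one
    filler entry so the response always holds more than the matching line."""
    lines = []
    for secret, count in CONSTRUCTED_BREACHED.items():
        p, s = sha1_prefix_suffix(secret)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":1")  # filler suffix, constructed
    return "\r\n".join(lines)


def live_fetch_range(prefix: str) -> str:
    """Fetcher for the real Pwned Passwords range API (network access needed).
    Assumed wiring; not used by the offline demonstration below."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "letmein", "a long unique passphrase 9f3k"):
        n = pwned_count(candidate, constructed_fetch_range)
        verdict = f"seen {n} times, do not use" if n else "not in the sample set"
        print(f"{candidate!r}: {verdict}")
```

The point worth taking into awareness training is the design, not the code: a breach check that requires the user to hand over the secret being checked is itself a credential-leak risk, whereas the prefix query reveals nothing useful about which of the several hundred hashes in the returned range the client was interested in.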
At the end of the day, when it comes to your team and your employees there is no sure-fire, perfect way to prevent a cyber-attack. But you can reduce your risk by training, testing and retraining on a regular basis. I encourage you to share these “secrets” and the recommendations with your team – and to challenge your cybersecurity and HR teams on how you’re educating and testing your employees. Don’t be disappointed when a team member is identified as the weakest link in an attack if you didn’t have the right controls in place.
Let’s not settle for “As good as it gets”.
To Your Success,
Originally posted on cybersecurityceo.com