The content below was originally published on the Insperity blog, a great source of information for business and HR best practices.
As cybercriminals advance in sophistication, the looming threat of cyberattacks poses a significant risk to businesses. And with a surge in remote and hybrid work setups, the vulnerabilities increase, making it imperative for employers to bolster their cybersecurity defenses.
Employers need to:
- Maintain awareness and vigilance
- Educate employees
- Deploy proactive measures to reduce risks and prevent attacks
It doesn’t matter whether your company is large, midsize or small, or in the public or private sector – cybercriminals don’t discriminate. In fact, smaller businesses are attractive to bad actors because they typically have lower IT budgets and weaker cybersecurity measures in place.
In this blog, we explore 12 crucial cybersecurity practices to shield your business, ranging from securing remote workspaces and establishing secure connections to thwarting phishing scams and leveraging IT expertise.
What are the consequences of poor cybersecurity?
The impact of cyberattacks on businesses can be widespread and devastating:
- Breach of sensitive personally identifiable data, which can lead to identity theft
- Disclosure of proprietary company information, such as intellectual property, which can harm a company’s competitive advantage
- Loss of confidential employee or client information
- Financial and legal penalties if the company is found to have not properly protected certain data
- Damage to company devices and systems
- Harm to company brand
- Downtime and the associated loss in revenue
- High IT costs to fix issues and improve security measures going forward
12 cybersecurity practices to have in place now
1. Provide and use only company-issued devices and applications for work
It’s extremely risky to allow employees to use their own devices or unapproved applications when working remotely.
You may not know anything about – nor do you have any control over – the configuration of those operating systems, firewalls, antivirus protection, software updates or authentication requirements.
It can be a risky proposition to allow personal devices to access your company network and resources. Do you want to put sensitive company data at risk of exposure if that device or application is compromised?
If your employees are going to work remotely, a better scenario is to provide them with a company-issued device that’s outfitted with all the necessary protections and vetted to company standards. However, if your organization is unable to deploy company assets, your IT team should consider how they will evaluate personal devices before they can connect to your company network and resources.
2. Physically secure workspaces outside of the office
When employees work outside the office, it’s often at home or in a public space, such as a coffee shop, library, airport or hotel. Just because these tend to be relaxed, casual environments doesn’t mean that employees can let down their guard and become lax about security. That laxity is exactly what makes remote workers look like easy targets, and therefore especially vulnerable to cyberattacks.
Tips to secure devices outside office workspaces
- Device usage: Minimize the use of personal devices for work.
- Approved applications: Restrict usage to company-approved applications and hardware.
- Family access: Prohibit family members from using company-issued devices.
- Lock screen: Enable a password-protected lock screen that activates after no more than 15 minutes of inactivity. (Your organization can mandate this on company-issued devices.)
- Secure storage: Store devices securely at the end of the workday – preferably in lockable spaces.
- Visibility: Avoid leaving devices exposed or in a spot where they’re visible through a window to prevent theft.
- Document security: Secure loose paperwork, locking it away at the end of the day.
- Videoconferencing: Be aware of what others can see behind or around you. Make sure no sensitive work-related information is visible. This could include:
  - Schedules
  - Unrelated project or meeting notes
  - Confidential client information
  - Confidential employee information – for which the inadvertent disclosure could violate certain laws
- Voice-activated devices: Exercise caution with voice-activated, digital home devices that can accidentally record the audio of confidential work phone calls or videoconferences.
- Printing: You may also want to consider the ability of employees to print work-related documents at home. Paper records in a home office could cause a retention problem or data disclosure issue.
3. Establish a secure connection to company systems
To prevent outside parties from eavesdropping on their activity or stealing company data, your employees should use a secure, private Wi-Fi connection when working outside the office.
What does this mean?
The Wi-Fi network should be password protected and the provider of the Wi-Fi should be known. Connecting to “Free Public Wi-Fi” is never a good idea.
Best practices around Wi-Fi connection
- Passwords should be unique and not shared.
- Avoid using a default password on any technology.
- Avoid unsecured, public Wi-Fi networks when working remotely but outside the home.
Additionally, a crucial extra layer of cybersecurity is to use a virtual private network (VPN). A VPN provides a secure connection between your device and your company network. All data transferred between these points is encrypted. The encryption provided by the VPN ensures that criminals can’t eavesdrop on authentication or the data being transferred between your device and your company resources.
An extra benefit of a VPN is the continuity of operations. When employees log into the VPN remotely, if configured correctly, they can access information and perform functions as they normally would in the office but from any location.
4. Ensure cybersecurity in operating systems and software
Because the nature of cyberattacks is always shifting, operating systems and software are exposed to new vulnerabilities as flaws are discovered by hackers. Updates, or patches, are designed to fix those vulnerabilities.
Organizations should keep company devices up to date on patches. Before a device is allowed to access company systems, it should be scanned to check that all software is up to date. This prevents high-risk devices from connecting to company systems.
When it’s time to update your operating system or software, make sure employees download legitimate, approved patches. To remove any ambiguity, you or your IT department should send a direct link to download the patch.
Under no circumstances should employees scour the internet to identify software. Unapproved software or applications may contain viruses or other malicious code.
Best practices around antivirus software
- Some form of antivirus software should always be activated.
- Purchased or free antivirus software is acceptable.
- Don’t allow users to disable the software.
- Keep the software up to date – similar to patching. If your subscription has expired, obtain or renew your subscription.
5. Don’t permit users to have administrative privileges
Administrative rights need to be controlled, especially in the realm of cybersecurity.
Users of company-issued devices – your employees – shouldn’t enjoy administrative privileges on those same devices. In other words, they shouldn’t be able to download software or otherwise alter the operating system without the approval of you or your IT department. Otherwise, your systems and devices could be vulnerable to viruses.
Instead, all software updates should be initiated on your end. This helps ensure that company-issued devices operate in an approved fashion.
6. Avoid easily compromised passwords
Some best practices around passwords
- Combine upper- and lower-case letters.
- Include numbers and special characters.
- Make the length at least 10 characters.
- Mandate a password change after a set time period. If your company doesn’t use multifactor authentication, every 30 days is standard. If you use multifactor authentication, changing passwords annually is sufficient.
- Passwords should be unique and complex. Password managers can be a great tool to generate strong passwords.
- Passwords should never be shared.
7. Set up user authentication for company devices and networks
What is user authentication in the context of cybersecurity?
It’s proving to a system that whoever is trying to log in is who they say they are. It requires system users to provide more information beyond a password to verify their identity.
Strong authentication should always be required to log in to company devices and access company networks.
Whenever possible, deploy multifactor authentication – two or more verification steps – for an added layer of security during login. The factors used in multifactor authentication are commonly described as:
- Something you know (password)
- Something you have (token, SMS PIN, digital certificate, software or badge)
- Something you are (fingerprint or facial recognition)
Note: SMS is falling out of favor as a verification method because of the increase in SIM-swap attacks. Now, the most popular verification method is a software authenticator app, such as Google Authenticator.
Without multifactor authentication, users who have been phished may allow cybercriminals to access your company systems.
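To make the "something you have" factor concrete, here is an added example (not code from the original post or from any authenticator vendor) of how a software authenticator's rotating six-digit code is produced and checked on the server. It implements the standard RFC 6238 TOTP algorithm over a 30-second window; the secret is the RFC's published test key and is a constructed placeholder, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 6238 reference test key); real secrets are
# generated at enrollment and shared only with the user's authenticator app.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the
    epoch, which is why the code on the phone changes every 30 seconds."""
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, candidate: str, at: int,
                last_counter: int = -1, window: int = 1):
    """Server-side check. Returns the accepted step counter, or None.
    Adjacent steps are accepted to tolerate clock drift, but any step at or
    before `last_counter` is refused so a phished code cannot be replayed
    after it has been used once. The caller stores the returned counter."""
    if not (candidate.isdigit() and len(candidate) == 6):
        return None
    counter = at // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the secret, the format authenticator apps accept at enrollment."""
    return base64.b32encode(secret).decode().rstrip("=")
```

Note that even with replay protection, a code typed into a phishing page can be forwarded to the real site within the same window, which is why the page's later advice about checking the destination still matters.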
8. Beware of phishing scams
A phishing attack is when a bad actor poses as a legitimate source to obtain sensitive data from your company and employees, or to infect your devices and systems with malware.
With the rise of artificial intelligence (AI), these attacks have become increasingly sophisticated and harder to detect as obvious scams.
The latest trends?
- Bad actors – especially those from foreign countries or who speak English as a second language – can use AI to compose convincing emails and websites, free of the grammar issues or misspellings that used to be red flags.
- AI can even be used to imitate a known party’s voice, such as an employee or customer. All hackers need is a short clip of someone’s voice and they can recreate it for nefarious purposes. Today, there’s a real risk that the person you think you’re speaking with on the phone is fake.
Tips to help your employees avoid phishing scams
EMAIL
- Have a healthy skepticism about every email that enters your inbox.
- Watch out for email senders who use suspicious or misleading domain names, or unusual subject lines. If you’re suspicious about the sender, don’t open the email.
- Never open attachments or click on links embedded into emails from senders who you don’t recognize.
- Report a suspicious email to your IT department – don’t respond to it.
- Reach out to your IT help desk with questions or concerns.
- Be very careful about entering passwords when being directed by an email. Be confident you know the destination is legitimate.
FAKE WEBSITES
- These sites may use HTTPS encryption, so a padlock or "secure" indicator alone is no proof of legitimacy.
- Pay careful attention to website links to confirm that you’re visiting the correct site. Cybercriminals will subtly misspell website links so they’re close enough to the site they’re imitating to look legitimate and fool you.
- Enable multifactor authentication for every account login you can.
- Don’t follow links from within an email. Open your browser and enter the correct link to where you want to go. Don’t trust that the email is taking you to the correct destination.
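The "subtly misspelled link" problem above (and the misleading sender domains mentioned under EMAIL) can be screened for automatically. The following is an added example, not code from the original post or from any product: it compares a link's hostname against a constructed placeholder list of approved company domains, undoes common look-alike character swaps, and flags near-miss spellings. It is a heuristic meant to raise a warning for a human to check, not a verdict.

```python
from urllib.parse import urlsplit

# Constructed placeholder list of the company's legitimate domains.
APPROVED_DOMAINS = ("example.com", "example-payroll.com")

# Character swaps that make a forged name look like the real one on screen.
# Applied only after the exact match fails, because legitimate names can
# contain these sequences too (this is a heuristic, not proof of fraud).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def host_of(link: str) -> str:
    """Extract the lowercase hostname from a URL or a bare domain."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def normalize(host: str) -> str:
    """Undo common look-alike substitutions before comparing."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link: str) -> str:
    """Return 'approved', 'lookalike' or 'unknown' for the link's hostname."""
    host = host_of(link)
    if not host:
        return "unknown"
    for good in APPROVED_DOMAINS:
        if host == good or host.endswith("." + good):
            return "approved"
    norm = normalize(host)
    for good in APPROVED_DOMAINS:
        # A real brand name buried in a foreign domain (example.com.evil.net)
        # or a spelling within two edits of it is treated as a look-alike.
        if good in norm or edit_distance(norm, good) <= 2:
            return "lookalike"
    return "unknown"
```

Running classify over constructed links such as https://examp1e.com/reset or http://exarnple.com returns "lookalike", while https://portal.example.com/login returns "approved".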
FRAUDULENT PHONE CALLS
- Authenticate the person you’re speaking with at the beginning of every call – before sharing sensitive information.
- Use some type of outside authentication method, such as a callback, security questions, a rotating code from a software authentication app such as Microsoft Authenticator, or visual confirmation of a website sign-in.
It’s important that you test how employees respond to phishing attempts in the real world. That’s why your IT department should try to phish your employees at regular intervals. Employees who fail the test must undergo anti-phishing training.
9. Stop outsiders from crashing videoconferences
Cybercriminals breaking into videoconferences has become a major problem. Unwanted attendees often disrupt videoconferences merely to annoy, but occasionally the goal is to eavesdrop and steal information.
How to stop videoconference intruders
- Don’t use the same personal meeting ID for all meetings. Instead, use a randomly generated meeting ID exclusive to each specific meeting.
- Enable a waiting-room feature when available, which will allow you to grant access to each participant.
- Require a meeting password.
- Once the meeting begins and all participants are present, lock the meeting to outsiders.
- Don’t publish the meeting ID on any public platform, such as social media.
Additionally, avoid downloading unapproved videoconferencing applications, which could be infected with viruses.
10. Have a disaster-recovery plan
When employees work remotely, you just don’t have the same level of control over the security of your devices as you do when they work in the office.
What will you do if one of these scenarios impacts your devices?
- A fire that destroys hardware, paper records or data backups
- Floods and other natural disasters
- Burglary
- Employee loses a device
- Damage associated with downloading a virus-affected application or resulting from other malicious activity by cybercriminals
- Some other type of preventable damage associated with the home environment (for example, someone spills their drink on a laptop or drops a device)
When any of these events happens, valuable company data can be exposed to outside parties or lost. This is known as a technology disaster.
Some practices to include in a disaster-recovery plan
- Create a system that will back up or sync data from remote users’ devices to a centralized repository, such as a file server or collaboration site.
- If there’s no central repository, ask employees to regularly back up the content on their devices to company servers.
- Force data and content into a central repository that’s VPN accessible and/or cloud based.
- Don’t permit employees to save data to external drives. You may even consider restricting where data can be stored on company-issued devices.
- In cases of misplacement or theft, consider implementing the ability to remotely wipe the device of all company data and software. Failure to take this step may lead to a data disclosure and legal action.
- Instruct employees to contact their IT helpdesk as soon as an issue occurs.
- Obtain cybersecurity insurance to mitigate the effects of a cyberattack on your company.
11. Establish cybersecurity remote work and data-protection policies
These policies are important and offer valuable guidance to your employees. Clearly written security policies can reduce the risk and uncertainty during an emergency event.
The cybersecurity issues and prevention tips addressed in this blog could be formalized in a written remote-work policy and data-protection policy. Both should be documented in your employee handbook.
12. Leverage IT expertise
Your company’s sensitive data and the integrity of your company’s IT infrastructure are at stake.
This is a highly technical, complex area that calls for the involvement of experts. And it’s a full-time job on its own to keep up with the latest cyberattack techniques and stay on top of cybercriminals’ efforts to infiltrate your company.
If you don’t have qualified in-house IT expertise and resources continually managing this for you, you should strongly consider hiring an IT consultant to:
- Optimize your cybersecurity efforts
- Build a defense in depth
- Promptly resolve attacks when they happen
If your cybersecurity strategy is left to an unskilled resource, you will find that you have a poorly defended infrastructure.
Summing it all up
No business is immune from cyberattacks. The fact is, it’s an escalating threat that will only continue to grow and affect all employees. Moreover, many companies have remote employees, which can exacerbate their cybersecurity risks. Follow the 12 steps outlined here to implement cybersecurity best practices and avoid the many harmful consequences of a successful attack.