Password reuse continues to be a threat to companies everywhere—a recent report found that 64% of people continue to use passwords that have been exposed in a breach. Poor password hygiene by end-users can open up your organization to security breaches and make your company’s sensitive data vulnerable to cyber-attack.
Preventing cybersecurity attacks starts with preparing your frontline of defense: your employees. Cybersecurity awareness training helps them become more aware, alert, and knowledgeable against the latest cyber threat tactics targeting end-users.
While it can be difficult to prevent all users’ “bad” behavior, there are several cybersecurity best practices to train and regularly remind your employees of.
Secure End-User Accounts
Credential-based endpoints are the most vulnerable attack surface in any organization. Securing end-user accounts with these 4 best practices is important to protecting your entire organization from risk.
1. Enforce password policy compliance
Employees should have no choice but to comply with the password policy rules of your organization. With Specops Password Policy, for instance, organizations can enforce length and complexity requirements to ensure that their password is as strong as possible while blocking over 3 billion known breached passwords.
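As an added illustration of what "enforce length and complexity while blocking known breached passwords" looks like in code (this is example code written for this article, not Specops software or its API), the following Python validator checks a candidate password against a minimum length, a three-of-four character-class rule, and a hashed breached-password index. The breached list here is a constructed sample of three entries, the 12-character minimum and the class rule are assumptions chosen for the example, and the prefix lookup mimics the k-anonymity approach used by range-query breach services: only the first five hex characters of the SHA-1 hash are used as the lookup key, so the plaintext password never has to be exposed to the lookup.

```python
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12          # assumed policy value for this example
PREFIX_LEN = 5           # hash prefix length used as the lookup key


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach lists commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Build a prefix -> {suffixes} index from known-breached passwords.

    Only hashes are kept; the plaintexts are discarded once indexed.
    """
    index = defaultdict(set)
    for pw in plaintexts:
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
    return index


# Constructed sample "breached" list for demonstration; a real deployment would
# use a list of millions of entries or a range-query breach service.
BREACHED_INDEX = build_range_index(("password", "Password123!", "Welcome2021!"))


def is_breached(password: str, index=BREACHED_INDEX) -> bool:
    """Look the password up by hash prefix, then match the suffix locally."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in index.get(h[:PREFIX_LEN], set())


def complexity_failures(password: str, min_length: int = MIN_LENGTH):
    """Return a list of human-readable policy violations (empty if none)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"[0-9]", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if hit is None]
    if len(missing) > 1:  # assumed rule: at least three of the four classes
        failures.append(
            "needs at least three character classes (missing: "
            + ", ".join(missing) + ")"
        )
    return failures


def evaluate_password(password: str) -> dict:
    """Apply length, complexity and breach checks; accept only if all pass."""
    failures = complexity_failures(password)
    if is_breached(password):
        failures.append("appears in the breached-password list")
    return {"accepted": not failures, "failures": failures}


if __name__ == "__main__":
    for candidate in ("password", "Password123!", "Tr0ub4dor", "correct-horse-Battery-9"):
        print(candidate, "->", evaluate_password(candidate))
```

Note that a password can satisfy every length and complexity rule and still be rejected, as "Password123!" is here: the breach check is what catches reused credentials that look strong on paper, which is why the two checks belong together rather than either one alone.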
2. Utilize MFA whenever possible
To further secure end-user accounts, the implementation of multifactor authentication (MFA) should be mandatory for end-users logging into work apps, or making a change like resetting their passwords. When it comes to the MFA process, the more ways you can verify your identity when logging in, the harder it is for someone to steal your information.
3. Don’t leave information unprotected
Another best practice pertaining to account information is to encourage employees to lock their screens when they’re not around. Leaving screens unlocked increases the risk of someone viewing or accessing sensitive data.
4. Use a password manager
It’s also important for your organization to encourage the use of a password manager, not only for the individual end-user but to utilize shared vault features to prevent insecure password sharing among employees.
Protect Company Equipment
It’s easy, especially in a software-led organization, to forget the importance of secure hardware. But as the IT pros in manufacturing or healthcare will tell you, it’s vital to secure your device infrastructure as well as your network.
When it comes to employees protecting their equipment from cybersecurity threats, there are a few ways internal training and strong policies can help.
5. All hardware should come from IT
To start, all new purchases should come directly through the IT department. IT is responsible for not only setting up the employee on the company’s network, but also for making sure the computer is properly equipped with security and OS or system support. This initial setup helps the IT department remotely maintain your computer to ensure your software is up to date and is set up to auto update.
6. Mobile devices need encryption too
Phones should have a lock screen and enable message encryption. This policy protects critical texts such as MFA security codes from being visible on a locked screen. This way, only those who can identify themselves with the correct password can read the messages.
7. Shut down devices properly, and often
It’s common for employees to keep their computers running throughout the work week, but shutting them down is essential for the health—and security—of the equipment. Most software updates require you to restart your computer in order to run successfully, so shutting down equipment is necessary for regular software maintenance.
8. Don’t disable built-in protections
Employees should also be encouraged to keep firewalls enabled. Firewalls are put in place to block certain types of network traffic which keeps your system safe from external threats. Disabling the firewall opens up the organization to malicious attacks which rely on open network ports.
Finally, as an additional layer of protection, employees should always enable antivirus. Antivirus software offers real-time protection by scanning new files and will immediately alert the user if it detects any threats.
Data Privacy and Storage Policies
Data privacy is another huge piece of the IT security infrastructure. Encouraging these data storage best practices, as well as implementing a zero-trust framework in your organization, can ensure none of your end-users are inadvertently putting your data at risk.
9. No personal data storage
Many companies encourage employees to send everything to the cloud, whether for file sharing or storage. The cloud offers more control over who can access internal information. If this is the policy at your company, then there shouldn’t be any company information saved on a user’s personal storage.
10. Discourage USBs
Additionally, make it a point to discourage the use of USB drives. USBs are not only small and easy to lose, but they’re usually not encrypted. This means that if a user plugs one into a personal or public computer that isn’t secure, and then uses it on work equipment, the USB can then transfer and introduce a virus into your network.
If an end-user needs a USB and there is no other option, make sure it’s being purchased and looked over by your IT department.
11. Beware of suspicious emails and texts
Employees should also be encouraged to pay close attention to suspicious-looking emails – and always send them to IT if unsure. The IT department can conduct anti-phishing campaigns to help train employees on security awareness and what to look out for when it comes to suspicious emails.
12. Consider the environment, and your data security
All employees should also avoid printing anything with company data. Loose papers can end up in the wrong hands once they leave the employee’s home or the office.
While printing should be limited, there are cases where you may need to print a document—in which case employees should be encouraged to shred anything they’re no longer using.
Handle Software & Licensing Responsibly
Lastly, end-user education in cybersecurity 101 should include the risks of software on work devices. Organizations should have clear guidelines on how and when end-users can download or license anything that doesn’t come standard-issue on their work computers. A few guidelines include:
13. Express IT permission for all new downloads
New software downloads should be limited, but if users have to download a program, even a web-based application, they should clear it with IT first.
This is especially important if there isn’t any web application security already in place.
14. MFA on external software is non-optional
Additionally, all external software needs MFA for even greater password protection and security.
You’d be shocked to find out how many work-related apps’ built-in security measures don’t stack up. MFA can help mitigate third-party risk.
Cybersecurity training is a constant practice and a team effort. With regular reminders, training sessions, and support from IT, users can generate more awareness of cybersecurity threats and help protect internal information.
Copyright 2021 Associated Press. All rights reserved.