Business employees, regardless of their role, should have a fundamental understanding of digital security to protect the organisation and its data. Knowledge about password management, phishing, data protection and similar topics should be included in their induction and ongoing training processes.
The vulnerabilities that hackers exploit to “enter” organisations lie either in insecure systems or in untrained people.
Let’s elaborate here on the basic knowledge that employees should have about the security of business systems.
To begin with, password management is basic knowledge for every employee. Employees should know how to create strong, unique passwords for each account and system. Encouraging the use of password managers to securely store and manage them is also important. Where possible, enabling two-factor authentication (2FA) adds an extra layer of protection.
A popular method hackers use is phishing. Train employees to spot suspicious emails, messages or phone calls that attempt to steal sensitive information. An employee who suspects a phishing attempt should know how to report it to the security team and should avoid clicking on links or opening attachments.
If people aren’t careful, no firewall is enough.
Scammers are constantly finding ways to trap victims. “Methods” such as pretexting, baiting and tailgating trick unsuspecting people into letting attackers into systems. Training in these methods is also necessary, whether in a work or a private environment. With pretexting, someone pretends to be, for example, from the bank or the tax office, with the aim of extracting a username, password or one-time code (OTP) from an authorised user. With baiting, a malicious person deliberately leaves a USB stick in an office of a company they have visited for some unrelated reason. An unsuspecting user inserts the USB stick into his/her computer, and a suitably modified program on it then gives the attacker access to the company’s internal systems. Tailgating is the method in which an unauthorised person “hangs” behind someone who has access, for example with a card, to a space, and so gains entry without holding the appropriate credentials for it.
Your company’s data is as valuable as your physical property. Employees should not only understand the importance of protecting sensitive business and customer data, but also know when to use encryption (e.g., for emails or data storage) to ensure data is protected both in transit and at rest. Train them to use approved platforms for sharing documents and files securely.
Ensure device security. Make sure operating systems, apps and antivirus software are regularly updated to patch security vulnerabilities, and that all devices (computers, mobile phones, etc.) are locked. Notify employees that they should avoid installing unapproved software or applications, which may pose security risks. Set a procedure for reporting lost or stolen devices immediately, and know how to remotely wipe sensitive data from them where possible. Of crucial importance is the physical security of devices: control who has physical access to the workplace and sensitive areas, avoid leaving sensitive documents or unlocked devices unattended, etc.
Take social engineering seriously. It is imperative to train employees not to hand out access to systems or information, and to verify identities, especially when a request concerns access to sensitive data or systems.
Since remote working is now common practice, train employees accordingly so that they avoid using public Wi-Fi to access company systems or sensitive data unless they use a Virtual Private Network (VPN).
Security culture starts from within, so be mindful in setting strict procedures for incident reporting. Whatever their job description, all employees should be aware of the procedures for reporting security breaches or suspicious activity to the IT/security team.
By fostering these basic security practices, employees can significantly reduce the risk of security breaches and contribute to maintaining a secure business environment.