Last week I gave a cyber security awareness session for the EuroCham office staff. During my preparation for this session, I saw that all the experts are saying a few basic but important things. To understand what kind of behavior is harmful for an organization you have to understand what kind of risks are out there. In this post, I give the most basic but very important steps every organization should take to keep their work safe and secure.

Amanuel Flobbe gives cyber security awareness training at the European Chamber of Commerce Vietnam.

First off it has to be said that I am not a cyber security expert.

However, working with different IT startups and having an outsourcing agency for more than 5 years has forced me to seriously learn more about this topic, not only because it is a big matter from a sales perspective, but also as an action to keep the teams of companies safe and secure. In this post, I will focus on the online and offline steps an organization should always take, apart from the advice you receive from a cyber security expert who can install firewalls, endpoint security systems, network security, and other software and hardware measures.

I have talked with different managers of small and bigger organizations over the past few years. They all told me the same problem they have on this topic: “We tell our teams how important it is, but after a week everything is back to business as usual.” They admitted that this also included themselves. This is in no way strange or unexpected, and I dare to say it is within the expectations of experts and hackers. What I will mention below should become part of the work culture, and an organization should add the behavior to the assessment cycle of the staff to make sure it is considered a core value.

Definition of hacking: unauthorized access to the systems, data, devices, or processes of an organisation or person.

Just to be sure we are on the same page, here is a list of the types of attacks that a company can endure.

  • Phishing, online and offline – gathering information about a person through a fake website that installs malware or harvests personal credentials
  • Key logging – software that logs all your keystrokes and sends them to a remote PC/server
  • DoS/DDoS attack – a Denial of Service attack aims to ask so much of your system that it no longer works normally
  • Watering hole attacks – hackers find a weak spot, for example that you use the public WiFi at your favorite coffee shop, and use a fake WiFi network to serve you a modified banking website
  • Trojans or viruses – small programs that give the hacker the ability to control your system or access your data
  • Cookie theft – almost every website saves information about you to make it much easier to use. If a hacker gets access to this information, they can authenticate as you in a browser on your sites
  • And many more… But these are the ones that matter for the behavior steps mentioned below.

As you can see, in almost everything you do online, hackers have found a way to get your personal or work information. With that information they are able to:

  • Steal your identity, sign digital contracts and spend your money
  • Commit crimes in your name or with your devices
  • Hold your data for ransom until you pay them (in favors or cash)
  • Gain leverage over you and blackmail you into paying or doing unwanted favors
  • Build a profile of you, hack your private or work accounts and use that as leverage, or simply sell or destroy everything online (reputation or data)

As you can see, the effects of an attack can vary from radical private or work-related losses to actions you may never notice until it is way too late to act. Below are the basic steps an organization can take to prevent a lot of attempts in the first place. These should never be the only measures, but they will definitely help.

1. Restrict physical access to the workplace for unauthorized people

Wherever possible, create a culture in which non-employees or unauthorized people are not present where workplace computers, servers, or paper information are accessible. Always accompany third-party suppliers and guests while they are in the building. Next to this, it is wise to create waiting rooms and meeting rooms separate from the workspace. This reduces the chances of unwanted visitors roaming freely between the staff or around the coffee corners where work-related topics are discussed.

2. Always lock your screen with a password if you're not behind it

It is one of the easiest and most logical things to do, but so many people never do it or do not even have a password. Lock your screen whenever you are not directly sitting behind it, even if you are in the same room. The same goes for phones and other devices: make sure access is only possible when you are there. Someone having unrestricted access to your files, email and social media should be the worst nightmare of anyone in this digital age. Make this a habit for the team and yourself, and dare to talk with each other about it. It is a simple habit that quickly becomes automatic.

3. Password strength and rules for saving them

Having a password is great, and we assume that a password alone is enough to secure our data and privacy. Although this is true in some cases, many people tend to use the same password (or small variations of one) for all their systems and files. On top of that, we see that many passwords are quite weak and will take an average hacker little effort to break. One thing we see a lot in small companies, and I cannot stress enough how not okay this is, is keeping a password file in Excel. This is perceived as an easy way to save the many passwords you have to remember, and it is often even shared on a shared server to make sure all colleagues have access. Please stop doing this, and I will tell you why. Even if you have a firewall and an up-to-date antivirus that checks for malware, your device can still be infected on any given day and data can be stolen without you even noticing it. A strong password on an Excel file is like a thin wooden door with a heavy lock: even if the lock is strong, there are many ways to simply blow the door out.

A good tip for people who find it hard to remember passwords: use a sentence you can easily remember, with capitals and numbers and at least 4 words.

I would advise you to use a password manager, like the one your antivirus software offers, or KeePass, 1Password, or LastPass. Choose depending on your own needs and those of your organization. Some also have free options for individuals, but in an organization the sharing and management options will be important.
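To make the two points of this step concrete, here is an added example (my illustration, not code from the original post or from any of the password managers named): it checks a password against the post's sentence tip (at least 4 words, with capitals and numbers), estimates how large the search space is for an exhaustive attack, and flags "small variations" of an already-used password with an edit-distance check. The sample passwords and the guess rate of 10 billion guesses per second are constructed assumptions for illustration only.

```python
"""Passphrase strength and reuse check (illustrative, not from the original post)."""
import math
import re
import string

# Constructed sample inputs: a typical short password, a small variation of it,
# and a sentence-style passphrase of the kind the post recommends.
SAMPLE_PASSWORDS = {
    "typical": "Summer2019",
    "variation": "Summer2020",
    "sentence": "MyDogEats4BananasDaily",
}

# Assumed attacker speed for an offline attack on a fast hash (illustrative figure).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the character classes used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        size += 33  # ASCII punctuation plus space
    return size


def brute_force_bits(pw: str) -> float:
    """Search-space size in bits for an exhaustive attack over the inferred alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def years_to_exhaust(pw: str) -> float:
    """Worst-case time to try every string of this length and alphabet at the assumed rate."""
    return charset_size(pw) ** len(pw) / ASSUMED_GUESSES_PER_SECOND / SECONDS_PER_YEAR


def words_in(pw: str) -> list:
    """Word-like runs, so 'MyDogEats4BananasDaily' splits into My, Dog, Eats, Bananas, Daily."""
    return re.findall(r"[A-Z]?[a-z]+", pw)


def meets_sentence_rule(pw: str) -> bool:
    """The post's tip: at least 4 words, with capitals and numbers."""
    return (
        len(words_in(pw)) >= 4
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
    )


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_small_variation(new_pw: str, old_pw: str, max_edits: int = 2) -> bool:
    """Treat 'Summer2020' as reuse of 'Summer2019': same password up to a couple of edits."""
    return edit_distance(new_pw.lower(), old_pw.lower()) <= max_edits


def assess(pw: str, previously_used=()) -> dict:
    """Summary a password manager's strength meter might show for one candidate password."""
    return {
        "bits": round(brute_force_bits(pw), 1),
        "years_to_exhaust": years_to_exhaust(pw),
        "sentence_rule": meets_sentence_rule(pw),
        "reuse_of": [old for old in previously_used if is_small_variation(pw, old)],
    }


if __name__ == "__main__":
    old = [SAMPLE_PASSWORDS["typical"]]
    for name in ("variation", "sentence"):
        print(name, assess(SAMPLE_PASSWORDS[name], previously_used=old))
```

The "years to exhaust" figure is a ceiling, not a promise: a password built from a dictionary word and a year falls to a wordlist attack long before the whole space is searched, which is exactly why the sentence rule and the reuse check matter more than the raw bit count.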

4. Updates and antivirus

This one speaks for itself: always stay up to date with your software. Many updates these days do not only contain new features but are also security updates. Not updating means that known issues with your software are not taken care of, and you stay vulnerable to problems that are common knowledge in the hacker community. This also means updating your WiFi router firmware and the other devices used in your network at the office or at home. Please use proper antivirus programs with support that really secures your devices (yes, all of them): not only your PC, but also your phones and servers, since access to them has the same result as access to your computer.

5. Do not download illegal movies, music or programs

Not only from the point of view of paying the people who worked hard to create the products, but also for security reasons, it is important not to use illegal products. It is commonly known that a lot of “free” products carry traces of malware. Hackers, governments, and other parties use “free” products to gain access to your device. It is quite simple, because the user allows these programs or files to be on the same disk as all the important files, without any firewall or security between them. By downloading, installing, or using these products you create a situation in which even your antivirus will not act, because the user approved it. In this way keyloggers are easily distributed to a large number of devices. The basic rule here is that “free” should be avoided in favor of an official retailer.

6. Do not share your work devices with other people

Sharing your device with family, friends, or anyone else is not wise. Not only because they could want to harm you or your company, but simply because they do not have the same awareness of the risks they will encounter while using the device. It is a matter of responsible behavior and only accessing content needed for work. For example, a kid who just wants to play games easily goes from a game site via advertisements to somewhat more obscure sites. Installing a plugin to play a video or a game is easily done, but the consequences can be quite severe. Everything in rule no. 5 could easily happen even without any bad intentions.

7. No one should have access to it all

As an owner or director, the first thing you always want is control over everything. This may be one of the reasons you are a good manager, but security-wise it is an issue. If you have staff and different departments, make sure the director cannot be the single point of failure. If a hacker successfully targets a CEO, director, or owner, the whole organization could be in big trouble. Even in the military, some heavy decisions require cooperation between multiple officers before an order can be carried out. Protect your organization and make sure no single person can be the single point of failure for the entire organization.

8. Company processes should be confidential information

Next to not letting unauthorized people into the office, it is also important that nobody outside your office knows the exact processes and structure of the organization. This does not mean you have to shield everything and cannot be an open company, but there is a fine line here. These days phishing is not only online anymore; more and more high-value targets get infiltrated via a friendly face at the bar or at networking events. There are even known cases of strangers showing up at an office so many times that the staff assumed they worked there. Day by day they got more access, and over time they were seen as colleagues while they did not work there at all. Their only objective was gathering information for competitors, or to be able to hack the targets. The bigger the organization, the more risk there is of this happening. The best way to get more information is to know who to target and what the normal procedures are. Therefore, company work processes are shared only on a need-to-know basis, and that includes friends and family.

9. Close your social media accounts to strangers

This is a sensitive topic for a lot of people. Why should work have a say about my private life? The problem here is that private life and work are always mixed up. Only a handful of people can really separate them, even to the degree that their passwords are not based on their private life. But also for yourself, it would be good not to give total strangers all your personal information. Information from social media is a great source for phishing and for building a profile for identity theft. Once that happens, it is very hard to recover from it and to prove it was not you who did those things. Because all your information is online, identity theft is a rising issue at the moment.

10. Use common sense and make it an open topic to discuss

In the end, your behavior is based on your common sense. Create an environment where people want to talk about this subject: a place where people want to report incidents without being punished or laughed at. Since this is something everyone should be aware of and anyone can be a target, it is important that management and the IT department get every signal, so they can build up a clear risk profile and take countermeasures. Most attacks succeed because people do not notice them or do not alert their managers.

Once you see your device is under attack or strange things are happening there are two important steps:

  1. Disconnect from the network and internet
  2. Warn the IT department and manager

As I stated before, these are best practices, and I advise every company to get an audit from a security company and follow their advice. It costs money, but it will be less than losing all your data and reputation.
