Last week I gave a cyber security awareness session for the EuroCham office staff. During my preparation for this session, I saw that all the experts are saying a few basic but important things. To understand what kind of behavior is harmful for an organization, you have to understand what kind of risks are out there. In this post, I give the most basic but very important cyber security rules that every organization should take to keep their work safe and secure.
First of all, it has to be said that I am not a cyber security expert.
However, working with different IT startups and offering a dedicated team service to many clients for more than 5 years has forced me to seriously learn more about this topic, not only because it matters from a sales perspective but also to keep the teams of our client companies safe and secure. In this post, I will focus on the cyber security rules, both online and offline, that an organization should always follow. These cyber security rules can be a reference for you, alongside the advice you receive from a cyber security expert who can install firewalls, endpoint security systems, network security, and other software and hardware measures.
I have talked with different managers of small and bigger organizations over the past few years. They all told me the same problem they have on this topic: "We tell our teams how important cyber security rules are, but after a week everything is back to business as usual." These high-level officers admitted that this issue also included themselves. This is in no way strange or unexpected, and I dare to say it is exactly what experts and hackers expect. What I mention below should become part of the work culture, and an organization should add the behavior to the assessment cycle of the staff to make sure it is considered a core value.
Definition of hacking: unauthorized access to systems, data, devices, processes of an organisation or person
Just to be sure we are on the same page, here is a list of types of attacks that a company can endure:
- Phishing, online and offline – Gathering credentials or other personal information from a person, for example through a faked website that steals logins or delivers malware, or through an in-person approach
- Keylogging – Software that logs all your keystrokes and sends them to a remote PC/server
- DoS/DDoS attack – A Denial of Service attack floods your system with so many requests that it can no longer work normally
- Waterhole attacks – Hackers find a weak spot, such as the public WiFi at your favorite coffee shop, and use a fake WiFi network to serve you a modified version of your banking website
- Trojans or viruses – Small programs that give the hacker control over your system or access to your data
- Cookie theft – Almost every website saves information about you to make it easier to use. If a hacker gets access to this information, he can authenticate himself as you in a browser on those sites
- And many more… but the above are the ones that matter for the behavior steps mentioned below.
As you can see, for almost everything you do online, hackers have found a way to get your personal or work information. With that information they can:
- Steal your identity and sign digital contracts and spend your money
- Commit crimes under your name or with your devices
- Hold your data for ransom until you pay them (usually in cash)
- Gain leverage over you and blackmail you into paying or doing unwanted favors
- Build a profile of you, break into your private or work accounts, and either create a leverage situation or simply sell or destroy everything online (your reputation or your data)
As you can see, the effects of an attack can vary from radical private or work-related losses to actions you may never notice until it is far too late to react. Below are the basic cyber security rules for an organization that prevent a lot of attempts in the first place. These should never be the only measures, but they will help.
10 Cyber Security Rules and Practices For Your Business
1. Restrict physical access to the workplace for unauthorized people
Wherever possible, you should create a culture in which non-employees and unauthorized people are not allowed to access workplace computers, servers, or paper records. Always accompany third-party suppliers and guests while they are in the building. Furthermore, it is wise to keep waiting rooms and meeting rooms separate from the workspace. This reduces the chance of unwanted visitors roaming freely between the staff or around the coffee corners where your staff discuss work-related topics.
2. Always lock your screen with a password if you are not behind it
It is one of the easiest and most logical things to do, yet so many people never do it or do not even have a password. Lock your screen whenever you are not directly sitting behind it. A quick shortcut to lock your screen is Windows + L on Windows or Control + Command + Q on a MacBook. Even if you are in the same room or just leaving your desk for a small talk with colleagues, always lock your screen. The same rule applies to phones and other devices. Make sure your devices can only be accessed when you are there. Someone having unrestricted access to your files, email and social media should be the worst nightmare of anyone in this digital age. Make this a habit for the team and yourself, and dare to remind each other about it. It is a simple habit that becomes automatic quite fast.
3. Password strength and rules for saving them
Having a password is great, and we assume that a password alone is enough to secure our data and privacy. Although this is true in some cases, many people tend to use the same password (or small variations of one) for all their systems and files. On top of that, we see that many passwords are quite weak and take only a little effort for an average hacker to break. This is one of the small issues I have been witnessing while working with startup clients who came to us to hire dedicated developers. Some people use another tactic: keeping a password file in Excel! This is perceived as an easy way to save the many passwords you have to remember, and they may even share the file on a shared server so all colleagues have access. Please stop doing this, and I will tell you why. Even if you have a firewall and an up-to-date antivirus that checks for malware, your device can still be infected and your data can be stolen without you noticing. A strong password on an Excel file is like a thin wooden door with a heavy lock: even if the lock is strong, there are many ways to simply break the door down.
A good tip for people who find it hard to remember passwords is to use a sentence you can easily remember with capitals and numbers and at least 4 words.
I would advise you to use a password manager, either the one you already have or a well-known application such as KeePass, 1Password, or LastPass. Choose the application based on your own needs and those of your organization. Some also have free options for individuals, but in an organization, sharing and management options will be important.
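To make the passphrase tip concrete, here is an added example (written for this post, not part of the original text or of any of the password managers named above) that checks a candidate passphrase against the rule given above: a sentence with capitals and numbers and at least 4 words. It also flags the other habit the post warns about, reusing small variations of an old password, by stripping punctuation, digits and common letter substitutions before comparing. The minimum length, the substitution table and the similarity threshold are assumptions chosen for the example, not figures from the post.

```python
from __future__ import annotations

import re
import unicodedata

# Policy from the post's tip: a memorable sentence with capitals and numbers
# and at least 4 words. MIN_LENGTH and MIN_CORE are assumptions added here.
MIN_WORDS = 4
MIN_LENGTH = 16
MIN_CORE = 6  # cores shorter than this are too short to compare meaningfully

# Reverses common digit/symbol substitutions so "P4ssw0rd" and "password"
# reduce to the same core (assumed mapping, not from the post).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def _cores(password: str) -> set[str]:
    """Return the letter-only 'cores' of a password: as typed and with leetspeak
    reversed. Year suffixes, punctuation and case differences all collapse away."""
    low = unicodedata.normalize("NFKC", password).lower()
    plain = re.sub(r"[^a-z]", "", low)
    unleet = re.sub(r"[^a-z]", "", low.translate(LEET))
    return {plain, unleet}


def is_variation(candidate: str, previous: str) -> bool:
    """True when the new password is a small variation of an old one, i.e. one
    core is contained in the other (e.g. 'Summer2023!' vs 'summer2024')."""
    for a in _cores(candidate):
        for b in _cores(previous):
            if len(a) >= MIN_CORE and len(b) >= MIN_CORE and (a in b or b in a):
                return True
    return False


def check_passphrase(candidate: str, previous: tuple[str, ...] = ()) -> list[str]:
    """Check a candidate passphrase against the policy. Returns the list of
    violations; an empty list means the passphrase is accepted."""
    problems = []
    words = [w for w in re.split(r"[\s\-_]+", candidate.strip()) if w]
    if len(words) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words, has {len(words)}")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"needs at least {MIN_LENGTH} characters, has {len(candidate)}")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs at least one capital letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs at least one number")
    if any(is_variation(candidate, old) for old in previous):
        problems.append("too similar to a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the demo; not real credentials.
    history = ("bluehorsecoffee2023!",)
    for pw in ("password1", "P4ssw0rd!!", "Blue Horse Coffee 2024 again",
               "My dog eats 3 Bananas daily"):
        result = check_passphrase(pw, history)
        print(f"{pw!r}: {'accepted' if not result else '; '.join(result)}")
```

The similarity check is deliberately crude: it catches the "same password plus a year" habit, which is what an attacker with one leaked password tries first, without pretending to be a full strength estimator. A real deployment would compare against a stored history of hashes rather than plaintext, which this illustration skips for readability.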
4. Updates and antivirus to avoid cyber security attacks
This one speaks for itself, but please always keep your software up to date. Many updates these days do not only contain new features but are also security updates. Not updating means that known issues with your software are left in place, and you remain vulnerable to weaknesses that are common knowledge in the hacker community. This also means updating your WiFi router firmware and the other devices used in your network at the office or at home. Please use licensed antivirus programs with support that really secure your devices (yes, all of them). Not only your PC but also your phones and servers are under threat, because hackers can steal information from your phones just as they can from your PC.
5. Do not download illegal movies, music, or programs
Many people have the habit of using free antivirus programs, but it is commonly known that a lot of those free products carry traces of malware. Hackers, governments, and other parties use "free" products to gain access to your device. It is quite simple, because users often allow these programs or files onto the same disk where they store all their important files, without any firewall or security. By downloading, installing, or using these products, you as a user create a situation in which your antivirus will not work properly. This is how keyloggers are easily distributed to a large number of devices. The basic rule here is that "free" should be avoided; choose an official retailer instead.
6. Do not share your work devices with other people
Sharing your device with family, friends, or anyone else is not wise. Not only because they could want to harm you or your company, but simply because they do not have the same awareness of the risks they encounter when using the device. It is a matter of responsible behavior. For example, a kid who just wants to play games easily drifts from a game site via advertisements to somewhat more obscure sites. Installing a plugin to play a video or a game is easily done, but the consequences could be quite severe. Everything in rule no. 5 could easily happen even without any bad intention.
7. No one should have access to all data
As an owner or director, the first thing you always want is control over everything. This is one of the reasons you may be a good manager, but security-wise it is a problem. If you have staff and different departments, make sure the director cannot be the single point of failure. If a hacker successfully targets a CEO, director, or owner, the whole organization could be in big trouble. Even in the military, some heavy decisions require cooperation between multiple officers before an order can be carried out. Protect your organization and make sure no one can be the single point of failure for the entire organization.
8. Company processes should be confidential information
Apart from rule no. 1, it is also important that nobody outside your office knows the exact processes and structure of the organization. This does not mean you have to shield everything and cannot be an open company, but there is a fine line here. These days phishing is no longer only online; more and more high-value targets get infiltrated via a friendly face at the bar or at network events. There are even cases where strangers simply show up at an office many times before the staff notice that they are not company employees. Day by day they get more access, and over time they are seen as colleagues whereas they are truly strangers. Their only objective was gathering information for competitors or hacking the targets. The bigger the organization, the more likely this is to happen.
9. Close your social media account for strangers
This is a sensitive topic for a lot of people. For many, their work says a lot about their private life, and for some, private life and work are often mixed up. Only a handful of people separate the two well enough that their passwords are not chosen in relation to someone close to them. To stay safe, it is wise not to give total strangers all your personal information. Information from social media is a great source for phishing and for building a profile for identity theft. Once someone acts badly under your name, it is very hard to recover and to prove that the action was not taken by you, because they have all your identity information.
10. Use common sense and make cyber security rules an open topic to discuss
Your behavior is based on your common sense. Create an environment where people want to talk about this subject: a place where people report incidents without being punished or laughed at. Since this is something everyone should be aware of and anyone can be a target, it is important that management and the IT department receive every signal, so they can build up a clear risk profile and take countermeasures. Most attacks succeed because people do not notice, or do not alert their managers.
Once you see that your device is under attack or strange things are happening, there are two important steps:
- Disconnect from the network and internet
- Warn the IT department and manager
As I stated before, these are best practices, and I advise every company to get an audit from a security company and follow their advice. It costs money, but less than losing all your data and reputation.