10 basic cyber security rules for online and offline behavior of staff

06 JUNE 2017

Last week I gave a cyber security awareness session for the EuroCham office staff. While preparing this session I saw that all the experts are saying a few basic but important things. To understand what kind of behavior is harmful for an organisation you have to understand what kind of risks are out there. In this post I give the most basic but very important steps every organisation should take to keep their work safe and secure.

First off it has to be said that I am not a cyber security expert.

However, working with different IT startups and having an outsourcing agency for more than 5 years has forced me to seriously learn more about this topic. Not only from a sales or consultant perspective, but also simply to keep the teams of companies safe and secure. In this post I will focus on the online and offline steps an organisation should always take. These come in addition to the advice of a cyber security expert who can install firewalls, endpoint security systems, network security and other software and hardware measures.

Image: Amanuel Flobbe gives a cyber security awareness training, European Chamber of Commerce Vietnam.

I have talked with different managers of small and bigger organisations over the past few years. They all described the same problem they have on this topic: "We tell our teams how important it is but after a week everything is back to business as usual." They admitted that this also included themselves. This is in no way strange or unexpected and I dare to say it is within the expectations of experts and hackers. What I will mention below should become part of the work culture, and an organisation should add the behavior to the assessment cycle of the staff to make sure it is considered a core value.

Definition of hacking: unauthorized access to the systems, data, devices or processes of an organisation or person.

Just to be sure we are on the same page, here is a list of types of attacks that a company can face.

  • Phishing online and offline – gathering information about a person through a fake website that installs malware or asks for personal credentials
  • Key logging – software that logs all your keystrokes and sends them to a remote PC/server
  • DoS/DDoS attack – a Denial of Service attack aims to ask so much of your system that it no longer works normally
  • Waterhole attacks – hackers find a weak spot, such as the public WiFi you use at your favorite coffee shop, and use a fake WiFi network to tamper with your banking website
  • Trojans or viruses – small programs that give the hacker control of your system or access to your data
  • Cookie theft – almost every website saves information about you to make it easier to use. If a hacker gets access to this information he can authenticate himself as you in a browser on your sites
  • And many more… But these are the ones that matter for the behavior steps mentioned below.

As you can see, in almost everything you do online hackers have found a way to get your personal or work information. With that information they are able to:

  • Steal your identity, sign digital contracts and spend your money
  • Commit crimes in your name or with your devices
  • Hold your data for ransom until you pay them (in favors or cash)
  • Have leverage over you and blackmail you into paying or doing unwanted favors
  • Create a profile of you, hack you privately or at work, and create a leverage situation, or simply sell or destroy everything online (reputation or data)

As you can see, the effects of an attack can vary from radical private or work related losses to actions you will never notice until it is way too late to respond. Below are the basic steps for an organisation to prevent a lot of the attempts in the first place. These should never be the only measures, but they will definitely help.

1. Restrict physical access to the workplace for unauthorized people

Where possible, create a culture where non-employees or unauthorized people do not have to be in the workplace where computers, servers or information on paper are accessible. Always accompany third-party suppliers and guests when they are in the building. It is also wise to create waiting rooms and meeting rooms separate from the workspace. This will reduce the chance of unwanted visitors roaming freely between the staff or around the coffee corners where they discuss work related topics.

2. Always lock your screen with a password if you're not behind it

It is one of the easiest and most logical things to do, but so many people never do it or do not even have a password. Do this whenever you are not sitting directly behind your screen. Even if you are in the same room, lock your screen. The same goes for phones and other devices. Make sure access is only possible when you are there. Someone having unrestricted access to your files, email and social media should be the worst nightmare of anyone in this digital age. Make this a habit of the team and yourself and dare to talk with each other about this. It is a simple habit that will become automatic quite fast.

3. Password strength and rules for saving them

Having a password is great and we assume that a password alone is enough to secure your data and privacy. Although this is true in some cases, many people tend to use the same password (or small variations of one) for all their systems and files. On top of that we see that many passwords are quite weak and will not take an average hacker much effort to break. One of the things we see a lot in small companies, and I cannot stress enough how not okay this is, is having a password file in Excel! This is perceived as an easy way to save the many passwords you have to remember. Some even put it on a shared server to make sure all colleagues have access. Please stop doing this and I will tell you why. Even if you have a firewall and an up to date antivirus that checks for malware, your device can still be infected any day and data can be stolen without you even noticing it. A strong password on an Excel file is like a thin wooden door with a heavy lock. Even if the lock is strong there are many ways to just blow out the door.

A good tip for people who find it hard to remember passwords: use a sentence you can easily remember, with capitals and numbers and at least 4 words.

I would advise using a password manager, like the ones your antivirus software has or KeePass, 1Password or LastPass. Choose depending on your own needs and those of your organisation. Some also have free options for individuals, but in an organisation the sharing and managing options will be important.

4. Updates and antivirus

This one speaks for itself, but always stay up to date with your software. Many updates these days do not only contain new features but are also security updates. Not updating means that known issues with your software are not taken care of and you are vulnerable to things that are commonly known as issues in the hacker community. This also means updating your WiFi router firmware and other devices that are used in your network at the office or home. Please start using real antivirus programs with support that really secure your devices (yes, all of them). Not only your PC, but also your phones and servers, since access to them has the same result as access to your computer.

5. Do not download illegal movies, music or programs

Not only from the point of view of paying the people who worked hard to create the products, but also for security reasons, it is important not to use illegal products. It is commonly known that a lot of "free" products contain traces of malware. Hackers, governments and other parties use "free" products to gain access to your device. It is quite simple, because the user allows these programs or files to be on the same disk as all the important files without any firewall or security between them. By downloading, installing or using these products you as a user create a situation where even your antivirus will not act, because the user approved it. This way keyloggers are easily distributed to a large number of devices. The basic rule here is that "free" should be avoided; choose an official retailer.

6. Do not share your work devices with other people

Sharing your device with family, friends or even others is not wise. Not only because they could want to harm you or your company, but simply because they do not have the same awareness of the risks they will encounter when they are using the device. It is a matter of responsible behavior and only accessing content needed for work. For example, a kid who just wants to play games easily goes from a game site via advertisements to slightly more obscure sites. Installing a plugin to play a video or a game is easily done, but the consequences could be quite severe. All the points of rule no. 5 could easily happen even if there are no bad intentions.

7. No one should have access to it all

As an owner and director the first thing you always want is to have control over everything. This is one of the reasons you may be a good manager, but security wise this is an issue. If you have staff and different departments, make sure that the director cannot be the single point of failure. If a hacker successfully targets a CEO, director or owner, the whole organisation could be in big trouble. Even in the military, some heavy choices need cooperation between multiple officers before an order can be carried out. Protect your organisation and make sure no one person can be the single point of failure of the entire organisation.

8. Company processes should be confidential information

Next to not letting unauthorized people into the office, it is also important that nobody outside your office is aware of the exact processes and structure of the organisation. This does not mean you have to shield everything and cannot be an open company, but there is a fine line here. These days phishing is not only online anymore; more and more high-value targets get infiltrated via a friendly face at the bar or at network events. There are even known cases where strangers just showed up at an office many times until the staff assumed that they worked there. Day by day they got more access and over time they were seen as colleagues while they did not work there. Their only objective was gathering information for competitors or being able to hack the targets. The bigger the organisation, the more risk there is of this happening. The best way in is to know who to target and what the normal procedures are. Therefore company work processes should only be shared on a need to know basis, and that includes friends and family.

9. Close your social media accounts to strangers

This is a sensitive topic for a lot of people. Why should work say anything about my private life? The problem here is that private life and work are always mixed up. Only a handful of people can really separate them to such a degree that their passwords are not based on their private life. But also for yourself it would be good not to give total strangers all your personal information. Information from social media is a great source for phishing and for creating a profile for identity theft. Once that happens it is very hard to recover from it and to prove it was not you who did those things. Because they have all your information online, identity theft is a rising issue at the moment.

10. Use common sense and make it an open topic to discuss

In the end your behavior is based on your common sense. Create an environment where people will want to talk about this subject. A place where people want to report incidents without being punished or laughed at. Since this is something everyone should be aware of and anyone can be a target, it is important that the management and IT department get every signal so they can build up a clear risk profile and take countermeasures. Most attacks succeed because people are not noticing or alerting their managers.

Once you see your device is under attack or strange things are happening, there are two important steps:

  1. Disconnect from the network and internet
  2. Warn the IT department and manager

As I stated before, these are best practices and I advise every company to get an audit from a security company and follow their advice. It costs money, but it will cost less than losing all data and reputation.