I got a chance to present a cybersecurity awareness session for the EuroCham office staff. During my preparation for this session, I saw that all the experts are saying a few basic but important things. To understand harmful behavior for an organization, you must understand the risks. This post outlines basic but crucial cybersecurity rules every organization should implement to secure the workplace.


Amanuel Flobbe gave cybersecurity awareness training in the European Chamber of Commerce Vietnam.

First of all, it has to be said that I am not a cybersecurity expert.

Having worked with IT startups and offered dedicated teams for over 5 years, I’ve learned the importance of cybersecurity rules in the workplace. Therefore, this post will focus on online and offline cybersecurity rules for organizations, serving as a reference alongside expert advice.

I have talked with different managers of small and larger organizations over the past few years. Many companies struggle with making cybersecurity rules stick. Even after explaining their importance, employees often revert to old habits. This isn’t surprising and is expected by experts and hackers. Thus, organizations should integrate these rules into their work culture and employee evaluations, making them a core value.

Definition of hacking: unauthorized access to the systems, data, devices, or processes of an organisation or person.

Common cybersecurity threats to businesses

Here is a list of types of attacks that a company can endure:

  • Phishing, online and offline – Tricking a person into handing over credentials or other personal information, for example through a fake website that harvests logins or delivers malware
  • Keylogging – Software that records every keystroke and sends it to a remote PC or server
  • DoS/DDoS attacks – Attackers overload your system, making it unusable
  • Watering hole attacks – Attackers exploit weak spots such as public Wi-Fi to redirect you to fake websites (e.g., a copy of your bank's site)
  • Trojans or viruses – Small programs that let the attacker control your system or read your data
  • Cookie theft – Almost every website stores information about you to make the user experience smoother. If an attacker gets hold of that information, they can authenticate as you in a browser on those sites
  • And many more… but the ones above matter most for the behavior rules below.

In almost everything you do online, attackers look for a way to get your personal or work information. With that information, they can:

  • Steal your identity, sign digital contracts, and spend your money
  • Commit crimes under your name or with your devices
  • Hold your data for ransom until you pay
  • Gain leverage over you and pressure you into paying or doing unwanted favors
  • Gain access to personal or work accounts to create leverage, sell data, or inflict online damage (reputation or data destruction)

The effects of an attack vary and sometimes go unnoticed. Below are the basic cybersecurity rules an organization can follow to prevent many attempts in the first place. They should never be the only measures, but they will help.

10 Cyber Security Rules and Practices For Your Business

Restrict physical access to the workplace for unauthorized people

Restrict workplace computer, server, and paper-based information access to authorized personnel only. Moreover, always escort third-party suppliers and guests within the building. Separate waiting and meeting rooms from the main workspace to decrease the likelihood of unauthorized visitors freely moving among staff or areas where work topics are discussed.

Setting up a waiting room for external visitors is one of the simplest ways to improve security in your company.

Always lock your screen with a password if you are not behind it

Lock your screen when you step away from your device, even briefly. Use Windows + L (Windows) or Control + Command + Q (Mac). Apply this to phones and all devices. Unrestricted access to your digital life is a major risk. Make screen locking a team habit and encourage discussion. It’s a simple habit that quickly becomes automatic.

Password strength and rules for saving them

Strong passwords alone often aren’t enough. Many people reuse weak passwords across systems, making them easy targets for attackers. Avoid storing passwords in easily accessible files such as Excel spreadsheets, even if the file itself is password-protected, as such files can be compromised.

Tips for stronger passwords:

  • Use memorable sentences with capitals, numbers, and at least four words.
  • Use a password manager such as KeePass, 1Password, or LastPass.

Choose the application based on your own needs and those of your organization. Some also have free options for individuals. However, in an organization, sharing and managing options will be important.
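The following is an added example, not code from the original post or from any of the password managers named above. It turns the two tips above into a check an organization could run when a user sets a password: at least four words, at least one capital letter, at least one number, and no reuse of a password already used elsewhere. The known-bad list and the thresholds are assumptions for illustration, not data from the post.

```python
"""Passphrase policy check based on the tips above.

Added example, not from the original post. Thresholds follow the post's
guidance (at least four words, capitals, numbers); the known-bad list is a
constructed sample, not real breach data.
"""
import re
from dataclasses import dataclass, field

MIN_WORDS = 4  # "at least four words" from the post

# Constructed sample of passwords an organization might refuse outright
# (hypothetical entries, e.g. previously leaked or obvious choices).
KNOWN_BAD = {"password", "welcome1", "summer2023", "companyname1"}


@dataclass
class PolicyResult:
    ok: bool
    problems: list[str] = field(default_factory=list)


def check_passphrase(passphrase: str, previously_used=frozenset()) -> PolicyResult:
    """Return whether the passphrase meets the guidance, listing each failure.

    `previously_used` stands in for passwords the user already uses on other
    systems (assumed to be available from a password manager or audit).
    """
    problems: list[str] = []

    # Count alphabetic "words"; digits glued onto a word still count as that word.
    words = re.findall(r"[A-Za-z]+", passphrase)
    if len(words) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words, found {len(words)}")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("needs at least one capital letter")
    if not re.search(r"[0-9]", passphrase):
        problems.append("needs at least one number")

    lowered = passphrase.lower()
    if lowered in KNOWN_BAD:
        problems.append("appears in the known-bad list")
    if lowered in {p.lower() for p in previously_used}:
        problems.append("reused from another system")

    return PolicyResult(ok=not problems, problems=problems)


if __name__ == "__main__":
    for candidate in ["password", "Correct Horse Battery Staple", "Purple7 giraffe eats clouds"]:
        result = check_passphrase(candidate)
        print(f"{candidate!r}: {'OK' if result.ok else ', '.join(result.problems)}")
```

The check reports every failing rule rather than stopping at the first one, so a user sees at once what to change. The reuse check only works if the organization actually knows which passwords are in use elsewhere, which is one more reason the post recommends a password manager.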

Keep Software and Antivirus Updated

Update your software regularly, as updates often include security fixes, not just new features. Neglecting updates leaves you vulnerable to known hacker exploits. Update firmware on your Wi-Fi router and other network devices, too. Use authorized antivirus software on all your devices (PCs, phones, servers) with proper support. Hackers can steal data from any of them.

Avoid Downloading Illegal Content

Beware of free antivirus programs, as they can contain malware. Hackers and other malicious actors use “free” products to gain device access. Users often grant permissions to these programs on the same disks where important files are stored, without an adequate firewall or security. Downloading or using such products can disable your antivirus, allowing easy distribution of keyloggers. Always choose official retailers over “free” options.

Don’t Share Work Devices

Sharing work devices with family or friends is risky. Even without malicious intent, they may engage in unsafe online behavior. For instance, a child playing games might inadvertently navigate to dangerous sites and install harmful plugins. This can lead to the issues mentioned in rule #5 (Avoid Downloading Illegal Content).

Limit Data Access

While owners and directors naturally want control, giving one person access to all data creates a security vulnerability. If a hacker targets a CEO or director successfully, the entire organization is at risk. Implement a system where critical actions require authorization from multiple individuals to prevent a single point of failure.
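As an added example (not code from the original post), the rule above can be expressed as a dual-control check: a critical action such as a large transfer or a bulk data export is only authorized when enough distinct people, none of them the requester, have approved it. The number of required approvers and the account names are assumptions for illustration.

```python
"""Dual-control authorization for critical actions.

Added example, not from the original post. Models the rule that critical
actions need sign-off from more than one person, so that compromising a
single account (even a director's) is not enough on its own.
"""
from dataclasses import dataclass

REQUIRED_APPROVERS = 2  # assumed policy: two distinct approvers


@dataclass(frozen=True)
class Approval:
    approver: str   # account name of the person approving
    action_id: str  # identifier of the request being approved


def is_authorized(requester: str, action_id: str, approvals: list[Approval],
                  required: int = REQUIRED_APPROVERS) -> bool:
    """True only if `required` distinct people other than the requester
    approved this exact action.

    Self-approval, repeated approvals from the same account, and approvals
    for a different action are all ignored, so a single compromised account
    cannot satisfy the rule by approving its own request several times.
    """
    distinct = {a.approver for a in approvals
                if a.action_id == action_id and a.approver != requester}
    return len(distinct) >= required


if __name__ == "__main__":
    # Constructed sample: the CEO requests a wire transfer, approved by two others.
    approvals = [Approval("cfo", "wire-42"), Approval("it-lead", "wire-42")]
    print("authorized:", is_authorized("ceo", "wire-42", approvals))

    # A compromised CEO account trying to approve its own request is refused.
    self_approved = [Approval("ceo", "wire-42"), Approval("ceo", "wire-42")]
    print("self-approved:", is_authorized("ceo", "wire-42", self_approved))
```

The important design point is that approvals are counted per distinct account and tied to the specific action, so the attacker who controls one account gains nothing by repeating an approval or by reusing an approval granted for another request.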

Keep Company Processes Confidential

Beyond physical security, keep your organization’s processes and structure private because phishing attacks are evolving beyond online methods. They now include in-person infiltration at social events or even persistent strangers gaining trust within the office. These individuals aim to gather information for competitors or to hack systems. Larger organizations are more susceptible to this.

Limit Social Media Visibility

Be cautious about the personal information you share on social media. Strangers can use this information for phishing attempts and identity theft. If someone acts maliciously under your name using your information, it can be difficult to recover and prove your innocence.

Use Common Sense and Discuss Cybersecurity Openly

Trust your judgment and foster a workplace culture where cybersecurity is openly discussed. Additionally, encourage incident reporting without fear of punishment or ridicule. Management and IT should be informed of all potential issues to build a strong risk profile and implement necessary countermeasures. Most attacks succeed because people fail to notice or report suspicious activity.

If you notice that your device is under attack or behaving strangely, take two steps:

  1. Disconnect from the network and the Internet
  2. Warn the IT department and manager

These are best practices. I advise every company to get an audit from a security company and follow their advice. It costs money, but it will be less than losing all data and reputation.
