6 Ways To Build a Culture of Cybersecurity Awareness

Cyber Liability Insurance

Cybersecurity isn’t just for tech companies. It’s an essential line of defense for every business that deals with payment information and customer data. Data breaches are expensive to resolve and can permanently damage your customers’ trust in you. Good cybersecurity practices minimize the risk of a breach.

Even the smallest businesses can benefit from creating a culture of cybersecurity awareness. These 6 strategies are simple and effective ways to do so. They can be easily scaled up or down to fit your business’s size and sector, helping you and your employees keep pace with today’s cybersecurity threats.

1. Maintain a Secure Office Network

Wi-Fi networks can be serious security vulnerabilities for your business, especially if they’re still set to their default factory settings, which are easy for hackers to guess and exploit. According to a major cybercrime survey conducted by security company Centrify, networks made up 26% of the major attack points in US cyberattacks in 2018, second only to software attacks.

One of the most important ways to keep your business safe is to secure your Wi-Fi network:

  • Change all default passwords, including the password of the router itself, which is often set to a factory default. Passwords should be long, hard to guess, and include numbers and special characters. The password shouldn’t be left written down anywhere.
  • If you offer public guest Wi-Fi, keep it separate from your internal business Wi-Fi. Don’t allow employees to use the public network, and don’t conduct business on any other public network without using a VPN (virtual private network) to create an additional layer of security.
  • Change the default name of the network, giving as little identifying information as possible. For example, instead of using your business’s name as the name of the network, try something nondescript like “wifi network.” In this context, name recognition is a bad thing, since it makes it easier for hackers to identify your network and attack it.

If you have remote workers, consider asking them to take the same security steps on their home Wi-Fi. For an additional layer of security, you should also consider requiring remote workers to use VPNs.

2. Require Your Employees to Use Two-Factor Authentication

Two-factor authentication is a security measure that requires two forms of identification on sign-in. One common form of two-factor authentication involves having a random code—basically a temporary second password—texted or emailed to you each time you try to sign in.

Two-factor authentication slows hackers down. Instead of getting instant access to your account if they successfully steal your password, they’ll also need to have access to your phone, email account or biometrics like a fingerprint, all of which are much harder to steal.

3. Keep Devices Secured and Password-Protected

All network-connected company equipment, especially computers and phones, should be password-protected. Either each device should have a unique password, or each employee should have their own unique password that can be used across devices.

If employees are having trouble remembering their passwords, purchasing a business subscription to a secure password manager like DashLane or LastPass can help prevent them from reusing passwords or using weak ones like “admin” or “12345.”

 These services store employees’ passwords in a secure vault behind one master password, so they only have to remember one password instead of dozens. Password managers can, and should, be set up to use two-factor authentication.

Physical security measures like keys, keycards, tokens and badges are also an excellent way to restrict access and keep company devices secure.

4. Limit Who Can Access Your Data

Each person or system that accesses your data is a potential weak point in your cybersecurity. Limiting how much access employees, customers and vendors have to your information isn’t paranoia—it’s good cybersecurity hygiene:

  • Consider password-protecting spreadsheets and databases. Keep track of who has access to what, so it’s easier to track down where a breach came from if one occurs.
  • When employees quit, or are laid off or fired, ensure that their system access is terminated right away, preferably before they leave the building. This is especially true for IT personnel and social media managers who have the “keys to the kingdom” and could do a lot of damage very quickly.
  • Ask employees to ensure that no sensitive information is visible in the background of photos or videos taken in the office, especially if they plan to post them on social media.
  • Use firewalls and encryption to create additional barriers to entry.

These steps are especially important for managing so-called “insider threats”: disgruntled employees, vendors and other insiders looking to get even. If these insiders don’t have easy ammunition to use against you, such as crucial passwords, then they’re likely to decide that sabotage is more trouble than it’s worth.

5. Take Phishing and Other Social Engineering Scams Seriously

Social engineering is a special kind of hacking. Instead of exploiting code and technology, social engineers try to manipulate social norms in order to get unwitting victims to hand over the information they want, such as credit card numbers or passwords.

According to the same Centrify cybercrime survey, humans were the primary attack point for 11% of US cyberattacks in 2018. Common social engineering techniques used by hackers include:

  • Email phishing: Using official-looking emails to get employees to hand over valuable information. Phishers might create emails that look like they come from the IRS or regulatory agencies. Other phishers might pretend to be friends, family, coworkers or bosses.
  • Phone scams: Like email phishing, but over the phone.  Scammers often pose as potential vendors in order to steal company credit card information when an employee places an “order.” (Unsurprisingly, the merchandise will never arrive.)
  • Baiting: Creating tempting fake prizes or deals that direct employees to a malicious web page. These web pages install malware or capture passwords and other valuable information when employees attempt to log in to get the goodies.
  • Generating panic: Impersonating a boss or other authority figure in order to threaten employees with negative consequences if they don’t comply with their demands, pushing them to act out of fear and fall for scams they might otherwise be able to avoid.

Social engineering exploits underlying confusion and mistrust. The more honest and transparent your workplace is, the less susceptible you’ll be to this kind of hacking.

Clear internal purchasing procedures, common-sense policies around phone and email use (such as never clicking on external hyperlinks), and a no-shame, no-blame culture around reporting mistakes are all great safeguards against social engineering attacks.

Remember that scammers are great at what they do. No one is 100% safe from falling for a scam, and the less embarrassment and fear employees feel about that possibility, the likelier they are to report potential breaches right away, so you can contain the fallout.

6. Train Your Employees in Cybersecurity Best Practices (and Keep That Training Up-to-Date)

It’s easy to feel overwhelmed by ever-changing cyber threats, especially when you’re busy running your business. Luckily, cybersecurity experts are there to stay on top of these threats for you. Training is an essential expense, whether you choose to hold on-site training or subscribe to an online resource.

All of your employees should receive anti-phishing training, since it only takes one wrong click on a malicious email to compromise your entire network and cause a major breach. Employees in finance, IT and social media should receive higher-level training, since they’re routinely using the information most coveted by hackers.

Cybersecurity training is never one-and-done. You and your employees should receive regular refreshers, once a year at least. Consider making basic cybersecurity training part of your on-boarding process, too.

How to Find Expert Help

Cyber insurance policies, which cover expenses related to data breaches, also commonly offer training and other resources along with your premiums. Cyber insurance is typically quite cheap for small businesses, making it a cost-effective way to improve your cybersecurity.

If your business is too small to keep dedicated IT staff on your payroll, then you should also consider bringing on a part-time IT contractor to help you configure your software and hardware securely. Investing in expert help up front is far cheaper than paying to repair the fallout of a DIY mistake down the road.

Why Cyber Security Sustainability Is More Important Than Perfectionism

There’s no such thing as bulletproof cybersecurity. Any system, no matter how high-tech, can be hacked. That’s why good cybersecurity is about doing the best you can with the resources you have—not about overextending your business and employees in search of perfection you’ll never find.

Remember, most hackers are opportunistic thieves looking for low-hanging fruit. Anything you can do to make your systems more annoying and time-consuming to hack increases the likelihood that hackers will move on to easier prey and leave you alone.

Your business’s approach to cybersecurity doesn’t have to be state-of-the-art to be effective. Be willing to take an honest look at your business’s vulnerabilities—and be open to expert advice on how to fix them—and you’ll be well on your way to a powerful culture of cybersecurity awareness.

Share this page on Twitter Share this page on Facebook Share this page on LinkedIn

©2020, Consumer Agent Portal, LLC. All rights reserved.

III.org

Privileged Access Management in the Modern Threatscape (Centrify survey)

Verizon 2019 Data Breach Investigations Report