Whether your workforce has gone remote or your team has access to confidential client information through their personal devices, it’s important that everyone is on the same page when it comes to data security. Why? Because people are susceptible to cyber threats. Like, really susceptible. 90% susceptible. Your company can purchase the most sophisticated security software in the world, and a hacker may still infiltrate your system when an employee clicks a link in an email from his “bank.” It happens to the best of us, which is why 25% of organizations report being impacted by cryptojacking.
This article is a guide to training your team to be security savvy by creating a culture of privacy protection. Following these 3 simple steps can significantly lower your organization’s risk of a security breach.
1. Report Suspicious Activity.
So there’s a firewall — great. A firewall is a tool that can block the majority of cyber-attacks. However, a firewall cannot always detect successful breaches: those intrusions that have already slipped past it and are quietly collecting or sharing your organization’s valuable information.
Did you know — most companies are unaware that they have been breached until the point the FBI contacts them?
That’s why you need a team trained to report suspicious activity. But what exactly is suspicious? Maybe someone can’t locate an online file because it’s been maliciously deleted. Maybe your cloud says a folder was shared with someone outside your organization whom you don’t know. Or maybe . . . someone clicked a funny link or attachment, only to realize the significance too late. And. Nothing. Happened. Don’t be fooled — hacks don’t always mean black screens and frozen windows. Cyber-attacks include silent but deadly killers that can activate at a later date or secretly track your internal activities.
Train your team to speak up and be comfortable doing so. You don’t want the first time you’re told about your company’s cyberattack to come from the FBI.
2. Be a Good Steward of Device Security.
Security should be everyone’s responsibility. Not the firewall. Not the IT team. Not management. Everyone. Why? Because the majority of cyber-attacks are caused by human error — 90% of hacks, to be exact. And 20% of respondents to a Malwarebytes survey said they’ve had a breach since the COVID-19 pandemic started due to a remote worker’s behavior.
How does this happen? Someone clicks that bait in an email, opens an unfamiliar attachment, fails to check the legitimacy of the sender’s email address, or leaves their devices unsecured and unattended.
Most organizations have security rules in place, but it’s important for teams to understand why those rules exist. If even one person engages in lax security behavior, the organization’s entire system could be at risk.
Here are some simple best practices to stay safe:
A. Protect All Devices.
Don’t forget that your organization needs security protection on all devices, not just workstation desktops. 67% of Global 2000 companies report breaches as a result of mobile access to corporate data. If employees are accessing organizational emails and documents from a cell phone, protect those phones and make sure everyone’s using 2FA.
Employees happen to be 3x more susceptible to phishing attacks on mobile devices vs. desktops. And 85% of mobile phishing attacks occur outside of email (through messaging, social networking, games, and productivity apps).
Maybe it’s the small screens that prevent easy URL or email address verification, or maybe it’s because phones are used 24/7, including at 2am in the bathroom, but staying secure on a mobile device can be tricky. Teams should use a secure mobile browser and avoid clicking links to third-party websites.
Ensure your team has access to protocols and security systems for all devices.
B. Update Software.
Software updates — especially ones without cool features — are annoying. They mean closing all those open tabs, restarting the device at least 5 times, and reentering 108 passwords for your favorite tools and platforms. But encourage your team to do it anyway. Software updates are primarily designed to fix known security vulnerabilities. When your team has a habit of waiting days before installing updates, your organization is left open to attack during that window.
C. Don’t Connect to Public Networks.
When connecting to wi-fi, both on work devices and personal devices (that can access organizational emails or documents), the best option is to link the device to a secure network that no one else is using. Cyber threats can enter devices through a shared network/wi-fi connection.
This comes into play in different ways. For instance, when traveling, don’t connect to the hotel wi-fi. Instead use a personal hot spot.
Further, it’s best to be on a network apart from others who may be less security-savvy. For instance, while at home, it means connecting to a network apart from the family or guests. If a spouse or child accidentally activates malware on their own device, it can reach other devices through the shared network. Oftentimes, there’s a 2.5G or 5G network option to choose from — keep work devices on one and family devices on the other.
D. Use a VPN.
A VPN is a tool whose purpose is to hide the true location of a device. An organization may want to hide the location of its workers’ devices so that hackers can’t easily locate them for attacks. For instance, a hacker can search Google to find out the office locations of RVL. If the hacker sees that a device is located at an RVL location by way of the device’s IP address, then the hacker can target an attack to that specific device in an attempt to steal valuable information. Since RVL uses a VPN, hackers are unable to pinpoint which devices are RVL devices. RVL devices become virtually anonymous.
Your team should always activate its VPN before engaging in work. Additionally, the brand name of the VPN should be kept a secret. If a hacker figures out what VPN you are using, they will know to search for flaws in that specific system.
E. Implement 2FA.
2FA (two-factor authentication) is a security tool that requires a login to be protected by two keys. Common keys include: a password, a separate device login, a code sent to email or an alternate device, or a physical access key that can be plugged into a device.
The purpose of 2FA is to ensure that the person logging in is the owner of that account and not some individual that guessed the account password correctly or found a password sticky note tucked away in a drawer.
2FA should be turned on for every login where it is available, such as email, security, cloud, and payment platforms.
F. Turn on the Firewall.
All devices should be protected by a firewall to defend against outside attacks. This includes mobile devices. Keep it updated. See Point 2(B) above. Don’t tell anyone what security software you’re using. See Point 2(D).
Don’t turn off the firewall to access unverified websites/downloads. Oftentimes, a notification may request that a team member temporarily turn off the firewall — teach your team to be wary and think about who they are allowing into their device before accepting such a request.
G. Always Check the Sender’s Address.
Don’t send bank account information to an Egyptian prince requesting financial help.
In general, never assume the sender of a link or attachment is real. Emails can appear to be from legitimate companies, even using their standard colors and logos. Red flags are: unfamiliar sender addresses, time-sensitive deals/requests, and too-good-to-be-true offers. If someone feels the need to click a link or open an attachment, but is unsure of the sender, simply call the organization.
Of note: Email addresses can be spoofed or masked to appear legitimate. If the wording or images used appear off — trust but verify by contacting the sender through separate means. DO NOT email the sender to ask if their email was legitimate, as their account may have been hacked.
H. Don’t Click Links or Open Attachments.
Beware the click-bait. If the opportunity looks too good to be true, it often is. Any countdown meter contained within the message or on a webpage should serve as a red flag. If a link or attachment is sent via email, check the sender’s email address. See Point 2(G). And NEVER trust an unfamiliar site.
I. Protect Access to Devices.
Hackers don’t always access devices through some elusive virtual backdoor. They can merely get ahold of a physical device. Don’t let them.
If a team member loses their cellphone in a public place, even for a short time, assume it has been hacked and change all passwords.
If a device is left alone in the office, such as on someone’s desk, it should be placed in sleep mode and the laptop lid should be closed — even for a bathroom break.
If a team member is staying in a public place and must leave his/her device unattended (e.g., hotel room), all accounts should be logged out of before the device is left behind.
J. Use a Password Manager.
A strong password is one that is not used for any other account and cannot easily be guessed. For example, Krd!JD23?Df. Nonsense, right? It really can’t be recalled easily, especially if it’s being changed every two weeks/months. So, use a password manager. Pro Tip: Some password managers have a feature to automatically create a crazy nonsensical password and then save it in their secure database.
If a team member is allowed to use the same password for everything, the organization becomes very vulnerable to hacks — only one account must be breached for a hacker to have access to all accounts.
K. Ask a Friend.
When it comes to detecting suspicious activity, sometimes a second pair of eyes is best. Start a policy of asking co-workers to glance at a suspicious email, or of asking them whether they tampered with an important file that looks fishy.
Sometimes, this means calling them — rather than sending an email or instant message — especially if the co-worker is the one behind the suspicious activity, just to ensure their account wasn’t hacked. For instance, while working remotely, a co-worker asked me through instant message for the business credit card number. I called them to verify the request.
3. Engage the Team.
Changing values, attitudes and beliefs is the key to creating cybersecure behaviors. Leaders of an organization should truly engage their teams to create a culture of cyber security. This can be fun too — offering prizes for pop quizzes or adding privacy awareness as a component to bonus calculation can further the organization’s privacy goals.
Lastly, each organization’s security strategy should be uniquely curated to its business practices. Leadership should not merely copy another organization. Be mindful of your needs and the individuals who have access to valuable information within the organization, and work to protect it.
Sources:
- TechRadar.com, “90% of Data Breaches Caused by Human Error,” Anthony Spadafora, May 19, 2019.
- RedLock.
- Washington Post, “U.S. Notified 3,000 Companies in 2013 About Cyberattacks,” Ellen Nakashima, March 24, 2014.
- Malwarebytes presentation to Cybersecurity at MIT Sloan (CAMS), October 24, 2020.
- Ponemon Institute.
- IBM.
- Aaron Cockerill, “Lookout: Phishing Phones, and the New Social Engineering Threat,” MIT Technology Review, CyberSecure 2020, Dec. 2, 2020.
Rockridge Venture Law® is a certified B Corp law firm embracing the mantra of technology lawyers for good. Rockridge® services include corporate, intellectual property, litigation, M&A, privacy, technology, and venture capital law. Rockridge has been recognized as a B Corp Best for the World and Real Leaders Top 150 Impact Company, and has been featured by Conscious Company Magazine, Forbes, and other top media focused on industry leaders in impact and innovation.
The Rockridge team has worked with Grammy winners, Nobel Prize winners, and world champion athletes to create and monetize distinctive intellectual property assets. Rockridge clients include founders, investors, and multinationals scaling disruptive technologies and iconic brands. Rockridge is headquartered in Tennessee, with satellite offices in Durham, New Haven, and New York.