Cybersecurity is everyone’s responsibility. That’s right – everyone who uses an internet-connected computer, regardless of role, is part of the “human firewall” of cybersecurity. Since up to 90% of cyberattacks stem from some type of human error, we all need to accept that one mistake online could be harmful and work hard to minimize our risks.
It’s easier to take responsibility in a strong cybersecurity culture. Let’s look at what that means along with some other tips you can use right away.
Cybersecurity Culture Defined
Cybersecurity culture involves the values that determine how people think about and approach cybersecurity in your organization.
Everyone’s knowledge, beliefs, and behaviors make the difference between protection and breach. People are at the center of everything; you can either be easy prey, or you can become an effective human layer of defense.
Your organization will benefit from making cybersecurity awareness and responsibility part of your overall company culture.
Technology Use Policies
To start, make sure everyone in your organization understands that each one of them has a daily responsibility to protect company information and reduce the risk of a cyberattack. One way to do this is to create technology use policies.
Policies help ensure everyone is on the same page when it comes to safely using company-owned devices, personal devices (like personal cell phones that receive company email), and online activities.
Consider including these areas: handling confidential company information, expectations for using company email (including knowing how to spot malicious phishing attempts), allowable internet use (including public Wi-Fi), and how to report a suspected IT security incident.
Cybersecurity Awareness and Training
Since the best way to learn is through doing, simulated phishing tests are an effective way to see who has honed their awareness skills and who needs to improve. Training can include everything from online videos to in-person workshops. The goal is to engage in ongoing phishing testing and training to keep everyone sharp.
Plus, providing proof of ongoing cybersecurity awareness and training is required to remain in compliance with many cyber liability insurance policies.
You don’t need to go it alone. There are many excellent services that can make sending simulated phishing tests and providing training easy at a reasonable cost.
Practical Tips
Building a positive cybersecurity culture takes time, but here are some basic tips that everyone can use right away:
- Don’t share confidential company information in emails or on social media.
- Be careful sharing ANY company information online without guidelines. The more you share, the more information cybercriminals can gather to try to trick you with email or phone phishing attempts.
- Don’t use public Wi-Fi. Cybercriminals can easily create Wi-Fi networks that appear to be legitimate but are instead being used to intercept data. Turn off “automatically connect to Wi-Fi” on your devices to avoid connecting by mistake.
- Use a unique password for every online account (and don’t reuse them). Use a long passphrase whenever you can. Use a password manager if it’s available.
- Don’t leave your device unattended in a public place, even just to warm up your coffee.
- Always use 2FA. The extra step you take to enter a code or approve a sign-on can make the difference between a successful attack and a failure.
- Be careful with phone calls. Scammers can pretend to be from “tech support” and ask you for a password or to click a link so they can log on to your computer. Know who your IT people are and how to reach them. Never respond to someone who claims to be from IT if you don’t recognize the company or name of the person.
Emails present a huge opportunity for cybercriminals and a huge risk for the rest of us.
Cybercriminals now use AI to their advantage. AI-generated text helps attackers produce sophisticated, highly personalized emails and text messages that are more likely to deceive than ever before. This makes identifying phishing attempts even more difficult.
Here’s a refresher on how to spot and avoid potentially dangerous emails:
- In general, make the email prove to you that it’s legit – no random clicking!
- You don’t recognize the sender
- The sender’s email address is random letters and characters or a strange domain
- The “To” field is blank or a list of names you don’t recognize
- The subject line is unusual or doesn’t match the email content
- The email content includes an ask for something (buy gift cards, transfer funds, call a phone number, verify information, etc.), a short timeline, and possibly a threat (for example, losing access to your email).
- There’s an attachment
- If there’s a link, hover over it with your mouse. Does it go to a different website than the name?
- Always be careful when clicking on links or opening attachments!
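Several items in the checklist above can be checked mechanically before a person ever reads the message, which is useful for help desk triage of "is this phishing?" reports or as a first pass in a mail filter. The script below is an added example and is not code from this article or from CRU Solutions. It parses a standard RFC 5322 message with Python's `email` package and reports which indicators it trips: a sender domain outside a known-senders list, a blank or missing To field, an "ask" combined with a deadline or a threat, an attachment, and links whose visible text names a different site than the one the `href` actually goes to (the "hover over it" check). The allowlisted domains, the keyword patterns and the sample messages are constructed assumptions for the example.

```python
"""Heuristic phishing red-flag checker (added example, not CRU Solutions' code).

Domains, keyword patterns and sample messages below are constructed for this
example; tune them to your own organization before relying on them.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains this hypothetical organization normally hears from.
KNOWN_SENDER_DOMAINS = {"example.com", "partner.example"}

ASK_RE = re.compile(
    r"\b(gift cards?|wire transfer|transfer (?:the )?funds|verify your "
    r"(?:account|information)|call (?:this|the) number|update your password)\b", re.I)
DEADLINE_RE = re.compile(
    r"\b(immediately|urgent(?:ly)?|within \d+ (?:hours?|minutes?|days?)|by end of day)\b", re.I)
THREAT_RE = re.compile(
    r"\b(lose access|account will be (?:suspended|closed|locked)|legal action)\b", re.I)
# Visible link text that itself looks like a domain or URL ("click here" is ignored).
DOMAIN_TEXT_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Lowercase hostname of a URL or bare domain (a scheme is added if missing)."""
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def mismatched_links(html):
    """Links whose visible text names one host while the href goes to another."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if href and DOMAIN_TEXT_RE.match(text):
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                found.append((text, href))
    return found


def red_flags(msg):
    """Return (code, detail) pairs for each checklist indicator the message trips."""
    flags = []
    sender = msg["From"]
    domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if domain not in KNOWN_SENDER_DOMAINS:
        flags.append(("unknown_sender", domain or "<no sender address>"))
    to_header = msg["To"]
    if to_header is None or not to_header.addresses:
        flags.append(("blank_to", "To field is blank or missing"))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        for text, href in mismatched_links(content):
            flags.append(("link_mismatch", f"'{text}' actually points to {href}"))
        content = re.sub(r"<[^>]+>", " ", content)  # crude tag strip for keyword checks
    ask = ASK_RE.search(content)
    if ask and (DEADLINE_RE.search(content) or THREAT_RE.search(content)):
        flags.append(("pressured_ask", ask.group(0)))
    names = [p.get_filename() or "?" for p in msg.iter_attachments()]
    if names:
        flags.append(("attachment", ", ".join(names)))
    return flags


def build_sample_message(suspicious=True):
    """Constructed samples (not real mail): one benign note, one that trips several flags."""
    msg = EmailMessage()
    if not suspicious:
        msg["From"], msg["To"], msg["Subject"] = "Pat <pat@example.com>", "me@example.com", "Lunch"
        msg.set_content("Still on for lunch at noon?")
        return msg
    msg["From"] = "IT Support <helpdesk@x7q2-mail-verify.invalid>"
    msg["Subject"] = "Invoice"  # no To header: recipients were BCC'd
    msg.set_content("Your mailbox is full. Verify your account within 24 hours or lose access.")
    msg.add_alternative(
        "<p>Your mailbox is full. Verify your account within 24 hours or you will "
        'lose access. Sign in at <a href="http://login-reset.x7q2-mail-verify.invalid/">'
        'www.example.com</a>. Help: <a href="https://www.example.com/help">www.example.com/help</a></p>',
        subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg


def red_flags_from_bytes(raw):
    """Parse a raw RFC 5322 message (for example a saved .eml file) and check it."""
    return red_flags(BytesParser(policy=policy.default).parsebytes(raw))


if __name__ == "__main__":
    for code, detail in red_flags_from_bytes(build_sample_message().as_bytes()):
        print(f"{code:14} {detail}")
```

The keyword patterns deliberately require an ask plus pressure (a deadline or a threat) before they fire, which mirrors the checklist and keeps ordinary "please send the invoice" mail from being flagged. The link check only compares hosts when the visible text itself looks like a domain or URL, so a benign "click here" is not reported; a real filter would extend this with the organization's own brand names and domains.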
If an email is clearly a phishing attempt, our best advice is to just delete it.
If you’re not sure because the email is from someone you recognize, *CALL* and ask them about it. We’ve seen many organizations avoid financial loss by making a quick phone call only to learn that a request to transfer funds was fake.
If you clicked and are having second thoughts, call your IT department or IT provider right away and tell them specifically you clicked.
Overall, a positive cybersecurity culture is one of learning, not blaming. Foster a supportive environment where employees feel comfortable reporting security concerns and asking questions. Your team should be comfortable reporting a potential risk, including an errant click. The sooner you know, the sooner you can begin to mitigate the problem.
If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.