Computer Security Day 2021: 10 Tips to Protect Your Employees’ Computers and Laptops from Security Threats

When addressing cybersecurity threats, insider threats have come to the forefront and are one of the leading causes of breaches. However, an insider threat does not mean the insider has malicious intent. Much of the time the threat is the unwitting user making a mistake, such as acting on a phishing email, which in turn leads to a breach. According to the Insider Data Breach Survey 2021, 94% of organizations experienced an insider data breach last year, and 84% have suffered a breach directly from human error. Insider threats go beyond falling for phishing attacks. The 2019 IBM X-Force Threat Intelligence Index lists misconfigured systems, servers, and cloud environments as one of the two most common ways that inadvertent insiders leave organizations open to attack. You cannot eliminate human error, but by providing clear cybersecurity guidelines and regular employee training, the frequency and severity of incidents can be reduced.

The first step in reducing the role of human error in cybersecurity incidents is to set up a cybersecurity policy and to provide education for employees to teach the do's and don'ts of cybersecurity. Here is a list of ten points to include in your policy to help you get started.

1. Emphasize the Importance of Cybersecurity

Start off by explaining why cybersecurity is important and what the potential risks are. Stolen customer or employee data can severely affect the individuals involved, as well as jeopardize the company. It is essential that employees can quickly find where to report a security incident. Do not rely upon a user to remember which internal site to search for the contact information; be sure it is in an intuitive location. Perhaps replace the password written on the sticky note with the information required to report an incident!

2. Teach Effective Password Management

Passwords can make or break a company's cybersecurity system. Include guidelines on password requirements. NIST Special Publication 800-63 Revision 3 contains significant changes to suggested password guidelines. Emphasize to employees that they must not use the same passwords on different sites. Walk the talk. If employees are expected to remember multiple passwords, supply the tools required to make it less painful. A password manager is of significant value. Multi-factor authentication decreases the impact of a compromised password, even if it is the master password for the password manager.
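The following is an added illustration (not OPSWAT code) of the kind of password-acceptance check NIST SP 800-63B describes: length limits, screening against known compromised passwords, and context words, with no composition rules or forced expiry. The compromised-password set is a constructed stand-in for a real breach corpus.

```python
"""Password-acceptance check modelled on NIST SP 800-63B section 5.1.1.2.

Added illustration, not OPSWAT code. BREACHED is a constructed stand-in for a
real compromised-credential feed (assumption).
"""
import unicodedata
from typing import List

MIN_LEN = 8    # 800-63B: user-chosen secrets are at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers should allow at least 64 characters

# Constructed sample of a "known compromised" list; a real deployment would
# query a breach corpus instead of this inline set.
BREACHED = {"password", "123456789", "qwertyuiop", "letmein123"}

ALPHA = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def normalize(secret: str) -> str:
    # 800-63B recommends Unicode normalization (NFKC) before comparison/hashing
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "", service: str = "") -> List[str]:
    """Return a list of rejection reasons; an empty list means acceptable.

    Deliberately does NOT enforce composition rules (upper/lower/digit/symbol)
    or periodic rotation, which 800-63B tells verifiers not to impose.
    """
    s = normalize(secret)
    reasons = []
    # Count code points, not bytes, so multi-byte characters are not penalised.
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = s.lower()
    if low in BREACHED:
        reasons.append("appears in a compromised-password list")
    # Repetitive or sequential strings ('aaaaaaaa', '12345678')
    if len(low) >= 2 and len(set(low)) == 1:
        reasons.append("single repeated character")
    if len(low) >= 2 and (low in ALPHA or low in DIGITS):
        reasons.append("sequential characters")
    # Context-specific words: the account name or the service name
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context word {ctx!r}")
    return reasons
```

A passphrase such as "correct horse battery staple" passes, while an 8-character password that sits on the breach list is rejected despite meeting the length rule.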

3. Teach Employees How to Identify Scams and Adopt Best Practices

Educate employees about various kinds of phishing emails and scams, and how to spot something fishy. If employees receive an email that looks out of the ordinary, even if it looks like an internal email sent by another employee, they must check with the sender first before opening attachments or clicking on links. It is best to verify with the sender via phone or in person. When an email account has been hijacked, replying to the message to ask whether it is legitimate only reaches the attacker, who will vouch for it. Whenever possible, go to the company website instead of clicking on a link in an email. For example, if an email from LinkedIn has a link in it, type in www.linkedin.com and log into your account to view the message.

Further, providing general cybersecurity knowledge on best practices for protecting files and devices can help strengthen an organization’s defenses. OPSWAT Academy offers free courses on these best practices and is available to anyone who wishes to learn more about OPSWAT-specific technologies.

4. Apply Updates and Patches

Modern operating systems, anti-malware programs, web browsers, and other applications regularly update themselves, but not all programs do. When employees install unapproved software, the IT department may be unaware of unpatched, vulnerable applications on their assets. Verifying that operating systems and applications are at current patch and version levels is the responsibility of the IT department. Failing to track the patch status of endpoints and servers is itself an unintentional insider threat, of the same kind as system misconfiguration. Regular vulnerability scanning and system auditing must be performed.

5. Protect PII

Attackers are often after confidential data, such as credit card data, customer names, email addresses, and social security numbers. When sending this information outside of the organization, it is important that employees understand they cannot just send the information through email. A secure file transfer system must be used that encrypts the information and only allows the authorized recipient to access it. For stronger protection, technology like OPSWAT’s DLP can help prevent potential data breaches and regulatory compliance violations by detecting and blocking sensitive and confidential data in files and emails, including credit card numbers and social security numbers.
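To show what "detecting credit card numbers and social security numbers" involves in practice, here is an added, minimal content check (not OPSWAT's DLP engine): it finds candidate card numbers and validates them with the Luhn checksum, and finds SSN-shaped strings while discarding ranges the SSA never issues. The sample text is constructed and uses a well-known test card number.

```python
"""Minimal DLP-style content check for card numbers (PANs) and US SSNs.

Added illustration, not OPSWAT's DLP engine. SAMPLE is constructed; the card
number in it is a published test number, not a real account.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def find_sensitive(text: str) -> dict:
    """Return {'pan': [...], 'ssn': [...]} of validated matches in text."""
    pans = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    ssns = [m.group(0) for m in _SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    return {"pan": pans, "ssn": ssns}


def should_block(text: str) -> bool:
    """Policy decision: block the file or email if any validated match is present."""
    hits = find_sensitive(text)
    return bool(hits["pan"] or hits["ssn"])


SAMPLE = """Order 20211130 shipped. Card on file: 4111 1111 1111 1111 (test number).
Applicant SSN 123-45-6789; reference id 000-12-3456 is an invoice code.
Phone 5551234567 is not a card."""
```

Running `find_sensitive(SAMPLE)` reports one card number and one SSN; the order number, phone number and the 000-area "reference id" are all left alone.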

6. Lock Computers and Devices

When employees leave their desks, they must lock their screens or log out to prevent any unauthorized access. Employees are responsible for locking their computers; however, the IT department should configure inactivity timeouts as a failsafe. Laptops must also be physically locked when not in use.

7. Secure Portable Media

Lost or stolen mobile phones pose a significant threat to the owner and their contacts. The use of screen locks for these devices is essential. Storage, such as external MicroSD cards and hard drives in laptops, must be encrypted. When bringing in portable media such as USB drives and DVDs, it is important to scan these devices for malware before they touch resources such as work computers and the network. OPSWAT’s MetaDefender Kiosk offers an easy solution for verifying the security of portable media.

8. Report Lost or Stolen Devices

Advise employees that stolen devices can be an entry point for attackers to gain access to confidential data and that employees must immediately report lost or stolen devices. Often the IT department can remotely wipe devices, so early discovery can make all the difference.

9. Take an Active Role

Explain that employees must use common sense and take an active role in security. If they see suspicious activity, they must report it to their IT administrator. If employees become aware of an error, even after it has happened, reporting it to IT means actions can still be taken to mitigate damage. Cybersecurity is a matter that concerns everyone in the company, and each employee needs to take an active role in contributing to the company's security. If an employee fears losing their job for reporting an error, they are unlikely to do so. Make sure that employees can be comfortable reporting incidents.

10. Apply Privacy Settings

Inform employees that it is highly recommended to apply maximum privacy settings on their social media accounts such as Facebook and Twitter. Ask them to make sure that only their contacts can see their personal information such as birth date, location, etc. Limiting the amount of personal information that is available online will reduce the effectiveness of spear phishing attacks. Be especially vigilant about noticing anything even slightly suspicious coming from a LinkedIn contact. A compromised LinkedIn contact’s account can allow for some of the most sophisticated social engineering attacks.

New hire orientation should include cybersecurity policy documentation and instruction. Provide regular cybersecurity training to ensure that employees understand and remember security policies. A fun way to make sure that employees understand the policy is to have a quiz that will test their actions in example situations.

In addition to informing and training employees, companies need to ensure that a system is in place for monitoring and managing computers & devices, that anti-malware multiscanning is used to ensure safety of servers, email attachments, web traffic and portable media, and that employees can transfer confidential files securely. Read more about further measures that companies can take to ensure secure access in-office and at-home.

To learn more about how OPSWAT can help protect your critical infrastructure, schedule a meeting with one of our cybersecurity experts.
