Table of Contents
The human factor in cybersecurity should not be underestimated. A 2020 study from Stanford University found that 9 in 10 (88%) breaches were caused by human error. Still, many cybersecurity programs focus too heavily on raising awareness and not actually teaching employees how to translate that awareness into actionable skills and behaviors.
Combining awareness with improved cybersecurity behavior practices will build strong habits across the workforce and significantly improve the organization’s cyber resilience.
This article will outline essential cybersecurity behavior practices employees should follow to maintain a secure work environment.
1. Create Strong Passwords and Turn on MFA
The first line of defense for any account or system is a strong password. Unfortunately, weak passwords and credentials are the most common way threat actors gain unauthorized access to systems. They often exploit easily guessable passwords or use techniques like brute force attacks to crack them.
This highlights the critical need for employees to create strong, unique passwords for all work-related accounts and to implement additional security measures such as Multi-Factor Authentication (MFA). Here are some general guidelines for employees when creating work-related passwords:
- Password length should be at least 12 characters
- Don’t re-use the same password across different accounts
- Incorporate special characters ($, #, @, etc.)
- Avoid using common words and phrases
- Include numbers and a combination of upper and lower-case letters
- For example, use “JQx68&#ztrKY”, instead of “Rainbow123
Business leaders should consider investing in a password manager to improve password security across their organizations. This will make it significantly easier for employees to create and manage strong passwords across multiple accounts.
2. Detect and Report Phishing Emails
Phishing is one of the most common attack vectors for hackers. According to Verizon’s 2024 Data Breach Report, phishing accounted for 22% of data breaches globally, only behind compromised credentials.
The most common phishing tactic is email phishing, where attackers send deceptive emails that appear to come from trusted sources. These emails often contain malicious links or attachments designed to trick recipients into providing sensitive information, such as login credentials, financial details, or personal data.
Here are some pointers for detecting and responding to a phishing attack:
- Check the Sender’s Email Address: Look closely at the sender’s email address for any discrepancies or unusual domains.
- Look for Generic Greetings: Be cautious of emails that use generic greetings like “Dear Customer” instead of your actual name.
- Beware of Urgent Requests: Phishing emails often create a sense of urgency, pressing you to act quickly without thinking.
- Inspect Links Carefully: Hover over links to see the actual URL before clicking. Malicious links often lead to fraudulent websites.
- Avoid Unsolicited Attachments: Do not open attachments from unknown or unexpected sources.
Let’s look at an example:
You receive an email from what appears to be your bank stating that there has been suspicious activity on your account and urging you to click a link to verify your information. The email looks legitimate, with the bank’s logo and branding, but upon closer inspection, the sender’s email address is slightly off, such as “customerservice@bank-secure.com” instead of the official domain. The link, when hovered over, directs to a completely different website. Additionally, the email contains spelling mistakes and generic greetings like “Dear Valued Customer.”
When you encounter suspicious emails like these, it’s important to notify your IT or security teams immediately. It’s very likely that other employees have also been targeted.
3. Browse the Internet Safely
The internet provides employees with a wealth of information that can help them be more efficient and productive. However, it also exposes your organization to risks like malware and data breaches. If you’re serious about implementing cybersecurity best practices, avoid visiting suspicious websites and only download files from trusted sources.
Since attackers commonly abuse plugin vulnerabilities, always keep your browser software and plugins up to date.
4. Use Mobile Devices Securely
Let’s face it; mobile devices have become so ingrained in our personal and professional lives, that it’s impossible to simply ban them. Organizations have several options regarding policies for mobile use:
- Bring Your Own Device (BYOD): Employees use their personal devices for work purposes.
- Choose Your Own Device (CYOD): Employees select a device from a list of approved options, which the company then supports.
- Company-Owned, Business Only (COBO): The company provides mobile devices that employees can only use during work hours or for business purposes.
- Company-Owned, Personally Enabled (COPE): The company provides and pays for the device, allowing employees to use it for both work and personal activities.
There are pros and cons with each approach, and the best solution will vary depending on the organization. Many tech companies provide COPE, using it as an incentive to attract and retain talent. Regardless of the chosen policy, here are some essential cybersecurity best practices for using mobile devices securely:
- Enable encryption to prevent unauthorized access to sensitive data
- Only download apps from trusted sources
- Avoid using public Wi-Fi
- Regularly update your apps and operating system
The best way to ensure employees comply with these requirements is by using a mobile device management (MDM) solution. These solutions allow the IT department to enforce security policies, manage device settings, and monitor compliance. MDM can also remotely wipe data from lost or stolen devices, ensuring that sensitive information remains protected.
5. Ensure Workplace Premises are Secure
With so much of our focus shifting to the digital aspect of cybersecurity, it’s important to protect our physical premises as well. This includes the IT infrastructure, such as workstations, servers, and other valuable assets. Even the most robust digital security protocols can be compromised if physical security is neglected.
Here are the main pointers regarding physical security:
- Always lock your computer when stepping away from your workstation, even for a short period. This prevents unauthorized individuals from accessing your files and accounts.
- Shred any documents containing sensitive information before disposing of them. This prevents potential data breaches from discarded papers that could be retrieved from the trash.
- When not in use, store laptops, tablets, and other devices in locked cabinets or drawers to protect them from theft or unauthorized access.
When hosting visitors at the company premises, they should have limited access to restricted areas. Depending on the size of your location, you could also implement a sign-in process where each visitor is recorded and provided with a badge to showcase their legitimacy.
6. Promptly Report Incidents
Most cybersecurity professionals will tell you that it’s not a question of if an incident will happen but when it happens. In such a scenario, timing is crucial. The quicker you react to a potential breach, the better you can mitigate its impact and prevent further damage.
Employees play a critical role in minimizing the impact of security incidents, as they’re usually the first ones to detect them. As soon as suspicious activity is detected, it should be escalated to the appropriate team (typically the IT department) for further investigation.
Every organization should have an established set of protocols, roles, and responsibilities that employees can follow in the event of an incident.
7. Use AI assistants Securely
AI assistants like ChatGPT are great tools for boosting productivity and allowing employees to automate menial tasks. However, they should be used responsibly, as several cases of data leakage and information misuse have already surfaced in the media.
The biggest no-go regarding AI use is feeding the tool sensitive information, particularly involving customer data. When providing input, alter the sensitive information to protect privacy and confidentiality.
Before sharing any AI-generated content publicly, carefully review and ensure that it does not contain any sensitive or confidential information.
Importance of Cybersecurity Training and Collective Vigilance
Employees can be the strongest or weakest link in your organization’s cybersecurity efforts. By investing in regular cybersecurity training, employees will start developing more secure habits and cybersecurity behavior practices.
Remember, effective cybersecurity begins with each individual’s actions. Stay vigilant and proactive to safeguard against evolving cyber threats, and encourage your colleagues to do the same. A secure work environment is a collective effort that starts with you.
Article Contributors
Elevate Your Organization’s Cybersecurity Culture with Behavior-Focused Security Awareness Training
Transform your workforce into cyber defense champions with our Behavior-Focused Security Awareness Courses. Our innovative approach integrates gamification to embed positive cybersecurity behaviors in every employee.