If the pandemic did anything positive for the world over the past couple of years, it served as a reminder for good hygiene practices. When it comes to cyber security, good cyber hygiene is a critical part of keeping your organization’s data safe. However, this goes well beyond keeping viruses at bay. Digital hygiene includes a variety of security measures, and every employee has a part to play. Unfortunately, recent data revealed that a lack of employee awareness and training is the next big threat to organizations’ information security. Let’s see if we can work together to change that.
Why is cyber hygiene so important?
Think about it: Maintaining good personal hygiene is something you are taught as a kid. “Make sure you brush your teeth before bed.” “Did you wash your hands?” “Clean your room!” And those habits tend to stay with you for a lifetime. Good habits can prevent poor health, in many cases extend your life, and frankly, make you more desirable to be around. In the same way, good cyber hygiene habits can help your organization avoid security issues which could damage both your financial health and your good reputation.
The 3 principles of good cyber health
Let’s use the analogy of teeth cleaning when thinking about the standards for good cyber hygiene. For good dental health you 1) use products that fit your needs (toothbrush, toothpaste); 2) perform the tasks correctly (brush for 3 minutes, don’t forget the back!) and 3) establish a routine (brush 2-3 times a day, floss, visit the dentist regularly). So, let’s break down those 3 principles (having the appropriate products and tools, using them accurately, and using them regularly) in terms of the cyber health for your organization.
Use the right tools
Ever tried to brush your teeth with your finger instead of a toothbrush? Yeah, forgetting to pack your toothbrush on a trip is the best way to remind yourself that you really need the right tool to do the job! The same is true when it comes to cyber hygiene. Without the right products and tools, information you think is safe could, in fact, be very much at risk. They should include:
- reputable antivirus and malware software
- a network firewall
- strong password protection
These tools should help you feel more confident about the security of your network and your staff’s computers, laptops, smartphones, and other devices. But they alone are not enough.
Make sure you’re doing it right
Even with a toothbrush, if you are only going to do a quick swipe across your teeth you aren’t going to get rid of all the bad stuff. You need to take your time. And additional tools may be needed; perhaps some dental floss and mouthwash are also in order. Well, the same goes for data on your staff’s computers and elsewhere throughout your network: These can demand special attention from time to time to maintain the organization’s security. For example, regularly emptying your computer’s trash can or recycle bin does not completely remove sensitive data. This requires the use of data-wiping software. And sure, everyone knows they have to use passwords. But if they aren’t putting in the effort to create complex, unique passwords every time and store them in a safe place, your data is at risk.
Establish a routine…and stick with it!
Just like any good habit you want to maintain, you have to put in some forethought and planning: Allow 10 minutes each evening to thoroughly clean my teeth; put a reminder in my phone to make a dentist appointment every six months. In the same vein, you should mark your calendar to perform cyber hygiene tasks on a regularly scheduled basis. From scanning for viruses, to updating operating systems, to reminding staff to change passwords, all of these will become second nature to both you and your staff when performed regularly.
Cyber hygiene tips to share with your staff
As I mentioned in the beginning, data reveals that employees are the frightening common denominator when it comes to cyber security risk. So, let’s go over some critical things your staff need to be made aware of and remain vigilant about.
1. Install and update antivirus software
This is a vital element of overall cyber hygiene. You know as an organization that you need antivirus and anti-malware to scan all files, quarantine anything suspicious and if necessary, erase malicious files. But you need to make sure your staff also know to keep this software updated on their personal devices, particularly as these are now playing a bigger role than ever in today’s hybrid work environments.
2. Beware of phishing emails
Emails are a central carrier of viruses and phishing attacks. While you should have security software installed to scan files that are attached to email, staff also need to know what to look out for when opening messages. They should be trained to verify the source of any email before clicking links, especially if the message appears to come from a financial institution, the government, or a vendor. They should learn to look for signs of phishing such as typos, poor grammar, or a URL with a domain that doesn’t match the organization’s actual website. When in doubt, teach them to not respond or click a link without first going to the company’s website or making a phone call to them to verify. This post gives some visual examples of what they should look for.
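As an added illustration of the "domain doesn't match" sign described above (example code written for this page, not from the original post), the script below scans a few constructed email bodies for links that do not belong to the organization's real domain. It assumes a hypothetical organization domain, examplebank.com, and goes slightly beyond the text: besides a plain mismatch it also flags the real domain buried as a subdomain of someone else's domain, one-character lookalike domains, and HTML links whose visible text differs from where they actually point.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages, labelled by the trick each one contains (not from the original post).
SAMPLE_EMAILS = {
    "legit": "Your statement is ready: https://secure.examplebank.com/login",
    "subdomain_trick": "Verify now: https://examplebank.com.account-verify.net/login",
    "lookalike": "Update your details at http://examp1ebank.com/update",
    "anchor_mismatch": 'Click <a href="https://evil.example.net/x">https://www.examplebank.com</a>',
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host):
    """Last two labels of a hostname ('secure.examplebank.com' -> 'examplebank.com').
    Assumption: no multi-label public suffixes such as 'co.uk' are involved."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes like 'examp1ebank.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, expected):
    """Return None when the host belongs to the expected domain, otherwise a finding kind."""
    actual = registrable_domain(host)
    if actual == expected:
        return None
    # Real brand domain appearing as a label sequence inside someone else's domain.
    if ("." + host.lower() + ".").find("." + expected + ".") != -1:
        return "subdomain-trick"
    if edit_distance(actual, expected) <= 2:
        return "lookalike"
    return "external"


def analyze(message, expected_domain):
    """Scan one message and return (url, kind) findings; an empty list means nothing suspicious."""
    findings = []
    # 1. HTML links whose visible text shows a different domain than the real target.
    for href, text in ANCHOR_RE.findall(message):
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            real_host = urlparse(href).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append((href, "anchor-mismatch"))
    # 2. Every URL in the body, checked against the organization's real domain.
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if not host:
            continue
        kind = classify_host(host, expected_domain.lower())
        if kind:
            findings.append((url, kind))
    return findings


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(name, analyze(body, "examplebank.com"))
```

The "external" finding is not proof of phishing (vendors and mail providers legitimately link elsewhere); it is the cue to apply the rule above and confirm through the company's published website or phone number before clicking.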
3. Protect information sent over the phone
Telephone scams have been around since long before the internet was invented. The omnipresence of mobile phones, along with the ability to text, makes it easier than ever for the bad guys. You need to train your employees on the signs of a phone scam, even if the number calling or texting them appears to be legitimate. (Back in late 2020 I wrote about a perfect example of a convincing “smishing” – or phishing via SMS – text I received, allegedly from USPS.) As with email, if there is any doubt, they should not respond or click any links, and instead call the (alleged) company’s published number and speak with an official representative, especially if the person at the other end is asking for personal or financial information.
4. Learn about Pa$sw0rd security
Staff should be taught the correct ways to set up, use and store passwords. Passwords should be long and complex, and not be reused from account to account. They should be encouraged to use password managers and reminded not to share or write down their passwords. (Also consider this great hack I recently discovered, that makes the already secure password managers even more so.) You should consider requiring frequent password changes. If you haven’t already done so, write up strict password policies and make sure your staff is aware of – and adheres to – them.
5. Pay attention to network security
When working remotely, teach staff to avoid public networks when possible. If not, remind them to never send sensitive information when logged into these networks.
6. Hide screens
They should keep screens containing sensitive information shielded from prying eyes. This includes when they’re away from the device as well as when they are using it. For example, they should shut down their computers when leaving for the day, or log out temporarily even when briefly leaving their desks. (Obviously, these concerns will vary based on the size of your organization.)
7. Access only safe websites
While antivirus software typically displays a warning screen for sites that seem insecure, you should still teach employees to look for the lock icon or the “https” in their browser’s address bar when trying to access a website. And of course, they should never log into any website to transmit sensitive or financial information without first seeing these indications of security.
8. Install only trusted software
In the same vein, staff should only install software on their personal devices that comes from trusted sites.
9. Keep apps updated
While your IT team may take care of updating apps and programs on company devices, users should make sure they’re using the latest version of software on their personal devices. Let them know that updates often contain critical patches that ensure security by fixing recently discovered flaws.
10. Back up your data
Employees should be reminded that their data should be frequently backed up, preferably to more than one source. (Good examples: an external hard drive and the cloud.) If your budget allows, consider issuing external hard drives to all staff for this purpose.
Training is the name of the cyber hygiene game
While simply sharing these tips with your staff is a great first step to improving cyber hygiene, thorough – and regular – cyber security training is key. Risks are constantly evolving, and as with personal hygiene, developing good habits takes practice. In this new era of hybrid work and the incorporation of personal devices into work life, it is more important than ever that employees get routine training. And there’s no time like right now to get started!