High profile data breaches and successful phishing attacks ensure cyber security remains a hot topic of discussion amongst law firms, but it surfaces at every meeting I have with prospects and clients, regardless of their sector.
And despite the best efforts of organisations of every size and complexity to secure their systems, the modern cyber-criminal knows the weakest point is typically the individuals using the system, not the system itself.
It’s too simple to leave cyber-security to the IT team, whether in-house or outsourced. Everyone in an organisation, from the managing director to the finance team, must be trained to recognise threats and to reduce the risk of a serious breach. For many organisations the reputational damage of a hack or theft may outweigh the monetary value of any loss.
But it’s time the focus switched to practical advice, rather than just news of more impending problems. We deliver cyber-security training to staff at a growing number of organisations as the message begins to get through about where the vulnerabilities in a system really lie.
Here are a few of the best cyber security working practices and helpful hints:
PC & Laptop Security
- Lock your PC when you leave your desk.
- Do not store private/sensitive information on your desktop or in unsecured local folders.
- If you receive an anti-virus alert, immediately report it to the helpdesk.
- Do not install any software/apps that have not been specifically authorised.
- Read any on-screen alerts and understand them. Don’t just click on them to get rid of them!
- Shut down your PC at the end of the day (to ensure updates are automatically installed).
- Lock mobile devices with a password or Personal Identification Number (PIN).
- Turn off Wi-Fi and Bluetooth services when not in use.
- Learn how to create and remember strong passwords.
- Never disclose your password (even to IT Support).
- Change your password regularly.
- Look out for suspicious e-mails: check the sender address, the content and wording, urgent requests, requests to follow links and unexpected attachments.
- Beware phishing and spear-phishing e-mails, e.g., an unexpected request for information written in a familiar tone and claiming personal knowledge of you.
- Be aware the sender address could be fake; double-check the content and wording, and treat urgent requests, requests to follow links and unexpected attachments with suspicion.
- Ensure you have appropriate e-mail security that’s current, patched and managed.
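The e-mail warning signs in the list above (a sender address that does not match the name shown, a reply address that differs from the sender, pressure wording, link text that points somewhere other than the visible address, and unexpected risky attachments) can be checked mechanically as well as by eye. The script below is an added example written for this page, not code from the author or from Quiss Technology; the two messages, the trusted-domain list and the keyword lists are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed values: an organisation would substitute its own domains and wording.
TRUSTED_DOMAINS = ("example-bank.test",)
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".zip", ".docm", ".xlsm")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Host part of an absolute URL, lower-cased; empty string if no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def normalise(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return the names of the warning signs that fire for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name impersonates a trusted organisation, but the real address is elsewhere.
    for d in trusted_domains:
        if normalise(d.split(".")[0]) in normalise(display_name) and from_domain != d:
            found.append("display-name-mismatch")
            break
    # 2. Replies are silently redirected to a different mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        found.append("reply-to-differs")
    body_text, body_html, attachments = "", "", []
    for part in msg.walk():  # leaf parts only carry payload; containers are skipped
        fname, ctype = part.get_filename(), part.get_content_type()
        if fname:
            attachments.append(fname)
        elif ctype == "text/plain":
            body_text += part.get_payload(decode=True).decode("utf-8", "replace")
        elif ctype == "text/html":
            body_html += part.get_payload(decode=True).decode("utf-8", "replace")
    text = " ".join([msg.get("Subject", ""), body_text, body_html]).lower()
    # 3. Urgency or pressure wording in subject or body.
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgency-wording")
    # 4. Visible link text names one host while the href goes to another.
    collector = LinkCollector()
    collector.feed(body_html)
    for href, shown in collector.links:
        shown_host = hostname(shown) or (shown.lower() if "." in shown else "")
        if shown_host and shown_host != hostname(href):
            found.append("link-text-mismatch")
            break
    # 5. Attachment types commonly used to deliver malware.
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        found.append("risky-attachment")
    return found


# Constructed sample: a spear-phishing style message with all five warning signs.
SAMPLE_PHISH = """\
From: Example Bank Support <support@examp1e-bank.test>
Reply-To: collect@mailbox.test
To: user@example-bank.test
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. <a href="http://examp1e-bank.test/login">https://www.example-bank.test/login</a></p>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary notification from the real domain.
SAMPLE_LEGIT = """\
From: Example Bank Support <support@example-bank.test>
To: user@example-bank.test
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is available in online banking. Log in as usual to view it.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

The checks are heuristics for a mail gateway or a training exercise, not proof: a message that trips none of them can still be malicious, and a genuine message can trip one, so the output is best used to flag mail for the closer reading the list above asks for.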
Using Wi-Fi – Best practices
- When using public Wi-Fi ensure you log off any services you were signed into.
- Tell your device to forget the network (to prevent future automatic connection).
- Make sure you can identify the correct network.
- Avoid conducting financial or corporate transactions on unsecured public networks.
Identify secure Wi-Fi connections
- Is the network name correct?
- Does it require a security code?
- Is the security code individual to you?
- Identify secure web connections: check for https:// and a padlock in the browser.
- Be aware of/look for any suspicious links.
Awareness of Social Engineering
- Make sure your social networking profiles (e.g., Facebook, Twitter, YouTube, MSN, etc.) are set to private.
- Be aware of what information you share online e.g., LinkedIn.
- Be cautious when giving out personal information on the Internet.
Using Portable Media
- Never plug an unknown USB drive into your PC/Laptop.
- Do not plug your USB powered device into a public USB charging point.
- Encrypt USB drives if possible.
This list is by no means exhaustive and only scratches the surface of the complex challenge cyber security poses for organisations of every size, from micro to mega corporations in this always-on, digital world.
Criminals will continue to develop ever more sophisticated methods to steal, and it’s essential that cyber-security training changes to reflect these new approaches; but that is of little use unless we are tasked with sharing this information with your employees.
I expect this is a topic I will cover regularly, but for now I urge every organisation to provide regular cyber-security training for every employee, regardless of their access to your network; an innocent posting on Facebook or Instagram might be all the criminals need to go spear-phishing. You have been warned.
Matt Rhodes, Commercial Services Manager, Quiss Technology