5 Cybersecurity Tips for Responsible Corporate Citizens
It’s National Cybersecurity Awareness Month, which is a great time to review some cybersecurity tips to help you and your organization protect against cyberattacks. Below are some basic tips that address common issues that can help you avoid very serious impacts to you personally, your organization, and even your customers.
- Pay close attention to your cybersecurity training.
Unfortunately, when it comes to corporate training, we tend to quickly race through the videos, content, and quizzes to remove it from our “to-do” lists and ensure that we do not appear on the lists sent to upper management.
Instead, pay attention. It only takes a few minutes, and that training is specifically designed to make you think about concepts and tactics that may not be top of mind.
The cybersecurity threat landscape is constantly changing, and security training is a good way to stay connected to those changes. Organizations that invest in this training typically use specialized training partners and the content is updated regularly to include current-day threats.
- Trust but verify.
The majority of all cyberattacks rely on social engineering for successful execution. According to Verizon’s 2020 Data Breach Investigations Report, social engineering attacks are delivered by email 96% of the time with phishing emails—the goal of which is to get users to install malware—accounting for the majority of them. However, social engineering is more than just phishing attacks. Social engineering is the manipulation of people to perform actions or provide information that allow attackers to gain access to restricted systems or physical areas. This can include in-person interaction, like tail-gating, voice interaction or perhaps even written letters to support pretexting and baiting scams.
Attackers invest significant energy into making you believe that social engineering attempts are real. They research an organization for months, leveraging information like organizational charts and current news events to create compelling scenarios to get you to believe that their emails, phone calls, texts, and written correspondence are legitimate.
The basic rule of thumb is, if you do not know someone—meaning you have not had any interaction with them, and have no way to reference their behavior identity—and they are asking you to click on a link, install a piece of software, or provide information, then you should verify that the request is legitimate. The individual making the request should understand and not be threatened by your need to verify. If they are, that’s a sign of concern.
- Validate your security-related decisions.
If you have a decision to make that is somewhat questionable—for example, sharing information with a colleague to complete a task for a customer under a tight timeline where you may be uncertain if that colleague is authorized to access that information—make sure you follow the proper decision channels to clear that action. Even though you and your colleague may work for the same organization, the customer may have specific requirements that must be met for individuals to access their information, and your colleague may not meet those requirements. It’ll keep you from repercussions by your organization in case something negative occurs as a result of the decision. Plus, following the practices and policies that help drive those decisions will enable the best possible outcome, while significantly mitigating the chances for a negative occurrence.
Consider seeking out a cybersecurity professional in your organization to validate your understanding of security policy and practices. This isn’t a replacement for following the formal rule or practice for decision making, but more of a peer check to help understand which direction you should take. For example, if you receive an email and you question its legitimacy, a cybersecurity expert can quickly look at that email and help you determine if it has mal intent. Or with the previous example about information sharing, the cyber expert can provide guidance as to whether sharing that information would pose a risk and if you should seek formal approval.
As a basic rule of thumb, if you are not aware of a specific agreement or rule that allows an action, then you should validate that action; do not make assumptions. In this case, it is much better to be overly cautious. And you will find that customers tend to appreciate this behavior as well.
- Don’t pursue workarounds.
Workarounds, while in general a good practice for overcoming impediments, are a terrible practice when it comes to cybersecurity. Security controls, such as administrative rules that prohibit the sharing of system access credentials, or technical controls like endpoint virus protection that scan real-time activity on your computer workstation, protect against attacks that can compromise your organization’s systems. When a trusted resource, such as an employee with access to these systems, works around any of these controls, it creates a weakness in the organization’s protection model that could be leveraged by an attacker. As an example, sharing a user credential with a colleague instead of requiring that colleague to obtain their own credentials creates a situation where those credentials no longer establish a context of non-repudiation. If those credentials are used to access a system, it is not possible to ensure that the individual gaining access is authorized. And disabling your workstation endpoint protection, such as a real-time malware detection agent, may allow a malicious program to run on your workstation undetected, potentially collecting important information or attacking other parts of your organization’s environment.
- Know the rules.
You should always practice “RTM” (Read The Manual) when it comes to security policies. This doesn’t only protect your organization, but it can also protect you. These rules ensure that everyone who is part of the organization’s eco-system behaves similarly and appropriately, which is important especially when the single biggest risk to an enterprise’s security posture is the individual. Knowing these rules can also protect you from personal sanctions regarding decision-making especially in highly regulated industries. The last thing anyone wants is to be held personally liable for decisions made while working for an employer.
So, make sure you are very familiar with the rules. In case something is not clear, dial that cybersecurity friend that you made after reading these tips!
Cybersecurity isn’t always about the bits and bytes of technology. In fact, the most common attack method has nothing to do with technology at all. However, by making sure you pay close attention to cybersecurity training, verify all calls to action from others for information, validate important security-related decisions, never work around security controls, and know your company’s policies, you should be well on your way for preventing the next big cybersecurity event.
Drew Frazier is a Sr. Business Development Director for Security at Logicalis, responsible for security advisory, consulting and managed security offerings as well as assisting with the overall growth of our security business.