The Guide to Creating a Culture of Security

Your business data has never been more valuable – or vulnerable. The current and constantly changing cyber landscape has caused many businesses to assess their protection strategies, starting with their users. Every day, new security threats are created, putting your critical business data at risk.

The key to creating a lasting culture of security in your business begins with making intentional choices and developing healthy IT security habits.

Your users are your first line of defense to protect against looming threats, but do they know what to look for? Are they equipped with the knowledge to make conscious and intentional decisions to prevent threats?

All it takes is ONE.

ONE email. ONE click. ONE mistake.

And just like that, your entire system, network and business could fall victim to ransomware – giving cybercriminals access to your sensitive data.

Company Security: Perception vs. Reality

There's perception, and then there's reality – which can be a hard pill to swallow for some. Approximately 80% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyber-attacks. There's a common theme among businesses: anyone outside of IT thinks that security is an IT problem, whereas IT sees it as an "everyone else" problem. The reality is that IT security is everyone's responsibility.

  • Perception: Employees are creating strong passwords.
  • Reality: 45% of U.S. adults use weak passwords of 8 or fewer characters.


  • Perception: Company security guidelines are being followed.
  • Reality: 70% of U.S. workers think it’s up to IT to protect their accounts.


  • Perception: Employees are only using software installed by IT.
  • Reality: 63.5% of U.S. workers have accounts that IT doesn’t know about.


  • Perception: My users wouldn’t click on malicious emails or documents.
  • Reality: 85% of data breaches involve phishing, human error or stolen credentials.


  • Perception: Our password policy will keep us protected.
  • Reality: Only 34% of businesses say they strictly enforce their password policy.


91% of employees understand the risk of reusing passwords, yet 66% admit to doing it anyway.

Each person in your organization plays a critical and equal role in protecting your organization from threats. In order for security procedures to be effective, they require total participation from your users, but that's likely not the case.

It's up to you to provide the right tools, guidance and management, so let’s explore some key areas to help you get started.

Password protection

Reusing passwords – we've all done it at some point, and it may seem harmless to tack a few extra numbers or characters onto the end of an old password. In practice it opens a door: credentials leaked from one breached site get replayed against every other service (credential stuffing), and cracking tools try common suffixes and substitutions first, so "Summer2023!" and "Summer2024!" are effectively the same password. Understanding what makes a password insecure is the first step toward better password hygiene.

80% of data breaches are linked to passwords – making them your single greatest and most easily targeted vulnerability. Password compromise cannot be ruled out entirely, but proper hygiene and practices make it far less likely and limit the damage when one password does leak.

Here are a few best password practices to implement:

  • Favor length over complexity: set a minimum of 12 to 16 characters and allow passphrases. Composition rules (mandatory symbols, digits and mixed case) add little and push users toward predictable patterns such as a capitalized word, a year and an exclamation mark.
  • Screen new passwords against lists of known-breached and common passwords, and require a change only when there is evidence of compromise. Scheduled forced rotation mostly produces incremental variants of the old password; current NIST SP 800-63B guidance recommends against both composition rules and periodic rotation.
  • Use a unique password for each account.
  • Use a password manager to help your users manage passwords, answers to security questions and account information; it is what makes long, unique passwords practical.
  • Pair passwords with multi-factor authentication wherever it is offered, so a stolen or reused password is not enough on its own.
  • Don't share your login credentials with anyone, or worse – write them on a sticky note and leave it on your desk.

The best defense against password cracking is length.

Following these guidelines makes passwords longer and harder to guess, and, with a password manager doing the remembering, easier for users to live with.
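To make the guidance above concrete, here is an added example (it is not from the original article or from CCB Technology) of how a password check can enforce length and breach screening instead of composition rules, and why "old password plus one" variants are worthless. It assumes a constructed six-entry breached-password list standing in for a real corpus, and the function names (base_form, is_breached, check_password) are this example's own. The breach lookup is structured the way k-anonymity range queries work: the client sends only the first five hex characters of the SHA-1 hash and compares suffixes locally, so the password itself never leaves the client.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus; a real deployment would load a
# list such as the Have I Been Pwned "Pwned Passwords" set. These six entries are made up here.
_BREACHED_PLAINTEXT = {"password", "123456", "qwerty", "letmein", "summer2023", "welcome1"}

# Common "leet" substitutions that cracking rule sets undo first.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i"})


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def base_form(password):
    """Undo the mangling cracking tools apply first: strip trailing digits/symbols,
    reverse common leet substitutions, fold case. "Summer2023!" and "Summer2024!"
    both reduce to "summer"; "P@ssw0rd1" reduces to "password"."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.translate(_LEET).lower()


# Index the corpus the way a k-anonymity range lookup does: keyed by the first five hex
# characters of SHA-1, so a client can query by prefix and never send the password.
_RANGE_INDEX = {}
for _pw in _BREACHED_PLAINTEXT:
    _digest = _sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])
# Base forms of the breached entries, so trivial variants of them are caught too.
_BREACHED_BASES = {base_form(_pw) for _pw in _BREACHED_PLAINTEXT} - {""}


def range_lookup(prefix):
    """Server side: every known hash suffix under a 5-character prefix."""
    return _RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password):
    """Client side: hash locally, ask for the prefix range, compare suffixes locally."""
    digest = _sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def check_password(candidate, min_length=14, previous=None):
    """Return the policy findings for a candidate password (empty list means accepted).
    Length and breach screening replace composition rules; the variant checks show why
    forced rotation tends to produce "old password plus one" rather than a new secret."""
    findings = []
    if len(candidate) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if is_breached(candidate):
        findings.append("appears in breached-password corpus")
    base = base_form(candidate)
    if base and base in _BREACHED_BASES:
        findings.append(f"trivial variant of a breached password (base form {base!r})")
    if previous is not None and base and base == base_form(previous):
        findings.append("only case, leet spelling or trailing digits/symbols changed from the previous password")
    return findings


if __name__ == "__main__":
    for pw in ["Summer2024!", "correct horse battery staple", "P@ssw0rd1"]:
        print(pw, "->", check_password(pw) or "ok")
```

Note that "Summer2024!" satisfies every classic composition rule (upper, lower, digit, symbol) and still fails: it is short and its base form is a breached password. The 28-character passphrase passes without containing a single digit or symbol, which is the point of favoring length.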

Let's be real: your business probably cannot afford lapses in productivity, and it is easy to treat IT security as one more interruption. But in the event of a breach or a malware outbreak, how long can your business afford to be down? Probably not long without significant financial and operational loss. Under pressure to work faster, employees look for shortcuts: they sign up for apps and tools your company has not approved or vetted (the accounts IT doesn't know about from the statistics above). Without controls over what can be installed and where credentials are used, IT has no oversight of those accounts until something goes wrong.

With remote and hybrid work models still at the forefront of organizations today, we continue to see relaxed and, in some cases, outdated security protocols. Regularly assessing your security strategy will help align your IT with your evolving business needs.

BYOD Policy

BYOD creates real security risk, because devices IT does not manage still hold company mail and data. Short online courses for mobile workers can teach employees how to avoid the common mistakes without heavyweight controls. Any device used for company email or business applications should have a screen lock (PIN, password or biometric) and full-device encryption, so that a lost or stolen phone does not hand over its contents; a biometric unlock is a convenience on top of encryption, not a substitute for it.

Understanding the safe use of personal devices should be required for all employees and mandated as a part of new employee onboarding, including having them sign a mobile security policy.

Phishing Awareness

Phishing attacks prey on human nature: they offer an incentive (free stuff, a business opportunity, a package waiting for you) or borrow someone's authority, then create a sense of urgency so the target acts before thinking. Use these examples of common phishing emails and tips for identifying attempted attacks in your awareness training program.

  • Always filter your spam emails.
  • Don't click unsubscribe links in unsolicited emails – block or report the sender instead.
  • Don't trust unsolicited emails.
  • If you receive an urgent email from a company executive, don't respond! Call them directly, using a number you already have, not one given in the message.
  • Check the source – is that email really from FedEx? Look at the actual sender address and domain, not just the display name.
  • Never send money or credit card information to people through email requests.
  • Hover over links before clicking to see where they actually lead; the visible text can say one thing while the link points somewhere else entirely.
  • Beware of attachments on unsolicited emails. If something looks off with a known contact's attachment, verify it with the sender (via phone, text, or another medium) before opening.
  • Phishing attacks can occur through email, SMS, business collaboration platforms, etc.

Malware

Cybercriminals use malware to steal data or infiltrate an organization's systems with ransomware or wiper malware. It's delivered in various ways, including phishing emails, drive-by downloads, and malicious removable media.

Important points include:

  • Be suspicious of files attached to emails or downloaded from websites, even when they appear to come from someone you know.
  • Never install unauthorized software – check with your IT team if you need something.
  • Never attempt to disable your antivirus or firewall.
  • If you suspect you have a malware infection, contact the IT/security team immediately.

Removable Media

USB drives, CDs, and other removable media can deliver malware, exfiltrate data, drop ransomware, or destroy the computer they are plugged into. Windows can still launch programs from them automatically through AutoRun/AutoPlay, so make sure it is disabled centrally (the "Turn off AutoPlay" Group Policy setting, or the NoDriveTypeAutoRun registry value) rather than relying on users to decline. Tell employees never to connect removable media to any computer unless the IT team has scanned it first.

Safe Internet Practices

Here are areas to cover regarding safe internet practices that will help prevent attackers from entering your network:

  • Recognizing suspicious or spoofed domains (such as yahooo.com instead of yahoo.com)
  • What HTTPS does and does not tell you: the padlock means the connection to that site is encrypted, not that the site is legitimate. Phishing pages routinely use valid certificates, so check the domain, not just the padlock.
  • The risks of downloading software, images, fonts and more from the internet.
  • The dangers of entering credentials on websites - recognizing fake and phishing pages.
  • Discuss watering hole attacks, drive-by downloads, and other threats from browsing suspicious sites.
  • Free software can be infected with malware. Check with IT for trusted sources before installing.

Keeping Security Top of Mind

Regardless of your organization’s size, staying up-to-date on the latest threats and keeping security top of mind is the best way to stay ahead of cybercriminals. It all starts with your end users—they are either your first line of defense or your greatest vulnerability. Although human error can’t be eliminated, it CAN be reduced by arming your users with the right information, training, and awareness needed to identify and prevent cyber attacks.

If you’re helping to manage your organization’s IT security, you should never have to do it alone – you need the support of everyone in your company behind you.

We didn’t cover everything here, but you can read more in our eBook: The Ultimate Guide to Creating a Culture of Security.

Mike Borst

Interested in all things IT, AI, and Cybersecurity

3 weeks

Good stuff! Thanks for sharing :-)

Great article! Great information!

More articles from CCB Technology