Since it’s my first opportunity to write to you during October, Happy National Cybersecurity Awareness Month! I’ll be talking this week about security practices that you should bring to your workplace, whether you work from home, work from the office, or own your own business. Last week, Sterling talked about cybersecurity for personal technology, and all those principles hold true for business security. However, cybersecurity for work might pose a few different challenges than security at home. Let’s talk about those differences.
Phishing attempts will hit your work email just as much as, if not more often than, your personal accounts. The difference is that you’re no longer just dealing with your own information—because you are a member of a bigger organization, you’re dealing with financial information, sensitive data, and coworkers’ personal information. Also, it might be commonplace for you to get emails concerning financials or personal information. That’s where you must be extremely cautious and purposeful about looking for signs of phishing.
Does your employer have anti-phishing software set up on your work account? (I know we deploy it for our clients.) If you have access to that kind of technology, use it. It won’t be a cure-all, and you still must be vigilant about protecting your tech, but it is a huge step in the right direction. Our anti-phishing software, for example, gives alerts when someone outside your organization sends an email or when an email looks suspicious. It even pulls malicious emails out of an inbox so the intended recipient never sees the bad emails. If you’re in a position that allows you to implement tooling like this, I urge you to partner with an MSP and get it done. It will help you, whether it merely gives you peace of mind or saves your company from a massive financial loss.
The basics of password security that Sterling discussed last week remain the same—create strong passwords and save them in a safe place.
However, there are some work-specific password practices that warrant mentioning. First, do not share passwords. If your employer asks you and a coworker to share login information, whether to save money or for “efficiency,” don’t do it. Your security is worth spending the money, and sharing a login is not very efficient at all. Say you and Sally share a login to your company’s scheduling software. Then let’s say Sally gets fired because she never shows up to work. Sally is probably pretty mad about that. Your company has two options: go through the hassle of changing your login to make sure Sally can’t hijack your work operations (note: not efficient) or keep your login the same and run the risk that Sally uses that login as a terminated employee (note: security risk). Imagine Sally does access the software with your shared login and does some damage to your company’s operations. Now, in all of the logs that your company keeps, there’s no distinction between you and Sally. Who’s to say whether it was Sally or you who did all of that damage? Don’t allow yourself to be in such a situation. If you’re an employer, don’t put your employees in that situation. And, as an employer, you don’t want to be playing a guessing game as to who logged in with that shared account if things go wrong.
Second, especially in the workplace, do not write passwords on sticky notes and leave them at your computer. Let’s pretend that Sally from our first example was fired but didn’t share passwords (good start). She’s still pretty angry, and she has to get creative about accessing your company’s technology if she wants to do the company harm. If your company has good security, her options are either to learn how to become a super-effective hacker or to use the password that’s plastered to the front of your computer and access your account. I’m willing to bet Sally will take the path of least resistance (since she didn’t even show up to work very often), and then your account will be the one in question, and it’ll be difficult to prove it wasn’t you. Yes, my example is fictitious, but I promise we’ve seen this kind of malicious behavior in the workplace. If you haven’t already experienced something like this, it could happen in the future, and you’ll want to have taken every precaution.
Email and password security are two of the big areas that we educate staff about. There are other security issues in the workplace, but they differ between organizations and types of work. Apart from email and password security, know your organization’s technology guidelines, pay attention to its security practices, and follow its rules for use. And, of course, if your company is in need of a technology partner, call us. We’re here to educate and support you and your coworkers. It’s what we do.