Cybersecurity Awareness Month occurs every October. Now in its 18th year, the theme for 2021 as decided by the Cybersecurity & Infrastructure Security Agency (CISA) and National Cyber Security Alliance (NCSA) is “Do Your Part. #BeCyberSmart.”
We’ve put together our own tips to help employers and employees alike make smart decisions and “be cyber smart” when it comes to their cybersecurity.
BE CYBER SMART
Keep your personally identifiable information (PII) secure.
- Create strong passwords (and don’t re-use them). Length matters more than forced complexity, so a long passphrase beats a short string of symbols, and a password used on one site should never be used on another. Consider using a trusted password manager to generate and keep track of your unique passwords in a secure fashion.
- Use multi-factor authentication (MFA). Having a secure password isn’t enough. When the option is available, turn on multi-factor authentication. MFA requires a second, independent proof that you are who you say you are (something you have, such as a code from an authenticator app, a push prompt, or a hardware security key) before it gives you access to a device or application. A code that’s texted or emailed to you is better than no second factor, but it can be intercepted or redirected, so prefer an authenticator app or hardware key where offered. A security question is just another thing you know, not a true second factor.
- Protect your credit card information. Be careful where you enter your card information online and in-person. Digital wallets can be a good alternative when the option is available at a payment terminal. They use a protection feature called “tokenization”: a substitute token stands in for your card number, so your actual card details are not shared with the merchant.
PHIGHT THE PHISH!
According to Verizon’s 2021 Data Breach Investigations Report, 36% of data breaches in 2020 involved phishing (up 11 percentage points from the previous year’s report). With attacks becoming more prevalent, it’s important to keep the following things in mind before trusting an unexpected email from an unknown source:
- Don’t let an email scare you. If you receive an email that threatens you with consequences for not doing something immediately, this is a HUGE red flag. This tactic is commonly used to try and get you to act without thinking.
- Check who the sender is. Look at the actual sending address, not just the display name, which anyone can set. If the email is from an organization, the domain after the “@” should match what’s on the organization’s website; a look-alike domain with an extra word or a swapped letter is a common trick. If it’s from a person you know, check to make sure it’s their email address and not someone claiming to be them.
- Names and logos aren’t enough. These things can be found through a simple Google search.
- Are they asking for PII? A legitimate company would not ask you to provide sensitive information (e.g., credit card information, SSNs, passwords, etc.) via email.
- An email from a trusted organization should be well-written. Fake emails often contain bad spelling and/or grammar, though a clean, well-written email is not proof that it’s legitimate.
- Do NOT click on an unsolicited attachment. These attachments often contain malware.
- Check links before clicking on them. Hover over a link (or long-press it on a phone) to see where it really goes, make sure the domain is spelled correctly, and be suspicious when the visible text says one address but the underlying link points somewhere else. Additionally, avoid clicking on shortened links such as Bit.ly or TinyURL, as these can be used to mask a malicious destination.
- Even trusted sources could be malicious. If a friend or co-worker sends you an unsolicited link or attachment, and something just doesn’t seem right about the email, give them a call to make sure they sent the email to you.
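The sender, urgency and link checks in the list above can be mechanized. The script below is an added example, not code from the original post or from Benefit Resource; it parses a raw email, compares the From address domain with the organization’s real domain, looks for threat language, and flags shortened links, links to untrusted hosts, and anchors whose visible text shows a different address than the one they actually open. The sample messages are constructed for the demo (example.com is the trusted domain; the look-alike sender domain is invented), and the shortener list and urgency phrases are short assumptions to be extended for real use.

```python
"""Flag common phishing indicators in a raw email (added example, not from the page)."""
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed starter lists; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY = re.compile(
    r"\b(immediately|urgent|within \d+ hours|will be (?:suspended|closed|terminated))\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.example.com' text is handled too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host: str, trusted: str) -> bool:
    return host == trusted or host.endswith("." + trusted)


def analyze(raw: str, trusted_domain: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for a single-part RFC 5322 message."""
    msg = message_from_string(raw)
    findings: list[tuple[str, str]] = []

    # 1. Sender: the address domain matters, not the display name.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if not same_org(sender_host, trusted_domain):
        findings.append(("SENDER_DOMAIN_MISMATCH",
                         f"display name {display!r} but address domain {sender_host!r}"))

    # 2. Threat / urgency language in subject or body.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for field, text in (("subject", msg.get("Subject", "")), ("body", body)):
        m = URGENCY.search(text)
        if m:
            findings.append(("URGENCY", f"{field}: {m.group(0)!r}"))

    # 3. Links: shorteners, untrusted hosts, and text that claims a different URL.
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host in SHORTENERS:
            findings.append(("SHORTENED_LINK", href))
        elif not same_org(href_host, trusted_domain):
            findings.append(("UNTRUSTED_LINK", href))
        if re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != href_host:
            findings.append(("LINK_TEXT_MISMATCH", f"shows {text!r} but opens {href!r}"))
    return findings


# Constructed sample messages for the demo; not real emails.
SAMPLE = """\
From: "Example Corp Support" <support@examp1e-secure.net>
To: employee@example.com
Subject: URGENT: verify your account immediately
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended within 24 hours unless you verify your password.</p>
<p>Click <a href="http://bit.ly/3abcXYZ">https://www.example.com/login</a> now.</p>
<p>Or visit <a href="https://www.example.com/help">our help page</a>.</p>
</body></html>
"""

BENIGN = """\
From: "Example Corp HR" <hr@example.com>
To: employee@example.com
Subject: October newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>The October newsletter is on
<a href="https://www.example.com/news">the intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE, "example.com"):
        print(f"{code:22} {detail}")
```

Run it and the constructed sample trips five indicators while the benign newsletter trips none. A mail gateway does the same thing at scale; the value of the manual checks is that they work when the gateway has already let the message through.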
Not Sure? Then Double Check.
If you’re not 100% sure the message you received is legitimate, take steps to verify with the sender through a channel the email didn’t give you. For example, if it’s someone you work with, give them a quick phone call or stop by their desk to chat. In the same vein, when you receive an email regarding a company or account, open a new tab in your browser and type the company’s website address yourself rather than following the link in the message.
HR plays an important role in cybersecurity. With the ever-increasing push to do more things virtually, it’s important to not make cybersecurity an afterthought. Here are some things your business can do to be cyber smart year-round:
- Develop a comprehensive organizational security policy. Work with your IT team or external industry experts to create company policy covering digital and physical security rules and best practices for employees to follow.
- Routine training. Require all employees to go through cybersecurity training multiple times a year — not just when they’re onboarded. Keep them engaged by using an interactive program that includes phishing simulations and role-based training.
- Require workers to use the company’s VPN to access sensitive information. A Virtual Private Network, or VPN, establishes an encrypted tunnel between the user’s device and the company network, so data and traffic that travel through it can’t be read or tampered with on untrusted networks such as home, hotel, or coffee-shop Wi-Fi. Protect the VPN login itself with MFA. This is a must-have if you have any employees working remotely!
- Lock down your emails and web browsers. Emails sent to and from your employee inboxes that contain sensitive information should be encrypted. Additionally, use spam and web filtering software to minimize the chances your employees click on a dangerous website or link.
- Keep software and devices up-to-date. Software and device updates often patch security holes.
- Back up organizational data. A backup ensures you still have what you need to get the company up and running again if your network is ever compromised. Keep at least one copy offline or otherwise isolated from your network, so an attacker who gets in can’t destroy the backups along with everything else, and test that you can actually restore from it.
- Perform a yearly Penetration Test. How easy would it be for a cybercriminal to breach your company’s database(s)? It’s probably easier than you think. To see for yourself, hire an external party to perform a Penetration Test (sometimes called a PenTest). This company can identify weak points in your network and systems. Then, you can get them patched up before they are exploited. Make sure a non-disclosure agreement and a written scope and authorization are in place before you get started with a PenTest vendor.
You may be cyber smart…but are your partners/vendors?
You might be doing everything right. But what about all of the organizations you work with? How are they protecting the data you share with them?
Benefit Resource takes our security extremely seriously. As a SOC 1 and SOC 2 audited organization, we go above and beyond to ensure that client and participant data doesn’t fall into the wrong hands. Request a proposal to learn more.