11 things you should never do at work (or at home)
Your security and IT team knows everything about the danger of cybercrime, phishing, Business Email Compromise and malware. They know the importance of practising good cyber hygiene. But how well do the rest of your staff know and practise the basics of safe computing? In this guide, we outline 11 essential things your entire staff should know and should be doing.
Don’t let others use your professional computer
In many environments it’s the number one sin: allowing another person to use your work computer, especially unsupervised, whether it’s hot desking or a request by a regular colleague to “just send a quick email”. It might sound strange to some (why would you ever do that?) but not to others (he sits next to me every day, he’s trustworthy). The fact is that unauthorised physical access to your computer puts both you and your organisation at risk. There’s a reason why we all have our own account passwords. That’s not only to protect the company but to protect ourselves. If someone accesses corporate assets using your credentials, how do you prove it was not you?
If you think it’s unlikely that your colleagues would do something malicious, don’t forget that people can easily be persuaded to do things, either against their will or without realising what they are doing. And remember that it’s also easy to be fooled into trusting people who seem like they have the right to be there. They just have not been put to the test, like that fake health inspector who infiltrated a US prison. You don’t want to be the one named in a security audit as the weakest link, the one that allowed penetration testers to compromise your company’s network, do you?
Always log out when you’re not at your computer. If someone else does have a legitimate reason to use your tools, let them log in via their own account or a guest account – never yours – and supervise their use.
Don’t insert unknown USBs
Another tried-and-tested trick: the simple malicious USB device. It’s still a common trick that penetration testers and criminals use to open back doors or load malware onto a network. Your company should be using device control. If that’s not possible, employees should practise device control themselves. Any unknown removable media should either be given to IT for clearance first or plugged only into a separate air-gapped machine running a trusted anti-malware solution.
A recent thread on Reddit (now deleted) told the story of a school that confiscated a USB device found in a pupil’s school bag. Staff plugged it into a school computer to see what it contained. They found out the hard way that the USB contained malware after it infected the school’s network.
Don’t click on links or download attachments without checking them first
Phishing through links and attachments in emails is still, by far, the most common infection vector for ransomware, backdoor trojans, cryptominers and other forms of malware. Inspecting links and files before you click on them is like washing your hands to prevent the transmission of a coronavirus. Only, the advice is not just to do it ‘frequently’, but always.
To inspect a link
Hover over the link with your mouse to see whether it leads to where you expect it to go. Copy the link and paste it into your browser, rather than clicking it directly in your email client. It’s a useful habit to get into.
To inspect a file
Save the file locally and make sure the file extension is what you expect it to be. Your endpoint should also be protected by a reliable security solution that can recognise and block malicious files, both on write and on execution. If opening the file results in a request to enable macros, decline the request and contact your IT or security team.
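The two inspection habits above can be automated as a first-pass check. The following Python script is an added example, not code from the original article: it parses the anchors in a constructed HTML email body, flags links whose visible text names a different host than the real href target, and flags attachment names whose final extension is executable (including double extensions like invoice.pdf.exe). The sample email, hostnames and risky-extension list are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import os

# Constructed sample email body: one honest link, one deceptive link, one plain "Click here".
SAMPLE_HTML = (
    '<p>Your statement is ready at '
    '<a href="https://portal.example.com/statements">portal.example.com</a>.</p>'
    '<p>Verify your account: '
    '<a href="http://bank.example.com.evil.test/login">https://bank.example.com/login</a></p>'
    '<p><a href="https://www.example.com/help">Click here</a> for help.</p>'
)

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Lower-case hostname if the string looks like a URL or domain, else None."""
    value = value.strip()
    if " " in value or "." not in value:
        return None
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower() or None

def suspicious_links(html):
    """Links whose displayed host differs from where the href really points."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.anchors:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            flagged.append((text, href))
    return flagged

# Assumed list of extensions that execute code when opened; tune to your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}

def suspicious_attachment(filename):
    """True when the final extension is executable, e.g. 'invoice.pdf.exe' or 'report.pdf   .scr'."""
    return os.path.splitext(filename.strip().lower())[1] in RISKY_EXTENSIONS

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_HTML):
        print(f"mismatched link: shown '{text}' but goes to '{href}'")
    for name in ("report.pdf", "invoice.pdf.exe"):
        print(name, "->", "suspicious" if suspicious_attachment(name) else "ok")
```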
Don’t announce absence from the office externally
If external emails result in an automated reply that you’re out of the office till next week, on maternity leave or skiing in the Himalayas till Friday, you’ve just provided some valuable intel to scammers, spammers and pen testers alike. There’s no reason to tell the world that you’re unavailable: just your colleagues and boss. Work emails should be redirected to an alternative point of contact, who can deal with enquiries in your absence.
Don’t skip 2FA or reuse passwords
For criminals, passwords are a passport to gain access to your – and your company’s – most sensitive assets. Some organisations are starting to move away from relying on passwords. The day when they won’t be the main way to authenticate a person’s identity is still far away though. Credential theft is high on every attacker’s agenda, but there are simple steps that you can take to plug this hole for the vast majority of attacks. First, enable 2FA or MFA on all accounts that support it. Short-lived code generators like Google and Microsoft Authenticator should be in use wherever possible. On top of that, use a password manager to ensure that you are generating unique passwords for each account, to limit the damage of a breach. Sign up for a service like Firefox’s breach notification for all your email addresses if your password manager does not include a similar feature.
Don’t overshare on social media
Equally, sharing your personal and work life on social media is a great way to give criminals the free, open source intel they need. Maybe you have a social media profile that details where you work, contains tagged photos of family, friends and colleagues, and gives away your location on a frequently-updated timeline. You are providing threat actors with all they need to spoof your identity, a regular tactic in Business Email Compromise and targeted phishing attacks.
Don’t use open public Wi-Fi hotspots
While we all need internet service when on the move, you should use your phone’s service provider and tether your laptop to its personal hotspot when not at home or at the office. Public Wi-Fi is inherently insecure because it allows anyone that uses the same network to sniff your traffic. If, for some reason, you cannot avoid using an unprotected public Wi-Fi, ensure that you are using encrypted mail, messaging and browser tools. This way, you can limit what an attacker can learn from your network traffic. And never, ever conduct things like payment processing or banking while connected to a public Wi-Fi hotspot.
Don’t mix work and play
Company policy should mandate that your work devices are used for nothing apart from work tasks. If it doesn’t – or if you’ve ignored that policy – you should immediately separate all your work and your personal computing activities and data. This is not only for your company’s protection, but for yours too. Most companies will have a ‘no privacy’ policy for any data or activities on your work device.
Also, if your company network is breached by another device, you do not want your personal data being stolen as well. Similarly, if your company is breached as a result of you doing something non-work related on the computer, you will very likely be looking for a new job in no time and could even face legal consequences.
Don’t transfer company data to personal devices
Just as important as not conducting personal business on company-owned property is the inverse: using your personal devices to conduct company business. Never store sensitive (or, ideally, any) enterprise data on your personal device. It almost certainly lacks the same security, encryption and oversight as your workplace computer or smartphone. Your personal devices, for example, may contain insecure applications or device settings which could make your company’s data vulnerable to theft.
Don’t ignore software and OS updates
This should also be mandated by company policy. If your device isn’t managed centrally by IT, then you need to pay attention to notifications about software and operating system updates. Why is it so important to apply updates in a timely fashion? As soon as vendors release a patch, hackers and reverse engineers are on top of it, trying to figure out what the vulnerability in the previous version was and how to exploit it. Many breaches or incidents involving lateral movement through a network are the result of exploiting older, unpatched software.
Don’t be a stranger to IT!
Last, but not least, make sure you know who to contact in the event of any suspicious or malicious behaviour on your company device. Report it immediately if you become aware of it. Criminals rarely just break into a single device and then leave. They are always interested in persistence – the ability to come back at will – and lateral movement – the ability to move through your company’s network. So, getting IT involved at the earliest opportunity could prove vital to your organisation.
You are not a trained security analyst (and nobody expects you to be), so put aside the fear of ‘crying wolf’ just because you’re not sure. Your IT or security team would rather file a ‘nothing to see here’ report than be called in when the house is already on fire!
Enterprise security isn’t rocket science. The vast majority of breaches occur because one or more of the above practices have been ignored. Giving threat actors a hard day at the office doesn’t require a degree in cyber security. The awareness and execution of the basic principles will do. They should be applied whether you’re working remotely from home, in an open-plan cubicle space or in the corner office on the top floor.
Want to sleep soundly thanks to a security team you can count on? Already applying all of the above and want to take it one step further? Here is a link you can click on! We can assure you it’s completely safe.