All IT directors and managers wish that the rest of their company were as knowledgeable about security breaches and prevention best practices as they are. Too often your coworkers and even the C-suite have to ask you, “Why is information security important?” As grating as that is to hear, it is also an opportunity to educate the decision-makers about data security and data loss prevention. You can only do so much on your end, such as setting up two-factor authentication through Active Directory integration.
Non-IT personnel rarely want to sift through tech jargon to learn best practices, so we made a primer on cybersecurity basics that you can send them, with tips your end users can actually carry out. You can send it to HR to include in their onboarding packet or distribute it to staff yourself.
Cybersecurity Essential Concepts
Protecting company data begins with the direct access points to that data. It is the last line of defense in a way, but it is the easiest to implement across the whole organization and the hardest for the average malicious actor to crack. Password hygiene means maintaining the login credentials for all of your portals and data sets in a knowledgeable and thoughtful manner.
When creating a new password, avoid publicly accessible information about yourself or your company, such as the address, staff names, or your kids’ names. You want memorable passwords that come from personal keywords and are preferably phrases rather than names or even titles, for example an idiom an old relative used to say, or a true statement about your home life. Avoid using the same password across multiple platforms. If you don’t have an immediately available tool for securing your login information, consider a password manager or ask your IT department about two-factor authentication.
“Least privilege” is foundational to good security. The concept is that you should only ever give anyone in or outside of the organization the bare minimum information and access that they need to do their job. It may seem harmless to give a door-to-door salesperson the wi-fi password while they wait or let a big client have the run of your offices. However, it is always safer to reject these requests as a rule and ask knowledgeable personnel about anything of which you are unsure. Ultimately, caution is the watchword.
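To make the password advice above concrete, here is a small checker added for this primer (it is not code from the original article or from Computhink). It rejects a candidate password that is too short, that contains publicly known facts about the person or company even after common letter-for-symbol substitutions, or that has already been used on another service. The list of public terms and the 14-character minimum are constructed assumptions for the example; an IT team would populate the list from whatever is actually public about the organization.

```python
# Password hygiene checker (added example, not from the original article).
# Assumptions: a 14-character minimum and a constructed list of facts that are
# publicly known about a fictional company ("Acme", 123 Main St, Springfield)
# and its staff (Jordan, Taylor).
PUBLIC_TERMS = ["acme", "123 main", "springfield", "jordan", "taylor"]
MIN_LENGTH = 14

# Common substitutions people use to "disguise" a word; undoing them lets
# "Acm3@Spr1ngfield" still match "acme" and "springfield".
_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s",
})


def normalize(text):
    """Lowercase the text and reverse common leetspeak substitutions."""
    return text.lower().translate(_SUBSTITUTIONS)


def check_password(candidate, public_terms=PUBLIC_TERMS, already_used=()):
    """Return a list of problems with the candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    normalized = normalize(candidate)
    for term in public_terms:
        if normalize(term) in normalized:
            problems.append(f"contains public term '{term}'")
    if candidate in already_used:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # A "clever" variation on public facts still fails; a private passphrase passes.
    for pw in ["Acm3@Springfield2024", "grandpa said measure twice cut once"]:
        print(repr(pw), "->", check_password(pw) or "ok")
```

The substitution table is deliberately small; the point is that disguising a word that is already public does not make it secret, while a multi-word phrase drawn from private memory passes every check without needing any symbols at all.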
What is a Phishing Attack or Phishing Scam?
A phishing attack consists of sending fraudulent emails, texts, or calls to a mass of users in an attempt to gain confidential information and/or access to assets. Like fishing in real life, these attacks usually reach a wide pool of targets in the hope of catching just one or a handful of careless recipients. Phishing usually involves some level of social engineering: believable correspondence designed to manipulate the target over time. Sometimes, however, a phishing attack consists of a single call or email, and your response gives the attacker all that they need for their plan to breach security.
The attacker wants you to open an attachment which is actually malware, fill out a form with key login information, or give them access to your computer through a remote session. They may pose as a support technician, a vendor you currently utilize, or even a coworker or family member. They may have the ability to “spoof” a familiar phone number, email address, or WhatsApp account. Phishing is the most common form of cyber crime, and it is vital that you learn to recognize a phishing attempt and learn how to react appropriately.
Other Types of Phishing Attacks
There are dozens of sub-types of phishing methods. General phishing usually casts a wide net in the hope that spoofing a popular vendor to a large audience will always yield something.
A spear phishing attack targets a single person, usually by posing as someone else from their organization. Like a planned heist, this is a highly specialized and focused phishing scam. It usually requires months of research and some upfront information gathering, such as a copy of the company contact directory, access to key users’ social media profiles, or seemingly innocuous calls to update company profile information on marketplace websites. “Whaling” is another form of spear phishing: the attackers target a top executive in the hope of accessing the most highly privileged information in the company.
“Man-in-the-middle” attacks are more technical than just sending a bogus email, but the concept is similar to a parcel carrier clandestinely reading your mail, or even replacing your mail with false documents. The attacker has found a way to either access your email account or intercept your communication with a specific party, such as a financial services application. Keeping SSL/TLS certificates valid and up to date helps prevent this kind of breach, since SSL/TLS communication is encrypted in transit. This is something the IT administrator can handle for the whole organization.
Email Security Best Practices to Protect Critical Documentation
As an end user, there is a lot you can do to safeguard data.
- When you receive an email, even from a familiar source, do not just read the sender’s name. Also read the sender’s email address and ensure that it fits the standard format your/their company uses. If not, consider forwarding this email to IT with a subject line informing them that it may be fraudulent. They can take next steps, such as blocking that domain in the email server or properly informing the rest of the staff.
- Avoid opening an email attachment unless you specifically requested it or have been informed separately that it was being sent to you. Treat links the same way.
- In general, you should always seek secondary confirmation for any attachment, link, information request, or email from a new source. This even applies to joining a new network with a BYOD computer or phone. For example, when you visit a café on your lunch break, instead of connecting to the first wi-fi network that pops up, first ask the café staff which network you should connect to. Verifying first makes a hacker’s job harder.
- Keep an eye out for bogus Office 365 password reset or login credential update requests. Microsoft Office is one of the most commonly impersonated brands, but other SaaS apps may be chosen as well. This is when minding the sender’s email address comes in handy. You should similarly check the link they provide in the email without clicking on it: hover over it or inspect it, and if it does not lead to the official website for that organization, be wary. Additionally, it is helpful to remember that you cannot keep an existing or previous password in Office 365 when making a change, so an offer to do so is fraudulent.
- Keep a list of the services to which you are subscribed with work-related information or for business purposes. If you haven’t used an account in a long time and do not see yourself accessing it soon, consider closing the account. Every unnecessary login is a potential access point for hackers.
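The first and fourth tips above (read the sender’s actual address, and check where a link really goes) are easy to automate for the mailbox or the help desk. The following triage script is an added example written for this primer, not code from the article or from Computhink. It parses a raw message with Python’s standard `email` module and reports three red flags: a sender domain that merely resembles a known domain (a lookalike such as a hyphenated or misspelled variant), a Reply-To address on a different domain from the sender, and links whose host is not one of the official domains. The organization domain `example.com`, the list of official service domains, and the two sample messages are all constructed for the example.

```python
# Email triage helper (added example, not from the original article).
# Assumptions: the organisation's own domain is example.com, and staff log in to
# services whose official domains are listed in OFFICIAL_DOMAINS.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = ("example.com", "microsoft.com", "office.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, domain):
    """True for the domain itself or any subdomain of it (login.microsoft.com)."""
    return host == domain or host.endswith("." + domain)


def domain_of(address):
    """Lowercased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message):
    """Return human-readable findings for one message; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []

    # Tip 1: read the address, not just the display name.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if not sender_domain:
        findings.append("From header is missing or malformed")
    for official in OFFICIAL_DOMAINS:
        label = official.split(".")[0]
        if label in sender_domain and not host_matches(sender_domain, official):
            findings.append(
                f"sender domain '{sender_domain}' imitates {official} "
                f"(display name '{display_name}')")

    # A Reply-To on another domain means answers go somewhere other than the sender.
    reply_to_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to_domain and reply_to_domain != sender_domain:
        findings.append(
            f"Reply-To domain '{reply_to_domain}' differs from sender domain '{sender_domain}'")

    # Tip 4: look at where each link actually goes, without clicking it.
    if msg.is_multipart():
        body = "".join(part.get_payload() for part in msg.walk()
                       if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host_matches(host, official) for official in OFFICIAL_DOMAINS):
            findings.append(f"link points to unrecognised host '{host}': {url}")
    return findings


# Constructed sample messages: one impersonating a Microsoft 365 reset, one legitimate.
PHISH = """From: Microsoft 365 Support <alerts@microsoft-support.co>
Reply-To: helpdesk@mail-recovery.net
To: jordan@example.com
Subject: Your password expires today

Click https://login.microsoft-support.co/reset?u=jordan to keep your current password.
"""

LEGIT = """From: Taylor <taylor@example.com>
To: jordan@example.com
Subject: Q3 deck

Draft is at https://docs.example.com/q3-deck
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, "->", triage(raw) or "no red flags")
```

The lookalike test is intentionally crude (it asks whether the brand’s name appears inside a domain that is not actually that brand’s), which is exactly the check a person does by eye; the script simply does it consistently for every message, and the Reply-To comparison catches the case where the sender address looks fine but replies are quietly routed elsewhere.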
What else can an IT administrator do?
Your employees now have the documentation they need to become more security conscious. There is always more that the IT department can do to prevent accidental document deletion, data loss, and security breaches. A document management application for your organization goes a long way toward shoring up defenses. With encryption for files in transit and at rest, access permission management, and secure file sharing, you can gain control over more of your company’s technology.
About the Author:
With over ten years of experience working with computer hardware, Keenan Cobler is Computhink’s expert Technical Support Engineer. He is passionate about digital security and has a bone to pick with you about your own IT team’s cybersecurity practices.