Imagine having an important secret hidden behind a password. How safe is it? Well, it depends on the strength of the password.
Now, imagine giving this password to five people; how safe is it? You don’t know, right?
This is the dilemma that most entrepreneurs face when bringing in new people. Here’s the cybersecurity etiquette that these employees would follow in an ideal world to minimize these risks/fears.
Ensure employees understand fraud risks, such as chargeback fraud, and how to use detection tools effectively
Whether or not you have access to some of these high-end fraud detection tools is a decision on an executive level. However, it’s an employee’s job to use them and use them the right way.
The way these fraud detection tools work is fairly simple – they track user behavior patterns on the platform and analyze everything from the device used (has this user logged in from it before?) to their on-site behavior. No single signal sounds particularly reliable on its own, but combining modern AI-powered computing capabilities with a huge user sample to learn from makes the results impressive.
Employees must learn about how problematic fraud is
Also, while these tools work passively and automatically, the employee must still understand the subject. This is especially true for topics that touch the brand’s reputation. For instance, if you don’t understand what chargeback fraud (also referred to as friendly fraud) is, you won’t understand why you can’t simply go public with the allegation, even when the suspicion is justified.
No one expects that there’ll never be an account takeover attempt, but as long as it’s discovered in time, this shouldn’t be that big of a problem. This is why discovery time is one of the most important KPIs.
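To make the two ideas above concrete, here is an added example (not code from the original post, and not how any particular fraud detection product works) of the kind of rule-based login review such tools automate: each login is judged against the user’s own history (known devices, known countries, travel plausibility, sensitive actions from a device the user has only just started using), and every alert records the gap between the first suspicious event and the moment the rules fired, which is the “discovery time” KPI the text mentions. The login events, rules and weights are all constructed for illustration.

```python
"""Added example: rule-based account-takeover review with a discovery-time KPI.
Events, rules and weights are constructed for illustration only."""
from datetime import datetime, timedelta

SENSITIVE_ACTIONS = {"change_password", "change_email", "add_payout_account"}
RECENT_DEVICE_WINDOW = timedelta(hours=24)   # a device this new is not yet trusted
TRAVEL_WINDOW = timedelta(hours=2)           # two countries inside this window is implausible
ALERT_THRESHOLD = 2                          # summed weight that raises an alert

# Constructed login stream: (user, timestamp, device id, country, first action).
LOGINS = [
    ("alice", datetime(2024, 1, 10, 9, 0), "d1", "DE", "browse"),
    ("alice", datetime(2024, 1, 11, 9, 5), "d1", "DE", "browse"),
    ("alice", datetime(2024, 1, 12, 3, 0), "d9", "DE", "browse"),        # unknown device
    ("alice", datetime(2024, 1, 12, 3, 4), "d9", "DE", "change_email"),  # then a sensitive change
    ("bob", datetime(2024, 1, 12, 10, 0), "d2", "US", "browse"),
    ("bob", datetime(2024, 1, 12, 10, 30), "d2", "FR", "browse"),        # US -> FR in 30 minutes
]


def score_login(history, device_first_seen, ts, device, country, action):
    """Weighted reasons for one login, judged only against that user's prior logins."""
    reasons = []
    if device not in device_first_seen:
        reasons.append(("new device", 1))
    if country not in {h["country"] for h in history}:
        reasons.append(("new country", 1))
    last = history[-1]
    if last["country"] != country and ts - last["ts"] < TRAVEL_WINDOW:
        reasons.append(("implausible travel", 2))
    recently_added = (device not in device_first_seen
                      or ts - device_first_seen[device] < RECENT_DEVICE_WINDOW)
    if action in SENSITIVE_ACTIONS and recently_added:
        reasons.append(("sensitive action from recently added device", 2))
    return reasons


def review_logins(events):
    """Replay a login stream in time order; return the alerts the rules would raise."""
    histories, first_seen, suspicious_since, alerts = {}, {}, {}, []
    for user, ts, device, country, action in sorted(events, key=lambda e: e[1]):
        hist = histories.setdefault(user, [])
        seen = first_seen.setdefault(user, {})
        if hist:  # the very first login is the baseline; nothing to compare against
            reasons = score_login(hist, seen, ts, device, country, action)
            score = sum(weight for _, weight in reasons)
            if score > 0:
                suspicious_since.setdefault(user, ts)  # start of this suspicious run
            else:
                suspicious_since.pop(user, None)       # clean login resets the run
            if score >= ALERT_THRESHOLD:
                alerts.append({
                    "user": user, "ts": ts, "score": score,
                    "reasons": [r for r, _ in reasons],
                    # discovery time: from the first suspicious login to this alert
                    "discovery_time": ts - suspicious_since[user],
                })
        hist.append({"ts": ts, "device": device, "country": country})
        seen.setdefault(device, ts)
    return alerts


if __name__ == "__main__":
    for alert in review_logins(LOGINS):
        print(alert["user"], alert["ts"], alert["score"], alert["reasons"],
              "discovered after", alert["discovery_time"])
```

Alice’s unknown device alone does not cross the threshold, so the alert only fires four minutes later when that device changes her email; that four-minute lag is exactly what the discovery-time KPI measures. Bob’s login is flagged immediately because two signals coincide.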
It’s also worth mentioning that these tools are not cheap, which is why you, as an employee, should at least respect the fact that your employer has provided them.
It’s time to tighten up your password policy
Some platforms have rules about passwords. They ask you to enter a password and won’t allow you to proceed if your password is shorter than eight characters or doesn’t have at least one capital letter, one number, and one symbol. In other words, this is the platform trying to protect you from laziness or (even worse) disinterest in your own cybersecurity.
However, when making a business profile, this is not your problem; it’s your employer’s problem.
The weakest passwords are those that are easy to figure out. For instance, passwords with personal relevance (your kid’s birthday, mother’s maiden name, pet’s name, etc.) are too easy to guess. Passwords like “Password1”, a logical sequence like “123456”, or a keyboard sequence like “qwerty” are also incredibly weak.
Don’t rely on the rules. Just because a platform allows you to pick a weak password doesn’t mean you should do it.
If you worry about not being able to memorize all these unique/randomized passwords, you can always try to use a password manager. This will also make it easy to change your passwords every 60-90 days without causing too much of a problem.
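The weak patterns described above (personal information, “Password1”, number and keyboard sequences) are easy to check for automatically, and a password manager’s output is easy to generate. The following is an added example, not code from the original post or from any real platform’s policy: the blocklist and the personal-information tokens are constructed samples, and the 12-character minimum and three-class rule are assumptions chosen for the example.

```python
"""Added example: a password check that flags the weak patterns the text
describes, plus a generator for the kind of random password a manager makes.
Blocklist, thresholds and personal tokens are constructed for illustration."""
import secrets
import string
from random import SystemRandom

MIN_LENGTH = 12
# Constructed blocklist; real deployments use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty",
                    "letmein", "welcome", "admin"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw, personal_tokens=()):
    """Return the policy findings for pw; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        findings.append("uses fewer than three character classes")
    low = pw.lower()
    # "Password1" and "Password1!" are still just "password" with decoration.
    core = low.strip(string.digits + string.punctuation)
    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if has_keyboard_run(pw):
        findings.append("contains a keyboard or number sequence")
    # Personal tokens (pet name, birth year, ...) the user or HR system supplied.
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in low:
            findings.append(f"contains personal information: {token}")
    return findings


def generate_password(length=20):
    """Random password with every character class present, as a manager would produce."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]          # one of each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    SystemRandom().shuffle(chars)                              # CSPRNG-backed shuffle
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ["Password1", "123456", "Fluffy1985!", "c0rrect-Horse-batt3ry-Staple"]:
        print(candidate, "->", check_password(candidate, personal_tokens=("Fluffy", "1985")) or "ok")
    print("generated:", generate_password())
```

The check deliberately strips trailing digits and symbols before consulting the blocklist, because “Password1!” satisfies the usual complexity rule while being no harder to guess than “password”.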
Phishing is a big threat; employees must learn about the signs to watch out for
Phishing is a special type of cyberattack where clicking on the wrong link may cause a massive security breach, data loss, or malware infection. The way it works is simple – you get an email from a source that looks authentic, and clicking a link in it takes you to a fake site that also looks authentic. Sometimes, it’s a site that looks like a platform you’ve visited and used many times before.
Recent statistics suggest that about 83% of all companies experience some sort of phishing attack yearly. The situation is getting worse by the minute since there’s about a 345% increase in unique phishing sites between 2020 and 2021 alone. In other words, it’s something that every company (and every employee who works long enough) will encounter.
Many employers spend hours upon hours on lessons on how to spot phishing. The problem is the attitude of many employees who see this as just a part of their mandatory training. This means that they “endure” through the lesson, even learning a thing or two for the test, but don’t apply it in practice.
Ignoring all this training and effort by your employer is not just reckless; it’s also wasteful and disrespectful.
Email etiquette is a huge part of cybersecurity etiquette
How an employee handles emails, in most cases, determines their overall effectiveness in cybersecurity. We’ve already covered the first step toward more responsible email behavior in the part about phishing. The bottom line is – be more cautious about the links and attachments you receive, especially if they’re unsolicited or from unknown sources.
Think twice before you click on a link or open an attachment
Sometimes, simply hovering your cursor over a link may save you. This previews the URL, and some scammers don’t even go through the effort of shortening the URL before sending it. In some scenarios, this will help you see that the link target doesn’t match its description.
Attention to detail is paramount
Check the spelling of the URL carefully. Sometimes a single letter is deliberately different because it is not the same site, yet the difference will easily fool someone who isn’t paying attention.
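The two checks just described, comparing what a link says with where it actually goes and looking for a deliberately altered letter, can be automated as a first-pass filter on incoming mail. Here is an added example that is not code from the original post: it pulls the anchors out of an HTML email, compares the domain shown in the link text with the domain in the `href`, and flags target domains that differ from a known domain by one character or by a digit-for-letter substitution. The sample email, the allowlist of known domains and the substitution table are constructed for the example; the one-edit and digit-substitution heuristics are assumptions that will miss more elaborate lookalikes (e.g. `paypal-secure.example`), so they complement rather than replace the human check.

```python
"""Added example: link checks a reader would do by hand, automated.
Sample email, allowlist and homoglyph table are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}   # constructed allowlist
# Digit/symbol for letter swaps commonly seen in lookalike names (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed sample: the first link shows one domain but points at a lookalike.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://www.paypa1.com/login">www.paypal.com</a>
<p>Or read our <a href="https://www.paypal.com/help">Help center</a>.</p>"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Last two labels of a host name (good enough for the constructed allowlist)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Known domain this host imitates, or None if it is known or unrelated."""
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if reg.translate(HOMOGLYPHS) == known or edit_distance(reg, known) == 1:
            return known
    return None


def assess_link(href, text):
    """Findings for one anchor: text/target mismatch, lookalike target, no TLS."""
    findings = []
    target = urlparse(href if "://" in href else "http://" + href)
    host = (target.hostname or "").lower()
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(0)) != registrable(host):
        findings.append(f"text shows {shown.group(0)} but link goes to {host}")
    look = lookalike_of(host)
    if look:
        findings.append(f"{host} looks like {look}")
    if target.scheme != "https":
        findings.append("link is not https")
    return findings


def scan_email(html):
    """Map each href in the email to its list of findings (empty list = clean)."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```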
Sometimes one security measure simply isn’t enough
Lastly, the integrity of the email account makes all the difference. You want MFA (multi-factor authentication), a strong password, and to avoid logging in from unknown devices and public networks.
Being mindful while on social media or simply leaving things around your work desk
Using personal information as a work-related password is both dangerous and incredibly reckless. If you want to use a weak password for your personal email and Facebook account, that’s your right (it’s on you). However, you must respect your employer’s data more than that. We’ve already addressed this matter, but it’s just one of the ways your social media profile may put your employer in a problematic scenario.
People use social media to post photos from work, but what if your coworker’s monitor is inside the frame? What if, with just a slight zoom, the file that they’re working on is legible? What if they have a table with confidential information displayed at that moment?
If you have to write down a password on paper, don’t leave it lying around. Someone could come by your desk (even someone from outside the company) and take a glance at that piece of paper. With this simple action, you’ve put everyone at risk.
Physical security, in general, is quite important, and it’s not just the business owner’s responsibility. The employees should look after the data that are entrusted to them. For instance, one of the most convincing arguments for digitalization is that 7.5% of physical documents get lost. Now, the term “get lost” is a euphemism. Someone lost all of these files, and most of the time, this is caused by negligence. Speaking of negligence…
Policies are in place for a reason, please respect them
Most of the time, it’s the negligence and not the lack of security policies that causes the problem.
To give you an analogy, just think about the construction site – everyone knows they’re supposed to wear a hard hat for safety, yet some people still don’t. Here, it’s not about the lack of awareness; everyone knows why they must wear a hard hat and the consequences of something falling on top of their head from the scaffold. It’s just that people are reckless in their overconfidence. It’s an employer’s job to enforce these rules (and incur penalties).
This is especially important when it comes to the BYOD policy. For convenience (and performance), some employers allow their staff to bring their own devices to work. This is a security risk that only a massive investment in education and strong policy enforcement can fix.
That’s right, enforcement, not just policy!
The reason why this is such a big problem is the fact that some employers are so obsessed with staff turnover that they believe that they can placate their staff into staying. It doesn’t work like that. Other factors affect staff turnover, and being “too soft” will not make them stay. It will just make them slack and further compromise your security.
Even without aggressive enforcement, an employee should respect these policies.
The way you handle data matters
The seriousness with which you approach the situation should be proportionate to the importance of the data you’re handling. You need to understand different levels of data classification and figure out your own organization’s classification policy and data security processes.
Next, you need to minimize data collection. No matter how counterintuitive this sounds, everything you store is something you can lose. So, keeping only the most necessary data makes the worst-case scenario a bit less horrible.
Most importantly, you should rely on tested methods like data encryption. Sensitive data should be encrypted in storage and transit, which shouldn’t be too hard to accomplish if you follow all the policies.
Lastly, sometimes, data exists in both digital and physical formats. Sometimes, physical format can endanger your cybersecurity. In other words, shredding physical data can be a method of cybersecurity.
One weak link is enough to compromise an entire chain
Everyone needs to pick up their end of the couch. The only way for your company’s security to remain tight is to ensure there are no weak spots. Despite the best efforts from the management, sometimes you just need to trust your team and hope they abide by this cybersecurity etiquette, or consider partnering with a managed service provider such as Milnsbridge to strengthen your cybersecurity measures.