October is National Cyber Security Awareness Month (NCSAM) and we want to share with you the Top 10 Things Every Employee Should Know About Network Security. Check out the list below and don't forget to contact us if you have questions.
1. Never divulge your password – to anyone. Nobody else needs to know your password, not even system administrators. If they need to log in as you to reproduce a problem, they can change your password temporarily and you can reset it later. Administrators should never ask users for their passwords or keep lists of end-user passwords. Sharing a password also undermines the audit trail: once more than one person knows it, actions taken under that account can no longer be tied to a single individual should an investigation be needed down the line.
2. Lock your screen when you are away from your PC. When you step away from your desk, make sure someone cannot sit down and access the corporate network as you. That person could do something as silly as sending a nasty email to the company president or something as devious as stealing confidential information. Locking your workstation only takes a second. On Windows 10, the keyboard shortcut is the Windows key plus the letter "L".
3. Scrutinize the email addresses of senders. “Spear phishing” email scams are real. These are targeted attempts to dupe specific individuals into carrying out a transaction by exploiting familiarity. The email appears to be from someone you know, or claims to know you through a common acquaintance. These can be very convincing, but there are often clues that it is a scam. Does the email come from a domain that matches the sender’s organization? Is the domain spelled correctly?
4. Do not open emails from people you do not know. We all get emails from people we don’t know every day so this one is a bit difficult. However, if you set up your email client to preview the first couple of lines of the email you can usually get a sense as to whether it is a legitimate communication.
5. Be careful clicking on hyperlinks embedded in emails. Another trap in the “spear phishing” scam is to trick the user into clicking a link that leads to a malicious website, one that installs viruses or malware, or that impersonates a legitimate website and asks the user to enter personal information. The link text in the email may say Bank of America; however, when you hover your mouse over the link it may show www (dot) reallybadsite (dot) com.
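The two clues described in items 3 and 5 (a sender domain that does not match the claimed organization, and link text that shows one site while the underlying href points to another) can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed sample message (the addresses, domains and link targets are made up for illustration) with Python's standard library and reports both kinds of mismatch. The `registrable_domain` helper is a deliberate simplification that takes the last two labels of a hostname rather than consulting a public-suffix list.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). The display name claims one
# organization, the actual address uses a lookalike domain, and the first link's
# visible text names a bank while its href points somewhere else entirely.
RAW_EMAIL = b"""From: "Bank of America Alerts" <alerts@bankofamerica-secure.example>
To: employee@corp.example
Subject: Action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your account at
<a href="http://www.reallybadsite.example/login">www.bankofamerica.com</a></p>
<p>Help: <a href="https://www.bankofamerica.com/help">bankofamerica.com</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude approximation: last two labels of the hostname (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_from_text(text):
    """If the visible link text looks like a URL or hostname, return its host; else None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


def check_message(raw, expected_sender_domains):
    """Return a list of human-readable findings for the two phishing clues."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Clue 1: does the real sender domain belong to the organization it claims?
    _, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) not in expected_sender_domains:
        findings.append(f"sender domain {sender_domain!r} does not match the expected organization")

    # Clue 2: does each link's visible text agree with where the href actually goes?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown = host_from_text(text)
            actual = urlparse(href).hostname or ""
            if shown and registrable_domain(shown) != registrable_domain(actual):
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings


if __name__ == "__main__":
    for finding in check_message(RAW_EMAIL, {"bankofamerica.com"}):
        print("WARNING:", finding)
```

Run against the sample, the checker flags the lookalike sender domain and the first link (text says bankofamerica.com, href goes to reallybadsite.example) while leaving the second link alone, because its text and target share a registrable domain. The same "does the text agree with the target" comparison is what hovering over a link does by eye.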
6. Use a PIN to access your smartphone or tablet. Smartphones and tablets are very portable and convenient. They also contain a lot of sensitive data. Many smartphone apps store your credentials so you don’t have to enter them each time you launch the app. Make sure that convenience is not extended to others who may get hold of your phone.
7. Never leave your laptop, smartphone, or tablet unattended in a public space. This best practice is pretty obvious but leaving devices unattended does occur. Encourage your employees to keep track of their work devices. You may also consider best practices for storing laptops when not in use.
8. Report the loss of a laptop, smartphone, or tablet immediately. Depending on the industry and the type of data stored on the device, the loss or theft of a device can have serious consequences for the organization. There are reporting guidelines for such instances. Mobile devices should also be encrypted so that the data can’t be retrieved by unauthorized persons. Likewise, IT departments should have the ability to remotely wipe personal devices that are connected to the corporate network. The sooner the risk is mitigated, the better.
9. Be wary of public wifi. Typically, public wifi is exactly that — public. Information sent over the airwaves can be seen by others. Avoid sending confidential information (credit card info, corporate email, Social Security numbers, etc...) over public wifi unless you know you have a secure, encrypted link.
10. Report any security incident (email scam, suspicious behavior, etc...) to your IT administrator immediately. Even if you think you have made a mistake and violated one of the rules above, report it to your administrator rather than ignoring it or hoping it goes away. The entire organization should be made aware of any active scams.