Cultivating a Culture of Security Awareness

By Eric Aslaksen April 18, 2023

Cybersecurity starts with you.

In today’s threat landscape, cybersecurity is everybody’s responsibility. Each employee plays a critical role in supporting a security-aware culture, even if they aren’t directly interacting with clients. All it takes is one click on the wrong link, or access granted to one bad actor, for the floodgates to open.

Educating your team on security best practices, and on why they matter, is crucial. Establishing a security-aware company culture adds a further layer of defense on top of traditional technical controls.

Here are ten best practices that can help keep your business and your clients more secure.

1. Properly manage your passwords.

The average user has about 90 online accounts but typically uses only 10 to 15 distinct passwords across them. Reusing a password means that a breach of any one site exposes every other account that shares it: attackers replay leaked credentials against other services (credential stuffing), so the damage reaches well beyond the data in the breached account. Create a unique password for each account and use a password manager to generate and store them. Never write passwords down or share them, and change any password you learn has appeared in a breach.
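The practical check behind this advice is to look at what is already in your password manager. The following is an added example (not code from the original article or from ivision) that audits a constructed password-manager export in the common name,url,username,password CSV shape. It reports accounts that share an identical password and, going a step beyond the text, accounts whose passwords are trivial variations of one another (Summer2023! versus summer2024), since credential-stuffing tools try exactly those variations. The normalization rule and the sample rows are assumptions made for this example.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample: a tiny password-manager export. Every account,
# username and password below is made up for this example.
SAMPLE_EXPORT = """name,url,username,password
Work mail,https://mail.example.com,alice,Summer2023!
Payroll,https://payroll.example.com,alice,Summer2023!
Bank,https://bank.example.net,alice.w,Summer2024!
Forum,https://forum.example.org,alice_w,correct-horse-battery-staple
Shopping,https://shop.example.com,alice,summer2023
"""


def normalize(password):
    """Strip the edits people make when 'rotating' a password (letter case and a
    trailing run of digits or punctuation) so Summer2023! and summer2024 both
    reduce to 'summer'. This rule is an assumption of the example."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def fingerprint(password):
    """Short SHA-256 prefix so a report can name a group without echoing the password."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def audit_reuse(export_csv):
    """Return (exact, near): account names grouped by identical password, and
    account names grouped by the normalized base of their password.
    Only groups with more than one account are reported."""
    by_password, by_base = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        by_password[row["password"]].append(row["name"])
        by_base[normalize(row["password"])].append(row["name"])
    exact = {fingerprint(p): sorted(n) for p, n in by_password.items() if len(n) > 1}
    near = {base: sorted(n) for base, n in by_base.items() if len(n) > 1}
    return exact, near


if __name__ == "__main__":
    exact, near = audit_reuse(SAMPLE_EXPORT)
    for fp, accounts in exact.items():
        print(f"identical password ({fp}) on: {', '.join(accounts)}")
    for base, accounts in near.items():
        print(f"variants of one base password on: {', '.join(accounts)}")
```

Run against a real export, the "near" groups are usually the more uncomfortable finding: the accounts in them were never really rotated, and the export itself should be deleted as soon as the audit is done.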

2. Remove local admin rights from your daily user account.

Working on a computer with local administrator rights means the user has full control over the system, including the ability to install software, make system-level changes and access sensitive data. That control is convenient, but any malware that runs in the session inherits the same privileges, so a single bad click can install a persistent backdoor, disable security tooling or read every file on the machine. Analyses of Microsoft’s security bulletins have found that 85% of critical vulnerabilities are mitigated by removing admin rights, and that users who run as local admin are 2.7 times more likely to experience a malware infection than users running with standard rights. Keep a separate, rarely used admin account for the tasks that genuinely need it, and do everyday work (email, browsing, documents) from a standard account.

3. Enable multi-factor authentication.

Use multi-factor authentication on every application that supports it. A stolen or guessed password alone is then no longer enough to sign in, and an MFA prompt you did not initiate is itself a warning that someone has your password. The extra step of picking up your phone to approve a sign-in (or vice versa) may seem like a hassle, but the fallout from a breach is far, far worse. Two caveats: never approve a prompt for a sign-in you did not start, because attackers deliberately spam prompts hoping one gets accepted, and where a service offers phishing-resistant options such as a hardware security key or passkey, prefer those over SMS codes. MFA is not limited to work accounts; most social media platforms and personal services now offer it too.

4. Beware of phishing swindlers.

They’re real and active. Be wary of any message that asks for personal information, credentials or payment, or that urges you to click a link. Verify an email’s authenticity before you click. The easiest ways to assess a message are to consider its tone and context (unexpected urgency or threats), the sender information (does the display name match the actual address and domain?), the content itself, and every link and attachment (hover over a link to see where it really goes, and treat unexpected attachments as hostile). Grammatical errors and typos are a warning sign, but polished phishing is common, so their absence proves nothing.
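The checks listed above can be written down and run. The following is an added example (not code from the original article or from ivision) that parses a raw email with Python's standard library and flags the signals a reviewer would look for: a display name that claims a brand while the address comes from elsewhere, a Reply-To that diverges from the sender, urgency phrases, links whose visible text names the trusted domain while the href points at an IP address or an unrelated host, plain-http links, and risky attachment names. The two sample messages, the brand and domain names, the phrase list and the crude domain comparison are all constructed assumptions for this example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk",
                    ".docm", ".xlsm", ".zip")


class HtmlScanner(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host):
    """Crude 'registered domain' = last two labels. Fine for the demo, wrong for
    multi-part public suffixes such as co.uk (an assumption of this example)."""
    return ".".join((host or "").lower().split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def assess(raw, brand, trusted_domain):
    """Return a list of (category, detail) findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    brand, trusted_domain = brand.lower(), trusted_domain.lower()
    findings = []

    # Sender: a display name that invokes the brand from a domain that is not the brand's.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if brand in display.lower() and registrable(from_domain) != trusted_domain:
        findings.append(("sender-mismatch", f"'{display}' sent from {from_domain}"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(("reply-to-mismatch", reply_to))

    # Content: gather subject, body text, links and attachment names from every MIME part.
    text, links, attachments = [msg.get("Subject", "")], [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
            continue
        if part.get_content_type() == "text/html":
            scanner = HtmlScanner()
            scanner.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            text.extend(scanner.text)
            links.extend(scanner.links)
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))

    body = " ".join(text).lower()
    hits = [p for p in URGENCY_PHRASES if p in body]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # Links: where the href really goes versus what the visible text claims.
    for href, anchor in links:
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(("insecure-link", href))
        if is_ip(url.hostname):
            findings.append(("ip-link", href))
        claims_brand = trusted_domain in anchor.lower() or brand in anchor.lower()
        if claims_brand and registrable(url.hostname) != trusted_domain:
            findings.append(("link-text-mismatch", f"'{anchor}' -> {href}"))

    for name in attachments:
        lower = name.lower()
        if lower.endswith(RISKY_EXTENSIONS) or lower.count(".") > 1:
            findings.append(("risky-attachment", name))
    return findings


# Constructed sample phish; every name, address and domain is made up.
PHISH = """From: "Example Bank Security" <alerts@examp1e-bank-login.com>
To: alice@example.com
Reply-To: support@mail-relay.example.net
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Please
<a href="http://198.51.100.7/login">log in at example-bank.com</a> immediately.</p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

AAAA
--b1--
"""

# Constructed benign message from the same (made-up) bank for comparison.
LEGIT = """From: "Example Bank" <alerts@example-bank.com>
To: alice@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is available at <a href="https://www.example-bank.com/statements">example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw, "Example Bank", "example-bank.com") or "no findings")
```

None of these signals is conclusive on its own, and a well-crafted phish can pass all of them, which is why the article's advice to verify out of band (call the sender on a known number, open the site from a bookmark) still applies when the checker is quiet.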

5. Update software regularly.

Keep operating systems and applications current with the latest versions so that known vulnerabilities are patched. This goes for both work and personal devices. Software deprived of the bug fixes and security measures shipped with each update is left exposed to problems that are already public. Some updates fix specific vulnerabilities that attackers are already exploiting, so installing them promptly is crucial; enable automatic updates wherever you can.

6. Download with caution.

Only accept software and apps from trusted sources, such as the official app stores or the vendor’s own site. Mobile malware has become increasingly prominent over the years, typically gaining access to a device through the installation of an app or similar software. Once installed, it can reach whatever the device can: work email, collaboration apps, banking and investment accounts, and so on. All it takes is one impulsive download to put yourself, your team and your client base in a world of trouble.

7. Handle data securely.

Securely store or shred physical documents containing sensitive information. With many of us working from home or remote locations, this may not seem like much of a concern. In reality, though, the inconsistency of who is in the office on a given day, along with new faces not known to the wider team, puts unattended physical data at real risk. Always apply the practices and tools covered in your company’s data protection training.

8. If you see something, say something.

Immediately report any suspicious activity, including phishing attempts or unusual network activity, to the IT or security team. Even if it turns out to be a false alarm, your team (and the clients depending on you) would always rather be safe than sorry, and an early report lets the security team block a campaign before others click. Reports also serve as learning material for the wider team: real examples of what new phishing attempts look like and how to stay vigilant against them.

9. Follow need-to-know guidelines.

Practice the principle of least privilege: grant only the access a job requires, to only the data and systems that job needs. This may seem like common sense, but in an age of information overload it is common for users to have access to far more than their role needs, often because permissions accumulate as people change roles and are never revoked. Eliminating unnecessary access reduces risk passively but significantly, because a compromised account can only reach what that account was granted. Review access regularly, especially when people change roles or leave.

10. Get schooled on security every three months.

With security threats and trends changing so rapidly, regular refreshers on best practices and on new warning signs to look out for are essential. Companies should hold mandatory security training and awareness sessions at least quarterly to maintain a security-aware culture.

By collectively prioritizing security, your organization will be able to maintain stronger trust with your customer base, stakeholders and wider team. Employing these ten best practices is a helpful way to get there, but each organization may have additional or different needs to establish and maintain a culture of security awareness. ivision can help strengthen your cybersecurity posture even further through our security capabilities and offerings. Contact us to get started today!