In a recent survey of UK workers, over half the employees who participated across 1,000 organizations admitted that they open suspicious email attachments. More than 80% also said they open strange attachments if the sender appears to be someone they know, and “one in five said the business they work for has no policy on how to handle email attachments, or they have not been made aware of it.”
Organizations that operate without a clear-cut security awareness plan (for email, file transfers, or even internet use) open themselves up to huge security risks. These risks are easily preventable with a bit of training and forethought, but sadly they are often overlooked.
If this sounds like your workplace, never fear. Even without a policy to follow, there are ways you can implement security practices in your current role and workspace to protect yourself, your information, and your company’s data from prying eyes and malicious scams.
Here are 10 easy ways to promote security in your role, without needing permission to do so.
1. Never download unapproved software
That free screen capture application or photo editing software may seem tempting, but don’t download it without approval from your IT department. Free software is rife with malicious code, which can introduce malware, ransomware, and other threats to your computer and company network.
If you aren’t sure whether the software is safe to download, contact IT. And when you’re on your personal computer, check trusted online resources, such as forums or software review websites, for information on the application you want. Most times, if it’s not safe, you can find an alternative application that is.
2. Send files (in and out of network) securely
If you need to send a file to someone inside or outside your network, always make sure to send it securely. Use a managed file transfer solution to protect sensitive company data. And instead of using FTP, email, or other unsecured methods to transfer files, use a secure protocol like SFTP for the transfer itself, or encrypt the file with OpenPGP before it leaves your hands.
3. Don’t send sensitive information in emails or online messages
Email and online messaging are incredibly fast and convenient methods of sending information to someone, but they’re not secure. A single spear phishing email or instant message containing a bad link can give hackers access to the information on your computer. And if you send sensitive information through messages and your workspace is compromised, you’re doing the work for them. Hackers won’t have to go far to retrieve your private data.
It’s important to also remember that emails and online messages can be forwarded with just a click of the mouse or intercepted during transmission. Once that username/password combination, credit card number, or completed W-2 form is out of your hands, renegade employees can forward the information just about anywhere. So instead of transmitting data across the network, cut out the middleman. Identify situations where you can deliver the information directly, whether by a phone call or in person. Can’t do that? Send the data via an encrypted folder-to-folder transfer or through a secure form with a link and password.
4. Follow security best practices for application passwords
Changing your password every 60-180 days is a standard industry procedure. Even if it gets annoying, following this simple practice can limit the access hackers might already have (for those who come in and quietly monitor business processes without making any sudden moves) by cutting them off after a specific amount of time.
However, when employees do change their passwords, they often riff off their original password, for example by adding an extra number or switching out the capital letters. In fact, 19% of work professionals use a weak password to protect their data, according to a recent report. And unfortunately, people also use the same password across multiple websites, which is a huge security risk. If hackers access one account, they can access them all.
With all the data breaches happening today, it’s important that you create strong passwords, use a different one for each account, and change them every so often, at work and at home. Your personal data is just as important as company data—and remember, anyone can have their information stolen.
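The "riff off the old password" problem above is one a password-change form can catch mechanically. The following is an added example, not code from the original post: it normalizes the old and new passwords (lowercase, with leading and trailing digits and symbols stripped, since those are the commonest tweaks) and rejects the new one if it is the same, contains the other, or is within a small edit distance. The minimum length and edit-distance thresholds are assumed example values, not any organization's policy.

```python
"""Reject a new password that is merely a variation on the old one.

Added illustration, not from the original post. MIN_LENGTH and
MAX_EDIT_DISTANCE are assumed example values, not a real policy.
"""
import re

MIN_LENGTH = 12          # assumed policy value
MAX_EDIT_DISTANCE = 2    # assumed: old/new differing by <= 2 edits is "too similar"


def _normalize(pw: str) -> str:
    """Lowercase and strip leading/trailing digits and punctuation.

    'Summer2023!' and 'SUMMER2024!!' both become 'summer'. If stripping
    would leave nothing (an all-digit password), keep the lowercased whole.
    """
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return stripped or pw.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str) -> bool:
    """True when the new password is a case change, appended digit/symbol,
    substring extension, or a couple of character edits away from the old."""
    o, n = _normalize(old), _normalize(new)
    if o == n or o in n or n in o:
        return True
    return edit_distance(o, n) <= MAX_EDIT_DISTANCE


def check_new_password(old: str, new: str) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty list = accept)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new == old:
        problems.append("identical to the old password")
    elif is_trivial_variation(old, new):
        problems.append("too similar to the old password (case change, added digit, or minor edit)")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'ok'}")
```

Run against a real change request, the function would be called server-side with the plaintext of both passwords at the moment of the change; the old password is never stored for this purpose, only compared while it is already in hand.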
5. Clarify sender intentions if you receive a questionable email or attachment
In general, it’s a good practice to approach your inbox with a critical eye. Be wary of every attachment you don’t recognize or didn’t anticipate, even from senders you trust, and follow up in person, over the phone, or in a separate email thread if you aren’t sure about the contents.
This may add extra time to your day, but it’s worth your thought and attention. Phishing and spear phishing emails are one of the top ways hackers gain access to company accounts. To learn more about phishing attacks, check out our recent blog post: 7 Ways to Protect against Corporate Spear Phishing.
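Most of the "critical eye" advice above can be turned into a short pre-check that tells you which messages deserve the follow-up call. The script below is an added example, not code from the original post; the sample message, the `KNOWN_CONTACTS` address book and the `RISKY_EXTENSIONS` list are constructed for illustration. It parses a raw message with Python's standard `email` module and reports three things the post warns about: a familiar display name arriving from an address that contact does not normally use, a Reply-To that points somewhere other than the sender, and attachments with executable, macro-enabled or doubled extensions.

```python
"""Flag the signs that an unexpected email attachment deserves a follow-up
call before it is opened. Added example, not from the original post; the
sample messages and the address book are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Assumed address book: the addresses you normally see a given contact use.
KNOWN_CONTACTS = {"Dana Lee": {"dana.lee@example.com"}}

# Assumed list of extensions worth a phone call before opening.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


def attachment_flags(filename: str) -> list[str]:
    """Return warnings for a single attachment file name."""
    flags = []
    parts = filename.lower().split(".")
    if len(parts) > 2:                      # e.g. "invoice.pdf.exe"
        flags.append(f"double extension: {filename}")
    if "." + parts[-1] in RISKY_EXTENSIONS:
        flags.append(f"executable or macro-enabled attachment: {filename}")
    return flags


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return a list of findings (empty = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name you recognise, but from an address that person never uses.
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(name)
    if known is not None and addr.lower() not in known:
        findings.append(f"display name '{name}' usually sends from {sorted(known)}, not {addr}")

    # 2. Replies would go to a third party rather than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To ({reply_to}) differs from From ({addr})")

    # 3. Attachments with risky or doubled extensions.
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            findings.extend(attachment_flags(filename))
    return findings


# Constructed sample: a familiar name, an unfamiliar domain, a third-party
# Reply-To and a doubled extension on the attachment.
SUSPICIOUS_SAMPLE = b"""From: Dana Lee <dana.lee@examp1e-mail.test>
Reply-To: billing@pay-now.test
To: you@example.com
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see attached.
--XX
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--XX--
"""

# Constructed sample of an ordinary message from the same contact.
CLEAN_SAMPLE = b"""From: Dana Lee <dana.lee@example.com>
To: you@example.com
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

Report attached as discussed.
--YY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--YY--
"""

if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, triage(sample) or "nothing flagged")
```

A finding here is not proof of anything malicious; it is the cue to do exactly what the post recommends and confirm with the sender by phone or in a fresh email thread rather than by replying.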
6. Install computer updates whenever they’re available
Depending on what operating system you use, updates and security patches can be frequently available. Microsoft, for example, ships new updates for Windows on the second Tuesday of every month (you can find a list here). Apple’s updates come a little more sporadically but are still shipped often enough to help maintain OS security.
Installing these updates and patches is an important part of keeping your system up-to-date with the latest security concerns and improvements. Some companies automate this process, installing updates in the background so you don’t have to. If you’re not sure whether this applies to you, check with your IT department.
7. Avoid using external flash drives to transfer information
Despite how common it is to use USB flash drives (it seems they’re handed out like candy these days), they’re not secure. These tiny thumb drives can be loaded with malware or reflashed with tampered firmware (the USB’s permanent software). So unless you know where the USB has been before it was delivered into your hands, it’s best not to use it.
But why not just wipe it clean, you might ask? “You can give [the USB] to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’ [but] the cleaning process doesn’t even touch the files [in the firmware],” said security researcher Karsten Nohl in an interview with Wired. Once the firmware has been affected, it’s difficult, if not impossible, for most people to find the corruption and remove it.
Then there’s the obvious danger with USB drives: not being able to control where they go, or who has access to the files, once they leave your hands. Even if one is tucked away in your desk, can you be sure no one will take it when you’re not looking, or that extra copies of the file won’t be made while someone else uses it? No. Better safe than sorry.
8. Lock your computer whenever you step away from your desk
This is a seriously simple step you can take to mitigate risk in your workspace. Anytime you leave your desk, even to grab a cup of coffee or hit the bathroom, you should lock your computer. This may not prevent external hackers from stealing sensitive company data, but it can deter renegade employees or “visiting guests” from snooping through your information while you’re away.
If you’re worried you’ll forget in the rush of an ever-busy workday, most computers allow you to set a default lock whenever your session has been inactive for a set number of minutes. Ask your IT department how to configure this, then set it to an amount of time that creates a balance between security and usability. Ten to fifteen minutes is usually adequate (unless otherwise already set by your organization).
9. Ensure your connection is secure if doing work from home
If you’re able to work from home, make sure you set up a secure connection that meets your company’s standards before accessing any sensitive information, including email and user accounts. Avoid working on devices that haven’t been approved by the IT department, such as personal phones or laptops that might be compromised with malware or questionable software. And always use protected WiFi, as open WiFi connections (especially ones in public places) are vulnerable to packet sniffer programs that can read and steal transmitted data.
10. Make security a topic for discussion in your role, department, and organization
Last, but certainly not least, be an advocate for security in your organization. If you recognize the need to protect your data and your company’s data, others will start to recognize it too. Ask leadership or the IT department if they plan to create a security awareness program or document their policies for internal reference. Share what you learn with your coworkers, or bring them into the conversation by asking them how they handle security in their own role. And apply what you do at work in your personal life, because your data is important too.
For further information on how to protect your data at work, check out our blog post on email security: Top Email Security Challenges and How to Solve Them.