Great Cyber Hygiene Starts with a Culture of Security Awareness

With October fast approaching, we are reminded by Cybersecurity Awareness Month that cybersecurity affects everyone and is everyone’s responsibility. This is why organizations are focusing more and more on implementing cybersecurity awareness training to improve cyber hygiene and behaviors across their entire workforce. Having the right cybersecurity solutions is critical, but if an organization’s workforce doesn’t utilize the security tools in place or doesn’t know what to avoid in their day-to-day activities, they’re putting themselves at risk and, ultimately, their organizations at risk of being breached. Every person at an organization—regardless of their role—must be on top of their game to defend the enterprise against threat actors.

Basic Cyber Hygiene Practices for All Employees

All employees must understand and follow good security practices. There are several basic cyber hygiene steps all employees should take that contribute to a more robust security posture for the organization, such as creating strong passwords, patching software, and learning about the signs of popular attack methods, such as phishing and malware.

  • Strong passwords: Empowering employees to create strong passwords is basic protocol. Offer personnel guidelines for choosing a unique password for each account that is easy for them to remember but hard for anyone else to guess; length matters more than a sprinkling of symbols, so a long passphrase beats a short password with a couple of substitutions. For example, suggest a mnemonic device, such as the first letter of every word in a sentence they know or a line from a favorite movie or song, with some special characters and capitalization added. Better yet, offer them a password manager so they can generate a distinct, long, random password for every account. Password managers make it easy to use the best passwords possible: the employee only has to memorize one strong master password to unlock the vault. That master password is the one worth the most care, and the vault itself should be protected with MFA.
  • Multi-Factor Authentication: Beyond offering password guidance or encouraging employees to use a password manager, implement Multi-Factor Authentication (MFA). Requiring a second factor to verify a user's identity means a stolen or reused password alone is not enough to take over the account. Keep in mind that SMS codes and app-generated one-time passcodes can still be relayed by a real-time phishing site, so where possible prefer phishing-resistant factors such as FIDO2 security keys or platform authenticators. Adopting Single Sign-On (SSO) is another way to safeguard employees and the organization's data: with one set of credentials there are fewer passwords for threat actors to phish or reuse, but that one identity then unlocks everything, so the SSO account must itself be enforced with MFA.
  • Update software regularly: Unpatched software and operating systems on employee devices give attackers a known way in. Security patches close holes that attackers actively exploit once the details are public, so the faster a patch lands, the smaller the window of exposure. Wherever possible, configure updates to install automatically on employees’ devices, so that security fixes reach laptops and mobile devices as soon as they are released rather than whenever the employee gets around to installing them. Pair this with an endpoint-management or inventory view that shows which devices are still behind, so the exceptions can be chased down.

Unsurprisingly, social engineering is one of the most common ways bad actors get into an organization’s network. Teaching employees to spot social engineering tactics is the best defense against this threat. Remind them that when communicating online, they should never trust anyone whose identity they can't confirm. Don't click on anything that seems unusual or suspicious, even if the sender makes it seem urgent; manufactured urgency is itself a warning sign. Check the badges of individuals trying to tailgate into the building. And if they receive an odd request from their manager or a coworker, such as a request to purchase gift cards, they should confirm it is legitimate by calling the supposed sender on a number they already have, not one supplied in the message, before taking action.

In addition to social engineering, make employees aware of other common ways hackers try to steal information. For example, many employees would be surprised to learn that malicious banner ads and pop-ups (malvertising) can appear even on reputable websites they browse regularly, because ads are served by third-party networks rather than by the site itself. Help them understand that they must be careful where they click. Offers for free games or music, or anything similar that seems too good to be true, can deliver malware that infects the device once the ad is clicked, often without the victim ever noticing. A patched, up-to-date browser is the backstop for the times someone does click.

Ongoing Cybersecurity Education Programs

As the threat landscape grows, it’s more important than ever to make cybersecurity awareness an integrated and continuous element of an organization’s work culture. Cybersecurity awareness starts with the individual, and every employee is responsible for securing the organization's information and assets.

The best cyber awareness training programs are turnkey offerings that include an intuitive administrative interface that makes it easy for you to build campaigns, monitor employee progress, and report on results. Employees should be able to access learning modules with short videos that reinforce the concepts covered in each lesson, with quizzes or remedial exercises included after each session. For example, Fortinet’s Security Awareness and Training service is a SaaS-based offering that delivers timely, current awareness training on today’s cybersecurity threats. It helps IT, security, and compliance leaders build a cyber-aware culture in which employees recognize attacks and avoid falling victim to them.

While the course content you choose might vary depending on your organization and industry, your employees should know how to recognize and manage threats associated with phishing attacks, ransomware, social engineering, social media use, passwords and authentication, physical security, and more.

Cybersecurity is Everyone’s Job

Cybersecurity is everyone's job, and organizations need training and education programs that address many different audiences. To close the cyber skills gap, current and future cybersecurity professionals, as well as the rest of the workforce, need to understand what their role is in their company's security posture. When security teams and employees work together to develop and maintain strong cybersecurity practices, they're better positioned to "win" against the always-changing threat landscape.

Find out more about how Fortinet's Training Advancement Agenda (TAA) and Training Institute programs, including the NSE Certification program, Academic Partner program, and Education Outreach program, are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.

Copyright © 2022 IDG Communications, Inc.