The biggest threat to a company’s data security is its employees. In a 2018 information security report, cybersecurity expert Imran Ahmad explained that “no matter how much an organization spends on technology, the single most important point of vulnerability in an organization remains its employees.”
Your employees interact with your company’s files, data, and intellectual property on a daily basis. This means they have ample opportunities to wreak havoc on your digital security, either through ignorance or malice. Regardless of intent, an employee-caused data breach can destroy your company’s finances and reputation.
The best way to protect your business files and other data is to train employees on proper cybersecurity practices from day one. Everyone in your company should know the basics of IT security, from how to safely transfer business files to identifying and reporting digital security threats.
What to include in cybersecurity onboarding
Train employees to identify threats
Everyone has gaps in their knowledge, so don’t assume your new employees know how to spot a cybersecurity threat. Focus on training all new employees to identify and properly handle some of the most common ones.
Spear phishing emails
Hackers have many tricks up their sleeves, but they have one particular favorite. Spear phishing accounts for 91% of all targeted attacks.
Spear phishing is a tactic that involves sending a fraudulent email that appears to be from a trusted source. The email may contain an attachment with malware or a virus, or it may include a request for confidential information.
If you received an email that appeared to be from your boss saying she needed a confidential file emailed to her right away, would you do it? People tend to obey authority figures, and many employees wouldn’t think twice about following those instructions.
An employee with proper cybersecurity training would know that emailing files is never a safe practice and would instead share the link from inside a secure file-sharing platform such as Onehub. This way, the shared file would go to the real person and not the spoofed email address.
Other ways to identify a spear phishing email:
- Check the sender’s email address. It’s easy for hackers to spoof the “from” name, but it’s more difficult to spoof the actual email address. Instead, they may create a fake address that resembles the true one but isn’t exact.
- If the hacker has spoofed the email address and the sender name, evaluate the wording of the email. Is this how the sender normally writes? If, for example, your boss always addresses you as “Mark” in emails and this one says “Marcus,” that should set off alarm bells.
- Scan attachments for viruses and confirm links are accurate by hovering over them (without clicking!) to see the true URLs.
- Make a phone call. If you’re suspicious of the request, but everything appears to be in order, call the person the email is supposed to be from. If that’s not an option, contact your IT department. Never comply with a suspicious email request without confirmation, no matter how dire the person makes the situation sound. (In fact, urgency is another sign that the email may be fraudulent.)
Spear phishing is the most popular type of attack because it’s so effective. Even a trained and diligent employee can fall victim to a spear-phishing scheme. However, it’s much more work to fool an employee who is well versed in the basics of data protection. Training employees can dramatically lower your risk of a spear-phishing incident.
The pandemic has massively shaken up the world of work, and more employees than ever are using public Wi-Fi as they work remotely. Unfortunately, this leaves your company’s data completely vulnerable to attack.
The most common public Wi-Fi attack is called “man in the middle.” The employee thinks they’re directly connected to the public Wi-Fi, but they’re actually connected to a hacker. The hacker can see confidential information such as passwords and can even inject malicious data to infect the employee’s device.
If employees must connect to free public Wi-Fi, find a trustworthy virtual private network (VPN) provider for your company. A VPN essentially turns a public network private by establishing a secure and encrypted connection. This means employees can work from wherever they need without worrying about exposing sensitive company information.
Create a policy for personal devices
With so many people working remotely now, it’s vital to have onboarding guidance for how employees are allowed to use personal devices for work purposes.
Keep devices updated
Emphasize the importance of employees keeping their devices updated. Workers generally know to do this on their work-issued laptops, but they often forget that it’s necessary on their personal devices as well.
Updates can be time-consuming and frustrating, but they’re never issued without good cause. They often contain important patches to address recently discovered security issues. Employees who continually delay updates put their devices and your company’s data at risk.
Password protect devices and never leave them unattended
It’s difficult to believe, but 52% of people don’t password-protect their cell phones. If employees are using their personal mobile devices for work purposes, they absolutely must lock them with a password.
It’s also important to remind employees that they should never leave their phones, tablets, or laptops unattended in public places. If they’re working from a coffee shop and need to use the restroom, they need to pack up everything and take it with them. It feels like a huge inconvenience, but it’s much better than having the device stolen or compromised.
Emphasize the importance of strong passwords
If you think creating strong passwords is common sense these days, allow us to introduce you to some of 2020’s top passwords: 123456, password, and 111111. The time it takes to hack passwords like these is counted in milliseconds.
Passwords are one of the most common authentication methods for accounts. We use them so often that they’ve begun to feel like they’re no big deal, but they are crucial for data protection. We have an entire article dedicated to password best practices that you can use to supplement your cybersecurity onboarding. Onehub also allows you to enforce complex passwords for that extra peace of mind.
Use company-provided software
Many people have a strong affinity for the software they use at home or used in a previous job. While it’s understandable to want to stick to what you know, it’s important that new employees know they can only use company-provided cloud storage platforms, file-sharing apps, and other types of business software.
Companies vet the security practices of the third-party providers they’ve chosen. For example, Onehub’s cloud storage and file sharing software is protected by bank-level encryption, offers granular roles and permissions to fine-tune data access, enforces strong passwords, and offers two-factor authentication. Employers can’t verify the security protocols of every employee’s preferred software. This creates unnecessary risk to your business files and other data.
In addition to wanting to stick with what they know, employees may find alternate software solutions because the ones your company provides don’t meet all of their needs. You can better understand your staff’s technology needs by asking for their opinions and feedback.
Your company can choose to find individual providers for each type of service employees want (e.g., collaboration tools, messaging, file sharing), or you can choose a more robust option that offers all of these features within one secure platform.
Don’t stop at onboarding
Making cybersecurity a focus of your employee onboarding is the best way to ensure all of your employees have the same foundational knowledge about data protection. However, our technological landscape is dynamic. New digital threats are always emerging, as are new cybersecurity practices. To reach total data protection, information security training must become a regular event for all employees.
Onehub offers a diverse platform that includes cloud storage, secure file sharing, collaboration tools, and messaging — all with bank-level encryption and cybersecurity best practices. Protect your business data today with a free 14-day trial.