As Cybersecurity Awareness Month continues, many across the industry are reviewing the best practices that have helped safeguard government agencies as they have adapted to modern threats. Information security professionals have had to address a number of serious breaches, each of which has showcased both the failings and the strengths of the modern IT world. This trend, along with the increasing coverage of cyberthreats by mainstream news sources, has led to continued interest in how the industry can combat these threats.
In a recent blog post from CrowdStrike, their experts weighed in on what is being referred to as the “shift in responsibility,” the change in who is viewed as being in charge of guaranteeing security for a network. With the rise in work from home, the previous consensus that security was “someone else’s problem” has slowly but surely been replaced by the understanding that every endpoint is a potential vector for attack.
According to CrowdStrike’s experts, there are a number of best practices that an agency or organization can follow to make sure that this conversation results in meaningful and practical benefits:
1. Teach employees about password strength and the importance of not reusing the same handful of passwords over and over again. Individuals may consider using a password manager such as 1Password, LastPass or Dashlane in their personal life, but these open agencies up to more risk: a single stolen password can now put the entire network at risk.
2. Encourage your employees to activate multifactor authentication (MFA) wherever possible. This is one of the most powerful tools for protecting personal information. Create cheat sheets and guides for activating MFA on commonly used applications and software.
3. Teach people about the risk of using free public Wi-Fi access. It is very easy for an adversary to set up a public Wi-Fi hotspot that spoofs that of a local coffee shop, library or airport, and through it gain access to organizational networks.
4. Teach people to be wary and vigilant about social media, and show them how the various pieces of information they share could be used against them. Explain to employees that simple questions such as “How far away do you live from the place you were born?” could allow an adversary to reset a social media password using secret questions.
5. Educate people about the importance of keeping their devices and browsers up to date with the latest patches, to prevent any known vulnerability from being exploited by adversaries. Again, create cheat sheets, guides and information packets about patching and what to look out for.
6. Make sure information is easy to understand and simple to execute. People will quickly shut down and revert to bad habits if what you are introducing is complex. If you can’t explain it in the simplest of terms, it will not be adopted.
7. Make the information interesting. Engaged employees are more likely to remember the material. One example of an excellent motivator is gamification, in which people can earn badges or points or be rewarded for good quiz results.
8. Encourage employees to talk about cyber hygiene and resilience at the dinner table. Ask them to teach their families about online safety by comparing cybersecurity to physical security — discuss online stranger danger, keeping track of your digital belongings, and “see something, say something.” Physical security terms translate well into cybersecurity and will further reinforce a safer online experience for everyone — at home and at work.
9. Make communication about cybersecurity an open dialogue, not a shaming exercise. Establish a simple way for employees to report mistakes or areas of concern without embarrassment. Positive reinforcement leads to better behaviors faster, so when you see people doing the right thing, reward them in front of the rest of the organization — loudly and proudly.
To learn more about how federal agencies and organizations can build a better cybersecurity paradigm, click here.