Every day, employees hear the same things from their IT staff about cybersecurity and safety. Though they may seem pushy and monotonous, there are important reasons behind these practices and this advice. Keeping safe and secure while connected isn’t just about how your system is set up; it is also very much about how the end users of that system keep their machines safe from attacks. Below, we list some cyber hygiene practices and provide the background and justification for why each of them deserves your attention:
a) Don’t check your personal email while on office systems.
Staff are always warned against, and reprimanded for, using personal email on work machines, but many do not understand the rationale behind this. By checking your personal email on your office computer, you extend the risk profile of your workplace to include your own personal activities. Social engineering attacks that target you as an individual now naturally extend to the entire office.
Your office email account is carefully managed and secured by policies and the vigilance of your IT team to minimize the risk from suspicious emails, links, and attachments. Once you open your personal email account on your office computer, you sidestep many of these defenses and render them less effective. If you open a suspicious attachment from your personal email on your office computer, you can infect your system (and eventually many other systems on the network) with malicious software such as ransomware, which may prevent you and your colleagues from performing your duties by encrypting your files.
b) Don’t re-use your office computer password for other systems and services.
One of the most hazardous things you can do is use the same password for multiple accounts or systems. Malicious hackers constantly steal login credentials from systems that may be poorly secured, such as online shopping sites. These credentials are usually dumped on the dark web or sold for money, so other cyber criminals can obtain them and later use them against you.
If you re-use passwords, that one exposed password can be used to access your online banking, office systems, home devices, phones and more. By re-using your work password elsewhere, you leave yourself and your organization open to this type of compromise.
It is advisable to use a password manager such as LastPass or Dashlane to manage all your passwords and to generate a unique, strong password for every site you use. These password managers also alert you if your credentials have been leaked.
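The two checks a password manager performs here (a reuse audit and a leaked-credential lookup) can be illustrated with a small added example that is not part of the original article. It mirrors the k-anonymity range-query scheme used by Have I Been Pwned's Pwned Passwords service (the client reveals only the first five hex digits of the SHA-1 hash) but runs entirely offline against a constructed breach list; all passwords, account names and the index structure are made up for the demonstration.

```python
import hashlib

# Constructed "breach dump": passwords we pretend were stolen from an insecure site.
# In practice the client never sees this list; it only sees hash suffixes for one prefix.
CONSTRUCTED_LEAKED_PASSWORDS = ["password123", "Summer2019!", "qwerty", "letmein", "qwerty"]

PREFIX_LEN = 5  # the k-anonymity range scheme reveals only these leading hex digits


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the digest leaked-password lists are keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Service side: bucket every leaked hash by prefix -> {prefix: {suffix: occurrence count}}."""
    index = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:PREFIX_LEN], {})
        bucket[digest[PREFIX_LEN:]] = bucket.get(digest[PREFIX_LEN:], 0) + 1
    return index


def range_query(index, prefix):
    """Service side: answer a range query. The service learns only the prefix, never the password."""
    return dict(index.get(prefix, {}))


def leak_count(password, index):
    """Client side: send the prefix, match the suffix locally; 0 means not in the constructed dump."""
    digest = sha1_hex(password)
    candidates = range_query(index, digest[:PREFIX_LEN])
    return candidates.get(digest[PREFIX_LEN:], 0)


def find_reused(accounts):
    """Group accounts that share a password hash; this is what a password manager's reuse audit does."""
    by_hash = {}
    for account, pw in accounts.items():
        by_hash.setdefault(sha1_hex(pw), []).append(account)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


LEAKED_INDEX = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)

if __name__ == "__main__":
    vault = {"office": "Summer2019!", "webshop": "Summer2019!", "bank": "tr0ub4dor&3-unique"}  # constructed
    for group in find_reused(vault):
        print("same password reused on:", ", ".join(group))
    for name, pw in vault.items():
        print(f"{name}: seen {leak_count(pw, LEAKED_INDEX)} time(s) in the constructed dump")
```

The office password in the constructed vault is both reused and present in the dump, which is exactly the combination that turns one shopping-site breach into an office compromise.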
c) Don’t install unauthorized software on any office systems.
One of the perks of being a Windows user is the ability to access all sorts of commercial software without paying a dime. This is usually what is called ‘cracked’ software. Installing unauthorized or cracked software can negatively affect your workplace’s security posture. Such software can include everything from stand-alone programs to plug-ins (AdBlock, IDM, etc.) for your web browser. Not only can this cause stability problems leading to slower or unreliable system performance, but installing cracks can pose a direct security threat, either because the crack may itself be malicious software, or because it introduces software that is not part of the patch management system in your environment.
Cracked software can be embedded with reverse-connecting payloads that bypass security measures such as firewalls and hand full access to an attacker. If the attacker develops that foothold into a persistent presence (an Advanced Persistent Threat, APT), you remain exposed to future attacks, especially when IT is unaware the software exists and it therefore never receives regular patches or fixes. That leaves an avenue open for attackers, who readily leverage known vulnerabilities in unpatched software to compromise systems and potentially steal confidential information.
d) Make sure you lock your screen when you are away from your desk.
Many people have a bad habit of just walking away from their workstations without locking their computers. Screen locking policies exist for a reason. Even if you are leaving for just a few minutes at a time, be sure to lock your screen. Though physical intruders are rare during daytime and in conventionally secured offices, intrusions do occasionally happen.
Screen locks also frustrate unscrupulous insider attacks from other employees who may seek to access information beyond what they should normally have. By simply plugging a flash disk into your unlocked computer, a malicious insider can run auto-executing code that leaves a backdoor in your system. If such an attacker later uses that backdoor to commit fraud, you will take the fall for it, as the forensic investigator will most certainly say the attack came from your computer. And remember, you are ultimately responsible for everything done under your login!
e) Don’t write down your passwords or user credentials.
The malicious-insider scenario from the previous point applies here too. On the rare occasion a physical attacker gains access to your workstation, they will immediately look for written passwords and other authentication material. Many people keep a document of their passwords on their desktop (to make matters worse, it’s labelled ‘Passwords.txt’).
Whether by reading a written password or by shoulder surfing as you open that document, attackers can get right into your sensitive protected office systems and start stealing data or compromising assets. This risk does not come only from an unknown outsider; it could come from consultants, contractors or internal staff with malicious intent. As stated in (b) above, it is advisable to invest in a password manager.