3 Steps to Creating a Culture of Privacy Protection
Whether your workforce has gone remote or your team reaches confidential client information from personal devices, everyone needs to be on the same page about data security. Why? Because people are the soft target. Roughly 90% of data breaches trace back to human error.[1] Your company can buy the most sophisticated security software in the world, and an attacker may still get in when an employee clicks a link in an email from his “bank.” It happens to the best of us; in one survey, 25% of organizations reported having been hit by cryptojacking alone.[2]
This article is a guide to training your team to be security savvy by creating a culture of privacy protection. Following these 3 simple steps can significantly lower your organization’s risk of a security breach.
1. Report Suspicious Activity.
So there’s a firewall. Great. A firewall filters network traffic according to rules and blocks a large share of opportunistic attacks from the outside. But a firewall won’t stop a user from opening a malicious attachment, and it can’t always detect a breach that has already succeeded: an intruder who is quietly inside your system, collecting and sharing your organization’s valuable information.
Did you know that many companies are unaware they have been breached until the FBI contacts them?[3]
That’s why you need a team trained to report suspicious activity. But what exactly is suspicious? Maybe someone can’t locate an online file because it has been maliciously deleted. Maybe your cloud service says a folder was shared with someone outside your organization whom you don’t know. Or maybe someone clicked a funny link or attachment, realized the significance too late, and then... nothing happened. Don’t be fooled: hacks don’t always mean black screens and frozen windows. Plenty of malware is built to stay quiet, harvest credentials or data, or wait and activate at a later date. An unexpected password-reset email, a login alert from an unfamiliar location, or a two-factor prompt nobody asked for belong on the list too.
Train your team to speak up, make it easy (one address or chat channel where reports go, and no blame for false alarms), and act on what comes in. You don’t want the first time you’re told about your company’s cyberattack to be a call from the FBI.
2. Be a Good Steward of Device Security.
Security should be everyone’s responsibility. Not the firewall’s. Not the IT team’s. Not management’s. Everyone’s. Why? Because the majority of cyber-attacks involve human error, 90% of breaches, to be exact.[4] And 20% of respondents to a Malwarebytes survey said they had suffered a breach since the COVID-19 pandemic started because of a remote worker’s behavior.[5]
How does this happen? Someone clicks that bait in an email, opens an unfamiliar attachment, fails to check the legitimacy of the sender’s email address, or leaves a device unsecured and unattended.
Most organizations have security rules in place, but it’s important for teams to understand why those rules exist. If even one person engages in lax security behavior, the organization’s entire system could be at risk.
Here are some simple best practices to stay safe:
A. Protect All Devices.
Don’t forget that your organization needs security protection on all devices, not just workstation desktops. 67% of Global 2000 companies report breaches resulting from mobile access to corporate data.[6] If employees are accessing organizational email and documents from a cell phone, protect those phones (screen lock, device encryption, a current OS, and the ability to wipe a lost device remotely) and make sure everyone is using 2FA (see Point 2(E)).
Employees are 3x more susceptible to phishing on mobile devices than on desktops.[7] And 85% of mobile phishing attacks arrive outside of email, through messaging, social networking, games, and productivity apps.[8]
Maybe it’s the small screens that make URLs and email addresses hard to verify, or maybe it’s because the phone is used 24/7, including at 2am in the bathroom, but staying secure on a mobile device can be tricky. Teams should keep the phone’s browser and apps up to date, avoid tapping links in messages from unfamiliar senders, and reach important sites (bank, cloud, email) by typing the address or using a saved bookmark rather than a link someone sent.
Ensure your team has access to protocols and security systems for all devices.
B. Update Software.
Software updates, especially the ones without cool new features, are annoying. They mean closing all those open tabs, restarting the device, and re-entering 108 passwords for your favorite tools and platforms. But encourage your team to do it anyway. Many updates exist primarily to fix known security vulnerabilities, and once a fix is published attackers study it to build exploits for everyone who hasn’t installed it yet. When your team has a habit of waiting days before installing updates, your organization is left open to attack. Where a device or app offers automatic updates, turn them on.
C. Don’t Connect to Public Networks.
When connecting to wi-fi, on work devices and on personal devices that can reach organizational email or documents, the best option is a network you control that nobody else is using. On a shared network, other devices can probe yours for exposed services and can read or tamper with any traffic that isn’t encrypted.
This comes into play in different ways. For instance, when traveling, don’t connect to the hotel wi-fi. Use a personal hotspot instead.
Further, it’s best to be on a network apart from others who may be less security-savvy. At home, that means keeping work devices separate from family and guest devices. If a spouse or child accidentally activates malware on their own device, it can reach other devices on the same network. Note that the 2.4 GHz and 5 GHz options most routers offer are two radio bands on the same network, so splitting devices between them does not separate them. What does work is the guest network feature many home routers include: put family and guest devices on it and keep work devices on the main network (or the other way around), so the two groups can’t talk to each other.
D. Use a VPN.
A VPN (virtual private network) encrypts all traffic between a device and a VPN server, whether that server belongs to the organization or to a VPN provider. Two things follow. First, anyone sharing the device’s network (hotel wi-fi, a coffee shop, a compromised home router) sees only encrypted traffic. Second, the websites and services the device talks to see the VPN server’s IP address rather than the device’s own, so they can’t tell where the device really is. That second point matters for targeting. For instance, a hacker can search Google to find out the office locations of RVL and can look up which IP addresses belong there. If a device shows up with one of those addresses, the hacker can aim an attack at that specific device in an attempt to steal valuable information. Since RVL uses a VPN, an outside observer sees only the VPN server’s address, and RVL devices become much harder to single out.
Your team should always activate the VPN before starting work, and should treat it as one layer, not a cloak: a VPN does nothing against a phishing link clicked while connected. Keeping the VPN product’s name quiet costs nothing, but secrecy is not a defense. VPN clients and gateways have had serious, publicly exploited vulnerabilities, and attackers scan for them whether or not you advertised the brand. What protects you is keeping the VPN software patched (see Point 2(B)).
E. Implement 2FA.
2FA (two-factor authentication) requires a login to be proven with two independent factors rather than a password alone. Common second factors are a code from an authenticator app on a separate device, a push prompt to that device, a code sent by email or SMS, or a physical security key that plugs into the device. Not all of these are equal: codes delivered by email or SMS can be phished or intercepted, while an app code is only valid for about 30 seconds and a physical security key is bound to the real website, so it can’t be replayed on a look-alike site.
The purpose of 2FA is to ensure that the person logging in is the owner of the account, not someone who guessed the password, bought it from a breach dump, or found a password sticky note tucked away in a drawer.
2FA should be turned on for every login where it is available, such as email, security, cloud, and payment platforms, starting with the accounts that can reset the others (email and the password manager).
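To make concrete what an authenticator-app code is and why a phished one goes stale so quickly, here is an added example (not code from the original article) implementing the TOTP algorithm from RFC 6238 that authenticator apps use, in Python with only the standard library. The secret is the published RFC 6238 test key so the codes can be checked against the RFC’s own table; the account name and the issuer “RVL” in the provisioning URI are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 the 8-byte counter, dynamically truncate, keep `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, submitted, at=None, step=30, window=1, digits=6):
    """Server side: accept the current step and `window` steps either side for clock drift.
    compare_digest keeps the comparison constant-time. Once the step has passed the code is
    worthless, which is why a phished code has to be used by the attacker within seconds."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-window, window + 1))


def provisioning_uri(secret, account, issuer):
    """What the enrollment QR code encodes (Key Uri Format); the shared secret travels as Base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


# Constructed demo secret: the test-vector key from RFC 6238 Appendix B, so the codes produced
# here can be checked against the RFC's table. A real secret is ~20 random bytes made at enrollment.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    print(provisioning_uri(RFC_SECRET, "employee@company.example", "RVL"))  # placeholder names
    code = totp(RFC_SECRET, now)
    print("code now:", code, "| accepted now:", verify_totp(RFC_SECRET, code, now),
          "| accepted 2 minutes later:", verify_totp(RFC_SECRET, code, now + 120))
```

Run it and the second line shows the point of the section: the same six digits are accepted within the drift window and rejected two minutes later, which is all that stands between a victim who reads a code to a caller and an attacker who can’t use it fast enough.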
F. Turn on the Firewall.
Desktops and laptops should have the built-in host firewall turned on to block unsolicited inbound connections (Windows Defender Firewall on Windows, the application firewall on macOS). Mobile devices don’t expose a firewall to the user; their protection comes from the operating system’s app sandbox, which is one more reason to keep them updated (see Point 2(B)). As with the VPN (see Point 2(D)), which security software you use is not a secret worth relying on; keeping it updated is what counts.
Don’t turn off the firewall to reach unverified websites or downloads. Some installers and websites display a prompt asking the user to temporarily disable the firewall or antivirus. Teach your team to be wary of such requests and to think about who they are letting onto the device before accepting one; a legitimate program rarely needs protection switched off, and if it does, IT should be the one doing it.
G. Always Check the Sender’s Address.
Don’t send bank account information to an Egyptian prince requesting financial help.
In general, never assume the sender of a link or attachment is who they claim to be. Emails can appear to come from legitimate companies, complete with their standard colors and logos. Red flags are unfamiliar sender addresses, time-sensitive deals or requests, and too-good-to-be-true offers. If someone feels the need to click a link or open an attachment but is unsure of the sender, call the organization, using a phone number from its website or a previous invoice, never one from the message itself.
Of note: an email address can be spoofed, or a familiar display name can be paired with a stranger’s address, to appear legitimate. If the wording or images look off, trust but verify by contacting the sender through separate means. DO NOT reply to the email to ask whether it was legitimate; if the sender’s account has been hacked, the attacker will happily answer yes.
H. Don’t Click Links or Open Attachments.
Beware the click-bait. If the opportunity looks too good to be true, it often is. Any countdown meter in the message or on a webpage should serve as a red flag. Hover over a link (or long-press it on a phone) to see where it really goes; the visible text and the actual destination need not match. If a link or attachment is sent via email, check the sender’s email address (see Point 2(G)). And NEVER trust an unfamiliar site.
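The checks in Points 2(G) and 2(H) can be automated for the obvious cases. The following is an added example, not part of the original article and not an RVL tool, in Python using only the standard library: it parses a raw email, compares the From and Reply-To domains against a list of domains the team actually does business with (TRUSTED_DOMAINS is an assumption, as are the two sample messages and every domain in them, all constructed for this example), flags look-alike domains by edit distance, flags pressure words in the subject, and checks every HTML link for a mismatch between the address it shows and the address it goes to.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this team genuinely receives mail from (a real deployment loads these).
TRUSTED_DOMAINS = {"example-bank.example"}
# Pressure phrases the article lists as red flags.
PRESSURE_WORDS = ("urgent", "immediately", "within 24 hours", "final notice", "suspended")

# Constructed sample (not a real capture) showing every red flag at once: a brand name on a
# look-alike domain, a Reply-To pointing elsewhere, an urgent subject, and a link whose visible
# text is the real bank while its href is the attacker's host.
PHISH_RAW = b"""From: "Example Bank Security" <alerts@examp1e-bank.example>
Reply-To: verify-team@mail-support.example
To: employee@company.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your account will be locked.
<a href="http://login.mail-support.example/reset">https://www.example-bank.example/secure</a></p>
"""
# Constructed benign counterpart from the real domain with an honest link.
LEGIT_RAW = b"""From: "Example Bank" <alerts@example-bank.example>
To: employee@company.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="https://www.example-bank.example/secure">https://www.example-bank.example/secure</a></p>
"""


class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, to catch look-alikes such as a '1' standing in for an 'l'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def triage(raw, trusted=TRUSTED_DOMAINS):
    """Return (code, detail) findings for one raw RFC 5322 message; an empty list means no red flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    hdr = msg["From"]
    from_domain = domain_of(hdr.addresses[0].addr_spec) if hdr and hdr.addresses else ""
    if from_domain and from_domain not in trusted:
        near = any(edit_distance(from_domain, t) <= 2 for t in trusted)
        findings.append(("lookalike-sender" if near else "unknown-sender", from_domain))
    hdr = msg["Reply-To"]
    if hdr and hdr.addresses and domain_of(hdr.addresses[0].addr_spec) != from_domain:
        findings.append(("reply-to-mismatch", domain_of(hdr.addresses[0].addr_spec)))
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in PRESSURE_WORDS):
        findings.append(("urgency", subject))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real = (urlparse(href).hostname or "").lower()
            shown = (urlparse(text).hostname or "").lower() if text.startswith(("http://", "https://")) else ""
            if shown and shown != real:
                findings.append(("link-text-mismatch", f"shows {shown}, goes to {real}"))
    return findings


if __name__ == "__main__":
    print("phish:", triage(PHISH_RAW))
    print("legit:", triage(LEGIT_RAW) or "no red flags")
```

It won’t catch a careful attacker (a registered look-alike domain with a matching link text and no Reply-To sails through), which is exactly why the article’s rule still applies: when in doubt, pick up the phone.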
I. Protect Access to Devices.
Hackers don’t always get into devices through some elusive virtual backdoor. Sometimes they simply get hold of the physical device. Don’t let them.
If a team member loses a cellphone in a public place, even for a short time, assume it has been compromised: report it to IT right away so the device can be wiped remotely and its logged-in sessions revoked, and change all passwords.
If a device is left alone in the office, such as on someone’s desk, lock the screen and close the laptop lid, even for a bathroom break. Set every device to lock itself after a few minutes of inactivity so that forgetting once doesn’t matter.
If a team member is staying in a public place and must leave a device unattended (e.g., in a hotel room), all accounts should be logged out of and the device shut down fully rather than put to sleep, so that its disk encryption is actually in force while it’s out of sight.
J. Use a Password Manager.
A strong password is one that is not used for any other account and cannot easily be guessed, e.g. Krd!JD23?Df. Nonsense, right? Nobody can recall a dozen of those, and if policy forces a change every two weeks or two months it’s hopeless. (Current NIST guidance, SP 800-63B, recommends changing a password when there is evidence it has been compromised rather than on a fixed schedule.) So, use a password manager. Pro tip: most password managers will generate a long random password for each site and store it in their encrypted vault, so the only password anyone has to remember is the one that unlocks the manager, which is exactly the one to make long and to protect with 2FA.
If a team member is allowed to use the same password for everything, the organization becomes very vulnerable: a hacker only needs to breach one account, or buy that password from a breach of some unrelated website, to have access to all of them.
K. Ask a Friend.
When it comes to detecting suspicious activity, sometimes a second pair of eyes is best. Start a policy of asking co-workers to glance at a suspicious email, or asking whether they touched an important file that looks fishy.
Sometimes this means calling them rather than sending an email or instant message, especially if the co-worker is the one behind the suspicious activity, to ensure their account wasn’t hacked. For instance, while working remotely, a co-worker asked me through instant message for the business credit card number. I called them to verify the request.
3. Engage the Team.
Changing values, attitudes, and beliefs is the key to creating cybersecure behaviors. Leaders of an organization should truly engage their teams to create a culture of cyber security. This can be fun, too: prizes for pop quizzes, or adding privacy awareness as a component of bonus calculations, can further the organization’s privacy goals.
Lastly, each organization’s security strategy should be uniquely curated to its business practices. Leadership should not merely copy another organization. Be mindful of your needs and the individuals who have access to valuable information within the organization, and work to protect it.
[1] Anthony Spadafora, “90% of Data Breaches Caused by Human Error,” TechRadar, May 19, 2019.
[2] RedLock.
[3] Ellen Nakashima, “U.S. Notified 3,000 Companies in 2013 About Cyberattacks,” Washington Post, March 24, 2014.
[4] Anthony Spadafora, “90% of Data Breaches Caused by Human Error,” TechRadar, May 19, 2019 (same as [1]).
[5] Malwarebytes presentation to Cybersecurity at MIT Sloan (CAMS), October 24, 2020.
[6] Ponemon Institute.
[7] IBM.
[8] Aaron Cockerill, “Phishing, Phones, and the New Social Engineering Threat,” Lookout presentation at MIT Technology Review CyberSecure 2020, December 2, 2020.
About Lauren Hughes
Lauren Hughes is the privacy and branding lead at Rockridge Venture Law®. Equally adept at creative campaigns as well as technology transactions, Lauren leads clients through copyright, privacy, regulatory, and trademark considerations in optimizing successful e-commerce portfolios. She is a leading voice among women practicing in technology and tech law. Her primary practice areas include copyright and trademark law, data privacy, sports and entertainment law, and technology transactions. Lauren also leads the Knoxville Technology Council’s Women in Tech Committee, and is a Director of the Tennessee Women’s Theater Project. Read more about Lauren, connect with her, and Calendly her.
RVL® Articles by Lauren
What are the Benefits of a Registered Trademark?
5 Steps to Protecting Buyers’ Privacy and Data
The California Consumer Privacy Act Doesn’t Apply to Me, Does It?
Certification Marks / Trustmarks in E-Commerce
About RVL®
Rockridge Venture Law®, or RVL®, was launched in 2017 to become the preeminent intellectual property and technology firm across the Appalachian Innovation Corridor. We have offices in Chattanooga, Durham, and Nashville, and represent clients and interests globally. Our services include all aspects of intellectual property, litigation, M&A, privacy, technology transactions, and ventures.
In 2018 and 2019, we were recognized as B Corp Best for the World for our commitment to triple bottom line business practices. RVL® is also certified by 1% for the Planet for its nonprofit partnerships advancing stewardship and sustainability. RVL’s nonprofit partners in 2020 include Green|Spaces, Living Lands and Waters, Mustard Seed Ranch, and the NC State Lulu Games Social and Environmental Impact Competition.
Our pioneering environmental and social impact programs attract top-notch legal talent and assure our clients of Rockridge Venture Law’s missional alignment with their corporate values. Rockridge uniquely addresses two modern profit drivers: innovation (uptake and development), and corporate social responsibility. We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
Learn about global impact and innovation leaders at Rockridge I-Suite®.
See case studies on how we’ve helped transformative companies at Rockridge Portfolio.