The most important asset your company has is not your data, but your users. They are what keeps your company going and what gives your customers what they need. As your users spend forty hours of their lives each week at the office (virtual or physical), the importance of keeping them safe online cannot be overstated. Your users, while your biggest asset, can also prove to be your biggest risk as they navigate the internet. Working online exposes your users and your business to a wide range of avoidable threats. Ensuring your employees stay secure without hurting their productivity is crucial.
With so much at stake and internet-borne threats constantly evolving, taking care to safeguard your users while they’re online is essential. Here are 10 tips on how you can ensure your employees stay secure whilst online.
1. Password Protection
As passwords and credentials are the most common method of logging in, they have become the number one target for cyber criminals. Despite best efforts, passwords are not as secure as we would all hope and can be stolen or guessed through social or technical means. Credential-stealing malware harvests passwords saved in the browser, passwords can be guessed from what a user posts on social media, and phishing pages capture them outright. Once harvested, login credentials are sold on the dark web in bulk, and attackers can buy thousands of them for unnervingly low prices.
Good password hygiene dictates that passwords should be long and hard to guess, with a blend of letters, numbers, and symbols, and above all unique: each account should have its own password, so that a breach at one service does not hand attackers the rest. Keeping a list of your passwords, whether in a Word document or on paper, is unwise. With the average person having roughly 100 accounts to keep track of, that is far too many strong passwords to remember. The solution is a password manager.
Introducing password managers to your workforce helps your employees stay safe by giving them a secure, encrypted vault for their credentials. Users can store every password for every account in one place, along with other login details such as email addresses, usernames, and recovery codes. Password managers can also generate strong passwords: a random string of letters, numbers, and special characters is far more secure than a user’s favourite actor plus their year of birth. The manager unlocks with a single master password, so users only need to remember one, which is far more realistic. Because that master password protects everything, it should be long, and the vault itself should be protected with MFA where the product supports it. Once the vault is unlocked, the manager autofills credentials with one click when the user opens a site or application, and a good manager will only fill them on the domain they were saved for, which also defeats lookalike phishing pages.
Interested in password managers for your business but not sure where to start? Read our in-depth buyer’s guide on the best password managers on the market:
2. Security Awareness Training (SAT)
With billions of dollars being invested in new cybersecurity technologies, attackers have realised that human error is one of their best chances of success. If a threat actor can disguise an attack as legitimate, many users will grant access themselves, so the attacker never has to overcome a technical security barrier. Misguided users open the door. Sometimes an attacker who already holds a stolen password will bombard the user with MFA approval prompts until they relent and approve one; this is known as an MFA fatigue (or push bombing) attack.
An increasing number of modern cyberthreats are built on social engineering. Rather than relying on technical exploits or malicious code, they are everyday-looking messages that appear authentic but ask the recipient to perform a risky action. Because socially engineered attacks contain no unusual or malicious code, they are incredibly difficult for security tools to detect. Once a threat has slipped past your firewall, email gateway, or other security tool, it is down to your end-users to spot it and respond in the right way.
Security awareness training (SAT) is what you need. SAT is an educational program designed to train users on the dangers they could encounter online. The training will inform them of common and niche attacks and explain what users can do to prevent attacks from occurring.
Information is usually delivered in bite-sized training modules that blend engaging content such as videos, quizzes, minigames, and presentations. Admins can track users’ progress and run phishing simulations after training to confirm that the key messages have landed. Educating users through SAT matters when you consider that widely cited estimates put human error behind almost 90% of breaches: essentially, someone making a mistake through fatigue, misjudgement, or confusion.
SAT does not just cover socially engineered attacks like fraudulent websites and phishing attempts; modules can also educate users on how to behave in and outside of the office. Topics regularly include how to store data appropriately, how to look after removable media, and how to work remotely safely. Above all, it teaches your users to think critically and independently, so they can make informed decisions next time they are presented with a dilemma or an odd request in their inbox. This is essential to combat the ever-evolving litany of attacks.
It is essential that your users enjoy and engage with the SAT solution so they absorb the material, thereby keeping your organization safe. To get started, here is our buyer’s guide to some of the best vendors of SAT solutions:
3. Web Content And URL Filtering
When it comes to online threats, a large share of attacks stem from websites that users visit during their working day. Users can unwittingly visit malicious sites that run harmful code on the device as soon as the page loads (a drive-by download), or seemingly safe sites that have not been patched or properly secured and so carry vulnerabilities for attackers to exploit. In the latter case, attackers compromise the legitimate site and implant harmful code, so that a trusted website serves risky content or downloads unbeknownst to the user and even to the site’s own admins. Alongside this, users may visit sites that should not be accessed on company time and company equipment, from known harmful sites to sites that are simply inappropriate for work.
Enter web content filtering and URL filtering. Web content filtering screens the content of a web page as the user loads it, assesses whether that content is risky or outright malicious, and blocks the offending part, whether a single embedded link or video or the entire page. URL filtering instead decides before the connection is made: it checks the requested URL against a continuously updated database that aggregates threat intelligence and site categorizations from many sources, and blocks or restricts access according to predefined policy rules (for example, block known malware domains and phishing pages; restrict gambling and adult categories).
Used in tandem, the two prevent your users from deliberately reaching inappropriate or malicious content while working, and from inadvertently downloading and running harmful code from a seemingly harmless website. Neither is perfect: newly registered domains and freshly compromised sites lag behind the databases, so filtering complements endpoint protection and user training rather than replacing them.
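To make the URL-filtering rules above concrete, here is an added example of how a policy lookup can work. It is not code from any filtering product: the category database, the policy table and the URLs are constructed for the example, standing in for the live threat-intel database a real product consults. The points it shows are the ones that trip up naive filters: the host must be taken from the URL correctly (a decoy before the `@` is not the host), matched on label boundaries rather than as a substring, and normalized (case, trailing dot, Unicode lookalikes) before lookup.

```python
"""URL filtering policy check (added illustration, not a product's code).

The category lists and the policy table below are constructed stand-ins
for a vendor's threat-intel and categorization database.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed categorization database: domain -> category.
CATEGORY_DB = {
    "malware-drop.example": "malware",
    "login-verify.example": "phishing",
    "casino.example": "gambling",
    "intranet.example": "internal",
}

# Policy: category -> action.  Anything not listed falls to DEFAULT_ACTION.
POLICY = {
    "malware": "block",
    "phishing": "block",
    "gambling": "block",
    "internal": "allow",
}
DEFAULT_ACTION = "allow"


@dataclass
class Decision:
    action: str
    category: str
    host: str


def normalize_host(url: str) -> str:
    """Return the canonical hostname a policy lookup should use.

    urlsplit().hostname strips userinfo, port and brackets, so
    'https://bank.example@login-verify.example/' resolves to the real
    host, login-verify.example, not the decoy before the '@'.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()   # 'Evil.Example.' -> 'evil.example'
    try:
        host = host.encode("idna").decode("ascii")      # Unicode lookalikes -> 'xn--...'
    except UnicodeError:
        pass                                            # leave as-is; lookup will miss
    return host


def lookup_category(host: str) -> str:
    """Walk from the full host up through its parent domains.

    'cdn.malware-drop.example' inherits the category of 'malware-drop.example',
    while 'notmalware-drop.example' does not, because matching is on label
    boundaries, not substrings.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def evaluate(url: str) -> Decision:
    host = normalize_host(url)
    category = lookup_category(host)
    return Decision(POLICY.get(category, DEFAULT_ACTION), category, host)


if __name__ == "__main__":
    for u in [
        "https://intranet.example/wiki",
        "https://cdn.malware-drop.example/update.exe",
        "https://bank.example@login-verify.example/signin",
        "http://notmalware-drop.example/",
        "https://CASINO.example./play",
        "https://\u0441\u0430sino.example/",   # Cyrillic 'c' and 'a': a homograph
    ]:
        d = evaluate(u)
        print(f"{d.action:5} {d.category:13} {d.host:28} {u}")
```

The homograph domain in the last line normalizes to an `xn--` name that is not in the database, so with a default-allow policy it passes. That is the trade-off behind the "uncategorized" bucket: many organizations choose to block uncategorized or newly registered domains precisely because threat-intel feeds lag behind fresh attacker infrastructure.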
Feel like your organization needs a web content filtering solution in place? Check out our buyer’s guide here:
Top 7 Web Content Filtering Solutions For Business
4. Software Updates And Patch Management
While installing software updates when prompted might feel like a minor inconvenience, staying on top of them is essential to preventing a wide range of attacks. Hackers are savvy and opportunistic, and if they spot an unpatched vulnerability in your network they will exploit it until they have what they want; many of the most widely abused vulnerabilities had a fix available long before the attacks began. Patching is one of the easiest, but most effective, things you can do to keep your applications and accounts safe.
If your SAT program has been successful, your users will understand the importance of keeping software updated. However, users are not always that reliable. They may put the update off until lunch and prioritise getting their work done. We get it: manual updates dent productivity, but they are essential for maintaining overall network health.
If admins want to make update-skipping a thing of the past, they should use tooling that installs updates automatically. Automatic, non-optional updating means your network and software stay patched, and your users get a great excuse for a coffee break: everybody wins.
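Whether updates are automatic or not, someone still has to check that they actually landed on every device. Here is an added example (not any vendor's tool) of the compliance report a patch-management process produces: it compares what each endpoint last reported against a minimum-version baseline and flags devices that have gone quiet. The inventory, baseline and dates are constructed for the example; a real report would be fed from an endpoint agent or package-manager export. The detail worth noticing is `version_key`: comparing version strings as text calls `1.9` newer than `1.10`, which is a classic way to mark an outdated host compliant.

```python
"""Patch compliance report (added illustration, not any vendor's tool).

The inventory and baseline below are constructed stand-ins for an endpoint
agent's report and the organisation's minimum-version policy.
"""
import re
from datetime import date

# Constructed inventory: what each endpoint's agent last reported.
INVENTORY = [
    {"host": "laptop-01", "last_seen": date(2024, 3, 10),
     "packages": {"openssl": "3.0.13", "chrome": "122.0.6261.111"}},
    {"host": "laptop-02", "last_seen": date(2024, 3, 10),
     "packages": {"openssl": "3.0.9", "chrome": "122.0.6261.111"}},
    {"host": "laptop-03", "last_seen": date(2024, 1, 4),    # silent for weeks
     "packages": {"openssl": "3.0.13", "chrome": "121.0.6167.85"}},
    {"host": "kiosk-07", "last_seen": date(2024, 3, 9),
     "packages": {"openssl": "3.0.13"}},                    # chrome never reported
]

# Constructed baseline: the minimum version the patch policy requires.
BASELINE = {"openssl": "3.0.13", "chrome": "122.0.6261.111"}
REPORT_DATE = date(2024, 3, 11)   # constructed "today" for the report


def version_key(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9.

    Comparing version strings as text gets this wrong ('1.10' < '1.9').
    Non-numeric suffixes such as '-beta' are ignored here.
    """
    return tuple(int(n) for n in re.findall(r"\d+", v))


def is_outdated(installed: str, required: str) -> bool:
    return version_key(installed) < version_key(required)


def compliance_report(inventory, baseline, today, stale_after_days=14) -> dict:
    """Return host -> list of findings (hosts with no findings are omitted)."""
    findings = {}
    for ep in inventory:
        issues = []
        silent_days = (today - ep["last_seen"]).days
        if silent_days > stale_after_days:
            # A device that stopped reporting is the "forgotten device" case:
            # it may be unpatched and nobody is looking at it.
            issues.append(f"not seen for {silent_days} days")
        for pkg, required in baseline.items():
            installed = ep["packages"].get(pkg)
            if installed is None:
                issues.append(f"{pkg} not reported (unmanaged?)")
            elif is_outdated(installed, required):
                issues.append(f"{pkg} {installed} < {required}")
        if issues:
            findings[ep["host"]] = issues
    return findings


def run_report() -> dict:
    return compliance_report(INVENTORY, BASELINE, REPORT_DATE)


if __name__ == "__main__":
    for host, issues in run_report().items():
        print(host)
        for issue in issues:
            print("  -", issue)
```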
Patch management solutions ensure all of your software is updated when it needs to be, shrinking the window in which a known vulnerability can be exploited and surfacing forgotten devices that have stopped reporting in. For more information on these solutions, you can read our buyer’s guide:
5. Securing Devices
There are few jobs that do not involve computers, whether conventional desktops, cell phones, or tablets; each of these is referred to as an endpoint. Every endpoint is a potential attack vector for cyber criminals. With the rise of “bring your own device” (BYOD) policies, users can use their personal devices for work, and as personal devices they often lack the security controls a company-managed device would have.
Depending on how your organization operates – allowing BYOD policies, having company-owned devices that users can take home, or keeping all endpoints on-site – having set and enforced policies on how these devices are managed is essential.
If your organization elects not to allow users’ personal devices for work, make sure this is continually enforced. You should ensure that your users understand the dangers of sending company files to a personal email address or using personal devices to get work done outside regular office hours. Any device used within your network should have adequate security controls in place to mitigate risk as far as possible. Devices must be secured with a password or PIN, full-disk encryption, and additional forms of authentication such as MFA, so that a lost, stolen, or compromised device does not hand over access to your data.
6. Anti-Virus Software
While you might expect only large corporations to be targets for cyber criminals, small to medium sized businesses (SMBs) are targeted just as much. Why? Although there might be more to gain from hacking a well-known brand, it is much harder to do successfully, and larger organizations have the resources to investigate and pursue attackers. SMBs, on the other hand, often lack a large budget for cybersecurity solutions, or fail to accurately appraise their own environment and miss vulnerabilities. These factors make SMBs an ideal target.
One of the first tools any organization should have, from a multinational giant to five people in a rented coworking office, is anti-virus software. Anti-virus software is a form of endpoint protection that secures endpoints (i.e., your users’ devices) by detecting and blocking malicious files. Anything suspicious can be identified, investigated, and then have the correct response enacted.
Anti-virus software runs dutifully in the background on a user’s device, scanning the files, programs, and apps the device interacts with, including files downloaded from the internet and dodgy URLs. For more information on the features of anti-virus solutions, read the following article:
Files the antivirus inspects are compared against a database of known-threat signatures (file hashes and byte patterns) and, in modern products, against heuristic and behavioural rules that catch variants the database has never seen. Once a match is found, the anti-virus solution picks the appropriate remediation, typically quarantining or removing the file, and reports the detection back to the vendor’s analytics team to improve future detection and response.
Why is anti-virus so crucial? Alongside a firewall (which many anti-virus suites have built in), anti-virus software is one of the first lines of defence a company can employ. It protects against known malware, viruses, and Trojans, and can limit the damage from phishing attacks or visits to malicious websites by stopping the payload they deliver. It provides threat detection and automatic remediation directly on the user’s endpoint, so no time is wasted in dealing with an issue. One caveat: signature matching only catches what is already known, so pick a product with behavioural detection and keep its signatures updating automatically. Anti-virus solutions help safeguard against online threats, ensuring that your users can navigate the internet with an additional safety net.
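To show what "compared with a database of known threats" means in practice, here is an added example (not any vendor's engine) of the two simplest signature methods an antivirus combines with many others: an exact file-hash match against a known-bad list, and a byte-pattern signature. It uses the EICAR test string, the industry-standard harmless sample that every mainstream scanner detects, which is also the practical way to confirm that the antivirus you have deployed is actually switched on. The "files" are constructed in memory so nothing is written to disk; the known-bad list and pattern table are constructed stand-ins for a real signature database.

```python
"""Signature-style malware detection (added illustration, not a vendor's engine).

Demonstrates hash-based and pattern-based matching, and why a hash alone
is brittle: one appended byte changes the hash, but the pattern still hits.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# The 68-byte EICAR test file.  The literal is split in two so that the
# source file itself is not a contiguous match for scanners reading it.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD"
         b"-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed known-bad hash list: sha256 -> threat name.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}

# Constructed pattern signatures: (threat name, byte sequence that must appear).
PATTERNS = [
    ("EICAR-Test-File (pattern)", b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"),
]


@dataclass
class Verdict:
    name: Optional[str]     # None means clean
    method: Optional[str]   # "hash" or "pattern"


def scan_bytes(data: bytes) -> Verdict:
    """Cheap exact-hash lookup first, then the slower pattern scan."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict(KNOWN_BAD_SHA256[digest], "hash")
    for name, pattern in PATTERNS:
        if pattern in data:
            return Verdict(name, "pattern")
    return Verdict(None, None)


def scan_file(path: str) -> Verdict:
    """Same check applied to a file on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples: exact EICAR, EICAR with trailing bytes (hash no
# longer matches, pattern still does), and a harmless document.
SAMPLES = {
    "eicar.com": EICAR,
    "eicar-padded.com": EICAR + b"\n" * 10,
    "report.txt": b"Q3 sales figures, nothing to see here.",
}


def scan_samples() -> dict:
    return {name: scan_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in scan_samples().items():
        status = f"DETECTED {v.name} via {v.method}" if v.name else "clean"
        print(f"{name:18} {status}")
```

The padded sample is the point: trivial modification defeats a hash-only signature, which is why real products layer patterns, heuristics and behavioural monitoring on top, and why "update the signatures automatically" is not optional.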
To learn more about the best anti-virus solutions currently on the market, you can read our buyers guide here:
7. Multi-Factor Authentication
Multi-factor authentication (MFA) is a form of user authentication that requires a user to confirm their identity in at least two ways before being granted access to their account. Two-factor authentication (2FA) is also a common way of authenticating a user, where in addition to one set of credentials a user will have to reconfirm their identity in one other way. All 2FA is MFA, but not all MFA is 2FA.
MFA and 2FA requirements combine at least two of these three categories:
- Something you know: The traditional factor, typically a password or PIN. Security questions such as “where were you born” or “what is your mother’s maiden name” also fall here, but their answers are often discoverable from social media, making them the weakest choice
- Something you have: Often a one-time passcode (OTP) generated by an authenticator app, sent to a mobile device or email address, or produced by a hardware security key, or a push approval on a registered device
- Something you are: Commonly referred to as biometrics, this factor requires the user to present a face or fingerprint scan, usually via their mobile device, to gain entry
MFA and 2FA add an extra layer of defence at the point of sign-in. While it might be easy for threat actors to steal passwords and login credentials, these additional factors are much harder to steal. Enforcing MFA means a stolen set of credentials does not on its own lead to a compromised account. The attacker still has to get past the second factor, which either slows them down, giving admins time to remediate a breached account, or stops them entirely. One caveat: codes sent by SMS or email and push approvals can themselves be phished through a proxy site, intercepted, or worn down by fatigue attacks, so for privileged and high-value accounts prefer phishing-resistant factors such as FIDO2 security keys or passkeys.
Whilst MFA adds an effective layer of security, it does not impede productivity. It is designed to be as streamlined as possible, with users only having to touch a button or key in an extra code. Most users are already familiar with MFA thanks to banking applications and other online accounts.
Check out our buyer’s guide to get started with deploying MFA for your business:
8. Secure Storage
How you store and access data is a critical part of keeping your users safe. Your data is the second most precious thing a company has (after its users, of course), so it needs to be sufficiently protected: stored in a way that it cannot be stolen or tampered with. Storage built for the cloud (or on-prem if that suits your organization better), with encryption at rest, access controls, and audit logging, keeps data safe even if a user or device within the network is compromised.
Admins can set granular access permissions to further protect data that is stored in isolated, encrypted vaults. Not every user in an organization needs access to the data, so do not give it to them. The more people who have access, the greater the chance that one compromised account leads to stolen data. In a breach, broad access also makes it harder to work out who was responsible, particularly if a threat actor is using a hijacked account or moving laterally through the network; access logs tied to individual, non-shared accounts are what make that investigation possible.
Strict access permissions act as a firebreak should an account be compromised. Access should be terminated and accounts disabled the moment an employee leaves the company. Equally, independent contractors or freelancers who finish a temporary assignment should have their access revoked immediately, which is easiest when contractor accounts carry an expiry date from the day they are created. Passwords for contractor accounts should never be reused by different users, and shared accounts should be avoided altogether.
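The two controls described above, deny-by-default permissions and prompt revocation, are simple to state and easy to let slip. Here is an added example (not from any identity product) of the periodic review that catches the slips: a permission check that grants nothing unless a role explicitly allows it, and a reconciliation of the identity provider's account list against the HR roster that flags leavers still enabled, expired contractors, accounts with roles HR never approved, and accounts nobody in HR owns. The roster, accounts and role map are constructed stand-ins for an HR export and an identity-provider user list.

```python
"""Access review: deny-by-default permission check plus an offboarding
reconciliation of live accounts against the HR roster (added illustration).

All data below is constructed for the example.
"""
from datetime import date

# Constructed role -> permissions map.  Anything not granted is denied.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "sales": {"crm:read", "crm:write"},
    "analyst": {"ledger:read", "crm:read"},
}

# Constructed HR roster: who works here, in what capacity, and until when.
ROSTER = {
    "alice": {"status": "active", "roles": ["finance"], "end_date": None},
    "bob": {"status": "left", "roles": ["sales"], "end_date": date(2024, 2, 29)},
    "carol": {"status": "contractor", "roles": ["analyst"], "end_date": date(2024, 3, 1)},
    "dave": {"status": "active", "roles": ["sales"], "end_date": None},
}

# Constructed identity-provider account list: login -> state.
ACCOUNTS = {
    "alice": {"enabled": True, "roles": ["finance"]},
    "bob": {"enabled": True, "roles": ["sales"]},                 # left, still enabled
    "carol": {"enabled": True, "roles": ["analyst", "finance"]},  # contract over, extra role
    "dave": {"enabled": True, "roles": ["sales"]},
    "svc-legacy": {"enabled": True, "roles": ["finance"]},        # no owner in HR
}

REVIEW_DATE = date(2024, 3, 11)   # constructed "today" for the review


def is_allowed(login: str, permission: str, accounts=ACCOUNTS) -> bool:
    """Deny by default: a disabled or unknown account gets nothing, and an
    enabled one only what its roles explicitly grant."""
    acct = accounts.get(login)
    if not acct or not acct["enabled"]:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in acct["roles"])


def access_review(today: date, roster=ROSTER, accounts=ACCOUNTS) -> dict:
    """Return login -> list of findings that need action."""
    findings = {}
    for login, acct in accounts.items():
        issues = []
        person = roster.get(login)
        if person is None:
            issues.append("no owner in HR roster")
        else:
            ended = person["end_date"] is not None and person["end_date"] < today
            if (person["status"] == "left" or ended) and acct["enabled"]:
                issues.append("account still enabled after departure/contract end")
            extra = set(acct["roles"]) - set(person["roles"])
            if extra:
                issues.append(f"roles beyond HR-approved set: {sorted(extra)}")
        if issues:
            findings[login] = issues
    return findings


def run_review() -> dict:
    return access_review(REVIEW_DATE)


if __name__ == "__main__":
    for login, issues in run_review().items():
        print(f"{login:11} {'; '.join(issues)}")
```

Run this on a schedule and on every HR status change, and the "firebreak" stays intact: the orphaned `svc-legacy` account is exactly the kind of shared, unowned credential an attacker relies on for lateral movement, and it only shows up when the account list is checked against a source of truth outside the identity system.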
Here’s our guide to securing data in the cloud:
9. Passwordless Authentication
The concept of passwords is old, dating back to ancient times when people decided to put walls up and make sure other people didn’t come inside those walls unless they were approved and had the password at the ready. While passwords have certainly had their heyday, it’s apparent that in the world of cybersecurity passwords aren’t as secure as we once thought.
Passwords are easily stolen and highly sought after; by some estimates roughly one million passwords are stolen every week. A password with its accompanying username gives an attacker complete access to that user’s account. From there, the attacker may be able to export and steal data, deploy harmful code, or use the breached account to move laterally across the network, gaining more access as they go.
It is an interesting time for the future of the humble password. In May 2022, Google, Apple, and Microsoft announced that they would support the FIDO passkey standard across their platforms and reduce password use on all types of devices. This ambition is backed by the World Wide Web Consortium (W3C) and the FIDO Alliance (an open industry association, founded in 2013, which strives to reduce the global over-reliance on passwords). Instead of a password, the user’s device holds a cryptographic private key, unlocks it with a biometric or device PIN, and uses it to sign a challenge from the website; the private key never leaves the device, and because the signature is bound to the genuine site’s origin, a lookalike phishing site cannot reuse it. Hardware security keys work the same way. This authenticates the user without requiring them to remember a long string of letters and numbers.
But what does this mean for your users? Passwords as we know them look set to become a thing of the past. While a passwordless future is not here just yet, it is on the horizon, and it opens new avenues of access security that remove the liability of passwords and improve user experience. Imagine how easy it will be to gain access without having to remember a new set of credentials for every account you need.
To learn more about FIDO, read our guide to the top 11 FIDO authentication solutions:
10. Deploy An Enterprise VPN
Any user navigating the internet can be tracked, whether by third parties looking to sell browsing data or by threat actors. Understandably, not many people are happy with this idea, so they use a VPN.
VPN stands for “virtual private network”: a service that encrypts a user’s internet traffic and routes it through the provider’s (or your company’s) gateway. A VPN is essentially an encrypted tunnel between the user’s device and that gateway; everything inside the tunnel is hidden from the local network, which is what makes it safe to use on public Wi-Fi hotspots, notorious for being set up as bait by threat actors. Beyond the gateway, traffic is only as protected as the destination site’s own HTTPS, so a VPN does not make a malicious website safe. Websites see the gateway’s IP address rather than the user’s, which hides the user’s location and network, although it does not make them untraceable.
While deploying a VPN might seem like a big step (we do not all need online anonymity), it has many benefits for businesses. As a VPN protects users on public or insecure Wi-Fi connections, remote workers in your company can continue to work on the go safely, keeping both your organization’s data and the user safe.
Having your users on a VPN means their traffic and IP address are shielded from anyone sharing the same network, and in a corporate deployment the gateway can inspect and filter traffic just as an on-site firewall would. Many enterprise VPNs bundle such firewall and filtering features, which can help prevent a wide range of attacks.
VPNs built for enterprise use often give admins granular access controls that restrict particular users from reaching parts of the company network they do not need. This ensures no one has access to data they do not need for their work, and limits how far an attacker can get with a single compromised account.
You can read our guide to the top enterprise VPNs here:
Summary
Your users are the lifeblood of the company; they keep the heart of the business pumping and the money coming in. Making sure they are safe and secure means they can do their jobs without hindrance or loss of productivity, and saves your organization from costly breaches, data losses, and ransomware attacks.
A large part of keeping your users safe is as simple as instilling best practices. As well as ensuring all patches are applied, you should deploy security awareness training, require VPNs for remote work, and introduce MFA or passwordless authentication. Taken together, these steps can drastically improve your users’ security hygiene while they navigate and work online.