Welcome to the final week of Cybersecurity Awareness Month. The theme this week is “Cybersecurity First” and is all about making security a priority. Every computer user should put cybersecurity first in every interaction with a computer. This is true whether you are an individual home user, enterprise employee, IT and security staff, contractor, or any other participant in daily computing activities. It’s not difficult; it just means remembering that your actions on computers could have consequences, being aware of the negative ones, and trying to avoid them.
For enterprises, cybersecurity first means being aware of the potential for a breach, and being suspicious of any communication from unknown sources. Users and IT staff members have to work together, rather than as adversaries, in protecting against, discovering, and remediating breaches or attempted breaches.
This means building effective communications channels for cybersecurity between all stakeholders in the enterprise, and using those channels on a regular basis to convey new threats and ongoing training. IT staff cannot lock themselves away out of sight and still maintain credibility on cybersecurity.
Communicate, Communicate, Communicate
All too often, employees hesitate to call IT or the Help Desk with suspicions or actual evidence of an attack, in part because of a lack of understanding of their roles. IT professionals are often segregated from the business, with limited interpersonal contact. Sometimes IT and support are also outsourced to a different location, making it difficult to establish a working relationship.
To put cybersecurity first, both enterprise computer users and IT staff owe it to themselves and to the enterprise to establish and maintain good working relationships. These can be fostered through personal interactions, regular video contact in the shelter-in-place world, training, and communications on the latest threats and what to look for. Employees should be comfortable approaching the Help Desk or other IT staff with observations and questions concerning any aspect of security.
Focus From Day One
Enterprises should indoctrinate employees to think about cybersecurity first starting with their first day on the job, and act accordingly in their day-to-day activities. IT staff, in addition to setting up and configuring computers for new employees, have to explain that the organization is under constant attack from both outside and inside. The employees are on the front lines of that battle, and have to do their part to protect company assets.
Initial training and orientation in cybersecurity accomplish two important purposes. First, they emphasize to new employees how important it is to partner against threats and attacks. Second, they reinforce practices that are essential in day-to-day work. IT staff should follow up with regular training and communications to let employees know this is a particular point of emphasis.
Consider Every Action Before Committing
Many computer users sign up for social media, “free” offers, email and text updates, or other services offered on websites without considering the hidden costs. This may even occur on business computers. They usually see some advantage in doing so, but don’t consider the consequences. In most cases, your personal information is retained in a database, which is often targeted in a breach. And your data is often shared with or sold to other entities, which greatly expands that attack vector.
Whether it’s visiting a new and unknown website, opening an email from an unknown source, or simply logging onto an application, both individual users and IT staff can spare a moment to think about the implications of that action. Over time, such thinking will become as natural as typing an email.
Purchase and Configure with Security in Mind
For a number of years, I never set an SSID or password on my home cable modem and router. I rationalized that I lived in a relatively rural location, and it was unlikely to be shared with neighbors or random passers-by. Then I was required to do so by my provider, and today I understand my error.
I also never set passwords on my home computers, until it was required. It’s not about whether or not someone was going to tap into my wireless Internet. Instead, it’s about understanding and managing risks, not only from someone tapping into my Internet, but also someone being able to find and penetrate my router from other Internet locations.
When you purchase new hardware and software, whether for home or business, take the time to understand its cybersecurity implications. Does the hardware let you lock out unauthorized users unless they have the proper credentials? Does your software enable two-factor authentication or another positive ID approach? What kind of security does your latest cloud-based software employ? Research the security aspects of products as part of your buying and configuration process.
Cybersecurity First is a Team Effort
No single person, despite their effort and authority, can measurably improve the cybersecurity of an organization or other entity. It takes everyone on the same page to be able to successfully combat cyber threats and put cybersecurity first.
The key is that cybersecurity should not be an afterthought; it should be front and center in every computing action we take. Once you integrate cybersecurity thinking into your daily computer work, it becomes easy. And use the resources that are available to you, such as expert computer users, IT staff, and security analysts. You are not fighting this battle alone.