How to Talk to Your Employees about Cyber Security

by

June 15, 2021

The Truly Cyber Resilient Organization Starts With Educated Employees. We’ll Show You How to Get The Conversation Started.

When employees are under the gun to get the job done, worrying about whether their password is compliant or whether they’ve vetted every link they open can feel really onerous. But cyber crime estimated to cost businesses more than $10.5 trillion globally by 2025, cyber crime isn’t some far away threat that’s happening only to the biggest companies and government agencies. Cyber crime has come knocking for every organization. And if your employees aren’t on their guard, it could be coming for you, too.

“Phishing and ransomware attacks have become so common, you really have to assume as an organization that you’re being attacked at all times,” said Matt Lee, director of Technology and Security at Integris. “We deal with dozens of email incursions every week. And it usually starts with a very simple, innocent mistake on the part of one employee. Your only defense is security training and education,” he added.

When employees understand the risks, they understand that attacks are inevitable. And they have a critical role to play to helping their organization be truly cyber resilient.

Here’s some examples of “scripts” you might use to have those discussions:

1. “If you must have a second job, don’t do it on a work-issued computer.”

Your work issued device might be faster, easier, and more convenient to use than your home computer. But our virtual private network only works well if you use it for all your the computer’s internet connections. And every time you open the files and emails pertaining to your side job on your work computer, you expose the company to extra risks. Especially when your side gig requires you to send and download large documents. All it takes is one bad file download for hackers to get access to our network.

We respect your time, and whether you take on extra work to support your family is your decision. But for the sake of our team, we need you to keep your computer clean of everything not related to your work here at the company.

2. “Keep your personal emails on your own computer, too.”

Remember that  92% of all malware attacks are launched via poor email practices. Obviously, your work email has protections in place, but commonly used personal email sites are playgrounds for cyber criminals. We have processes for passwords and regular security patches and updates. Can you say the same for your personal email accounts? As an organization, it’s a risk we can’t afford to take. Please help us out, by accessing your personal emails from your own personal desktop.

3. “Don’t use the same password across your work and personal devices.”

Does you use the same passwords on your personal computer that you do on your work computer? Do you have sticky notes or a file with all your passwords in it? If you do, you’re opening the company up for serious risks. Why? Because criminals can install network analyzers and key-loggers that will capture your password. And once they have the password from your personal account, they’ll try it on your business accounts. Similarly, if you’ve saved your business passwords on your personal devices, you are practically giving a hacker the key to the company’s front door. Try to save your passwords in approved company password vaults, and don’t check your personal accounts from your work computer.

4.  “Don’t save your personal data on the company computer.”

Many employees don’t think twice about storing personal files, photos, videos, saved internet site addresses, passwords and more in folders on their work-issued devices. This isn’t allowed here, and it’s a policy that keeps all our employees safe. Personal accounts are far more likely to collect corrupted files or malware. It really is that simple. The less data our company devices must carry, the more space we have for our core operations. We need everyone’s cooperation to make sure that our systems run smoothly.

5.  “Please do your online shopping and check your personal banking accounts at home.”

Hackers are especially vigilant for online activity that involves financial information. Employees using work-issued devices for personal reasons often log in to bank accounts or PayPal, and don’t think twice about providing credit card information when shopping online.

If you are saving financial information, logging in to bank accounts, transferring money, or providing credit card information online on your company computer, you’re unwittingly putting the company and your own personal data at risk. Keep things simple. Just don’t do it.

If you’ve gotten an email with links or attachments from a source you don’t know, or if you get a strange email from someone you do know, asking you to download files, take care. There’s a good chance you’ve been targeted for a phishing attack. They can look remarkably slick, using company logos, or spoofing people you already know from your address book. But usually, there will be clues. Poor English or grammar. Or the email doesn’t sound like something your contact would say. When you receive updates saying they are from the IT department, too, check to confirm before you download new system updates or patches. Simply sending an email to confirm with your contact can be enough to avert a serious incursion. When in doubt, ask.

The Takeaway

If there’s a culture of cyber resilience at your organizations, and everyone participates, the things you ask of your employees won’t seem like such a chore. In every conversation, treat your employees like the partners that they are. And remind them of the very real consequences to the network that can come with even the simplest, most innocent mistakes. Remember that you are within your rights as an employer to monitor your employees’ online activities while they are using work issued devices, if you inform them that you are doing so. The best way to inform them is by having them sign an acceptable use policy clearly outlining expectations while using your equipment.

Want to learn more about cybersecurity best practices at your organization? Check out our cybersecurity essentials kit., or our latest guidance on password management. We’d love to meet with you to discuss how we can improve your cybersecurity practices!

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.

Keep reading

Signs an Email is Phishing: 5 Signs of Phishing in Your Inbox

Signs an Email is Phishing: 5 Signs of Phishing in Your Inbox

For years we've read articles teaching us to identify the signs an email is phishing. We all know the signs, yet we still miss the blatant indicators and take the bait. According to Security Magazine, citing SlashNext, "The first six months of 2022 saw more than 255...

A Personal Twist on Zero Trust Security

A Personal Twist on Zero Trust Security

The massive Australian data breach in late September inspires me to share a personal twist on Zero Trust Security. What makes this incident colossal? BBC News Australia reports, "Australian telecommunications giant Optus revealed about 10 million customers - about 40%...

How Much Do Managed IT Services Cost? (Factors & Price Ranges)

How Much Do Managed IT Services Cost? (Factors & Price Ranges)

Several factors drive the cost and price ranges of managed IT services. Fees range between $100.00 to $250.00 per user per month. Factors that affect cost are headcount, the size and sophistication of your IT systems, and whether you outsource some or all of the...