This article was originally written in French and then machine-translated. The translation should be accurate, but please forgive us if some parts are not perfect.
You can put in place all the technical measures you want, but if your employees aren’t aware of the risks and don’t adopt the right behaviors, a cyber incident is closer than you think.
The best way to help them is to train them. There are many ways to do this: live training, awareness platforms, or coaching by you, which is often hard to find the time for.
So the aim of this article is to give you some tips for educating your employees. Whether you already have a practice in place or not, repetition is what works when it comes to raising awareness.
Here’s a top 5 list of good behaviors to adopt. If you want something more visual to plaster around your offices, we’ve put together a downloadable poster (at the end of the article).
PS: People are often fed up with being told what to do and reading procedures. Our tips are presented in an original way to make them a bit more fun to read, and make your employees want to get to the end for real 😉
PS2: A good strategy would be to send one tip a week to your whole organization – little time to read it and more chance they’ll assimilate the content than reading the whole thing at once.
Bingo, another subject that must be making you sick: passwords! 😃
It’s the biggest pain in cybersecurity. Yes, you’re sick and tired of being told over and over that your password must be unique, at least 12 characters long and include special characters, upper case and lower case.
First of all, the experts have changed their tune: forget the mandatory special characters and concentrate on length. (NIST’s current guidance, SP 800-63B, recommends long passwords checked against lists of leaked passwords rather than composition rules.)
A good way to make long passwords memorable is a passphrase: several words strung together, such as IT-is-getting-on-my-nerves-about-passwords. This one’s perfect 😎
Why unique? It’s not your fault, but data is regularly leaked from platforms like Adobe or LinkedIn. If your (unbreakable, right?) password is in one of those leaks and you reuse it elsewhere, hackers don’t even need to guess it: with “credential stuffing”, they take the leaked e-mail/password pairs and replay them automatically against thousands of other sites in a few minutes (another concept that goes down well at happy hour 😎).
There aren’t 50 ways to manage your passwords (unless you can learn dozens or even hundreds of passphrases and remember which website each one belongs to): a password manager (a dolphin dies every time someone writes their passwords down in an Excel file). If your organization doesn’t offer one, it’s your turn to pester your IT friends and ask for one, or you can go ahead and use one yourself. Free ones are available. We highly recommend (paid): https://1password.com/.
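To make the “leaked password” point concrete, here is an added example (not code from the original article, and not a 1Password feature): a check of whether a password already appears in a breach, done the way k-anonymity range APIs such as Pwned Passwords work. Only the first 5 hex characters of the SHA-1 are sent to the service; the password itself and the rest of the hash never leave the machine. The range response below is constructed for the example (the suffix of SHA-1("password") is real, the counts and filler lines are invented), and `fetch_range` stands in for the HTTP request.

```python
import hashlib
from typing import Tuple

# Constructed stand-in for one "range" response of a k-anonymity breached-password
# service: one "<SHA-1 suffix>:<count>" line for every hash that shares the requested
# 5-character prefix. Counts and the two filler suffixes are invented for this example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
        "1E4F61AD5E0E35D9B1F5F1F5C0D5A5A5A5A:2",
        "1E5A0F0C0D0E0F101112131415161718192:17",
    ]),
}


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP GET of /range/<prefix> (assumption: a real
    client would do the request here; only the prefix is ever transmitted)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str) -> int:
    """How many times the password appeared in known leaks (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Length plus a breach-list check, instead of composition rules."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password", "IT-is-getting-on-my-nerves-about-passwords"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={is_acceptable(pw)}")
```

The same check is what a password manager or a login form can run before accepting a new password: a leaked password is rejected even if it satisfies every length rule, because credential stuffing will find it first.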
We assume you know what a phishing email is. And we also assume that you’re disgusted that anyone would still talk to you about it… The thing is, since everyone knows what it is and doesn’t want to hear about it anymore, you’d think it was an outdated technique that just doesn’t work anymore, right?
Spoiler: it’s still one of the most popular attack vectors. In 2022, 36% of data breaches originated from phishing e-mails (a statistic that goes down well at happy hour 😎).
Why does it still work? It’s not only the users who have improved over the years, but the scammers too. 10 years ago, it was easy to spot a fraudulent e-mail: strange sender address, at least 5 spelling mistakes per line and a link even your cat wouldn’t click. These days they’re perfectly written, copy legitimate e-mails to the letter, and even the links and URLs, read quickly, can look legitimate (go0gle.ca, mlcrosoft.com, etc.). Not to mention spoofing (when the message carries the real sender’s address, either forged or sent from a mailbox the scammer has taken over).
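The look-alike domains mentioned above (go0gle.ca, mlcrosoft.com) can be caught mechanically. The following is an added example, not part of the original article: it pulls the host out of a link, reduces it to a “skeleton” in which confusable characters (0 for o, l for i, rn for m…) collapse, and compares that against an allowlist of domains the organization expects. The allowlist is constructed for the example, and the registrable-domain extraction is deliberately naive (last two labels; real code should use the Public Suffix List). It also goes slightly beyond the page by flagging non-ASCII hostnames, which is how Unicode homoglyph domains show up.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; an organization maintains its own.
TRUSTED_DOMAINS = {"google.ca", "microsoft.com"}

# Characters and digraphs attackers substitute for look-alikes, mapped to what they
# imitate. Both sides are reduced with this before comparing, so "mlcrosoft" and
# "microsoft" end up identical.
_CHAR_SKELETON = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                                "3": "e", "5": "s", "7": "t"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(name: str) -> str:
    s = name.lower()
    for digraph, letter in _DIGRAPHS:
        s = s.replace(digraph, letter)
    return s.translate(_CHAR_SKELETON)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-keystroke typos such as microsft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption for the example: last two labels. Wrong for suffixes like co.uk;
    # production code should consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'unknown', or a description of why the link looks like a
    look-alike of a trusted domain."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.isascii():
        return "suspicious (non-ASCII characters in host, possible homoglyph)"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        # a) trusted name used as a subdomain of somebody else's domain
        if host != domain and (host.startswith(trusted + ".") or ("." + trusted + ".") in host):
            return f"lookalike of {trusted} (brand used as subdomain)"
        # b) visually confusable spelling
        if skeleton(domain) == skeleton(trusted):
            return f"lookalike of {trusted} (confusable characters)"
        # c) one-keystroke typo
        if edit_distance(domain, trusted) == 1:
            return f"lookalike of {trusted} (typo)"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://accounts.google.ca/signin", "http://go0gle.ca/login",
                 "https://mlcrosoft.com/reset", "https://login.microsoft.com.evil.net/",
                 "https://micr\u043esoft.com/"):
        print(f"{link:45} -> {classify_url(link)}")
```

This is the check a mail gateway or a browser extension applies to every link; for a human, the equivalent reflex is to hover the link and read the domain right to left, since the part just before the first single slash is the one that counts.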
So, do we say a prayer every morning? Don’t open your e-mails?
Here are a few reflexes that can help you for real:
Still in doubt? Forward the email to your IT friends, they’ll help you 🙂
Have you found a USB stick in the parking lot at work? You’re thinking of your colleague John, who may be panicking as he desperately searches for it because his PowerPoint presentation is on it. The poor guy may need it by 10 a.m. for his hyper-mega-important meeting with senior management. You’re a fantastic colleague, so you quickly plug the USB stick into your computer to see what’s on it and identify the poor person who misplaced it.
NEVER PLUG IN A FOUND USB STICK
There’s only one thing to do: take it back to your IT friends so they can analyze it, and also to prevent someone else, less alert than you, from making the mistake of plugging it into their computer.
Cute duck on the key, right?
This USB key, sold online for a mere $79, is called a Rubber Ducky. It looks like a standard USB key, but your computer recognizes it as a keyboard, and keyboards are trusted without question. To simplify as much as possible, plugging in this key is like handing your keyboard to a hacker: the moment it’s connected it starts typing pre-programmed commands at machine speed, faster than you can react. Disabling “autorun” on USB sticks doesn’t help here, because nothing is being run from the stick; it is typing.
That’s the sophisticated USB stick. Without going that far, any ordinary USB stick can carry viruses or other malicious code just waiting for a victim.
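How does the computer “recognize it as a keyboard”? Every USB device announces its interfaces in a configuration descriptor, and the interface class byte (0x03 = HID, 0x08 = mass storage) is what the operating system uses to decide which driver to attach. The following is an added example, not code from the article or from Hak5: it builds two constructed descriptor blobs (not captured from real hardware), parses them the way `lsusb -v` would, and applies a hypothetical policy that lets plain storage through but blocks anything that exposes a keyboard interface unless IT has allowlisted that vendor:product pair. Tools such as USBGuard enforce this kind of rule on Linux.

```python
import struct
from typing import Iterator, List, Set, Tuple

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01
DESC_CONFIGURATION, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 2, 4, 5, 0x21


def interface_descriptor(number: int, cls: int, subcls: int, proto: int, num_endpoints: int) -> bytes:
    # bLength=9, bDescriptorType=4, bInterfaceNumber, bAlternateSetting=0, bNumEndpoints,
    # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface=0
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, number, 0, num_endpoints, cls, subcls, proto, 0)


def endpoint_descriptor(address: int, attributes: int, max_packet: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, address, attributes, max_packet, interval)


def hid_descriptor(report_len: int) -> bytes:
    # bcdHID 1.11, no country code, one REPORT (0x22) descriptor of report_len bytes
    return struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, report_len)


def configuration(parts: List[bytes], num_interfaces: int) -> bytes:
    body = b"".join(parts)
    # wTotalLength covers the configuration descriptor and everything after it
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body), num_interfaces, 1, 0, 0x80, 50) + body


# Constructed sample devices (assumption: shapes typical of each device type).
FLASH_DRIVE = configuration([
    interface_descriptor(0, USB_CLASS_MASS_STORAGE, 0x06, 0x50, num_endpoints=2),  # SCSI, bulk-only
    endpoint_descriptor(0x81, 0x02, 512, 0),  # bulk IN
    endpoint_descriptor(0x02, 0x02, 512, 0),  # bulk OUT
], num_interfaces=1)

KEYSTROKE_INJECTOR = configuration([
    interface_descriptor(0, USB_CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD, num_endpoints=1),  # boot keyboard
    hid_descriptor(63),
    endpoint_descriptor(0x81, 0x03, 8, 10),  # interrupt IN, 8-byte key reports
], num_interfaces=1)


def parse_descriptors(config: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the blob by bLength, yielding (bDescriptorType, raw descriptor)."""
    offset = 0
    while offset + 2 <= len(config):
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        yield dtype, config[offset:offset + length]
        offset += length


def interface_triples(config: bytes) -> List[Tuple[int, int, int]]:
    """(class, subclass, protocol) of every interface the device exposes."""
    return [(raw[5], raw[6], raw[7]) for dtype, raw in parse_descriptors(config)
            if dtype == DESC_INTERFACE and len(raw) >= 9]


def device_roles(config: bytes) -> Set[str]:
    roles = set()
    for cls, _sub, proto in interface_triples(config):
        if cls == USB_CLASS_MASS_STORAGE:
            roles.add("storage")
        elif cls == USB_CLASS_HID:
            roles.add("keyboard" if proto == HID_PROTOCOL_KEYBOARD else "hid")
        else:
            roles.add(f"class-0x{cls:02x}")
    return roles


def should_block(config: bytes, vid_pid: str, allowlisted_input_devices: Set[str] = frozenset()) -> bool:
    """Hypothetical policy: anything that can type is blocked unless IT allowlisted it."""
    return bool(device_roles(config) & {"keyboard", "hid"}) and vid_pid not in allowlisted_input_devices


if __name__ == "__main__":
    for name, blob in (("flash drive", FLASH_DRIVE), ("found stick", KEYSTROKE_INJECTOR)):
        print(f"{name}: roles={sorted(device_roles(blob))} block={should_block(blob, '1234:5678')}")
```

The policy is intentionally blunt: a composite device that is both storage and keyboard is still blocked, because the storage half is exactly the disguise the attack relies on.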
Public Wifi, what a wonderful invention! (Especially as long as mobile operators keep charging a premium for data…)
We’re not the only ones who love public Wifi. Hackers love it too, even more than we do. When you’re at Starbucks, are you 100% sure you’re connected to the café’s Wifi and not to one a hacker set up with the same name?
The risks are:
So, no public Wifi for work (or even in general).
If you must use it, ALWAYS turn on your VPN. No VPN? Share your cell phone’s connection with your laptop instead (tethering) 😉
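A fake access point copying the café’s network name (an “evil twin”) usually leaves traces in an ordinary scan. The following is an added example, not part of the original article: it takes a list of visible networks of the kind `nmcli dev wifi list` prints (the scan below is constructed) and flags the classic signs. An open network using the same name as a protected one, BSSIDs from different hardware vendors under one name, a locally administered BSSID (the bit that software access points on a laptop or phone typically set), and a name that merely extends an existing one. These are heuristics with false positives on large multi-vendor deployments, which is why the article’s real advice is VPN or tethering.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed scan results for the example (not a real capture).
SCAN = [
    {"ssid": "Cafe_Guest", "bssid": "A4:2B:8C:11:22:33", "security": "WPA2", "channel": 6},
    {"ssid": "Cafe_Guest", "bssid": "A4:2B:8C:11:22:34", "security": "WPA2", "channel": 11},
    {"ssid": "Cafe_Guest", "bssid": "02:00:00:DE:AD:01", "security": "OPEN", "channel": 6},  # evil twin
    {"ssid": "Cafe_Guest_Free", "bssid": "02:00:00:DE:AD:02", "security": "OPEN", "channel": 6},
    {"ssid": "Neighbour5G", "bssid": "3C:52:82:AA:BB:CC", "security": "WPA3", "channel": 36},
]


def oui(bssid: str) -> str:
    """First three octets: the vendor part of the MAC address."""
    return bssid.upper()[:8]


def locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set means the address was made up locally,
    not assigned by a hardware vendor; real access points almost never do this."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_suspect_ssids(scan: List[dict]) -> Dict[str, List[str]]:
    """Map each suspicious network name to the list of reasons it looks wrong."""
    by_ssid: Dict[str, List[dict]] = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings: Dict[str, List[str]] = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        securities = {ap["security"] for ap in aps}
        if "OPEN" in securities and len(securities) > 1:
            reasons.append("an open AP broadcasts the same name as a protected one")
        if len({oui(ap["bssid"]) for ap in aps}) > 1:
            reasons.append("BSSIDs come from more than one hardware vendor")
        if any(locally_administered(ap["bssid"]) for ap in aps):
            reasons.append("BSSID is locally administered (typical of a laptop or phone acting as AP)")
        for other in by_ssid:
            if other != ssid and ssid.lower().startswith(other.lower()):
                reasons.append(f"name extends {other!r}, a common bait variant")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_suspect_ssids(SCAN).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

When a name is flagged, the safe choice is not to pick the “right” one of the two but to skip the network entirely: the legitimate access point and the rogue one look identical to your laptop at connection time.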
You probably don’t have much control over software and application updates, since they’re handled by your IT friends. But you surely have a role to play in updating your web browser, laptop and cell phone. Our thoughts are with you when Microsoft takes 45 minutes to update*, but it’s for your own good. 🥺
Why is this important? Updates often contain security patches that fix newly discovered vulnerabilities, sometimes ones hackers are already actively exploiting.
As we like to make you shine in society, here’s another concept that goes down well at happy hour, that of zero-day vulnerabilities:
“A zero-day vulnerability is a computer security flaw of which the software publisher or service provider is not yet aware, or which has not yet been patched. By extension, the term zero-day exploit is used when this type of vulnerability is used by cybercriminals to launch attacks against vulnerable installations.”
Once a zero-day vulnerability has been exploited and discovered, the vendor (Microsoft, for example) races against time to develop a patch and push it to its users via an update. Until that’s done, it’s open bar for hackers to exploit the flaw as they see fit. And even afterwards, the flaw stays exploitable on every machine that hasn’t installed the update, which is why your 45 minutes matter.
For your general knowledge, there is a vast black market in zero-day vulnerabilities, estimated at several billion dollars. Governments are the main buyers: they stockpile vulnerabilities to use against their adversaries rather than reporting them to the vendors (yes, even against Google, Apple or Microsoft, American companies…). It’s a fascinating subject. If you’re intrigued, here are some ideas for reading and listening (you’ll soon fall down the rabbit hole 😅):
* When you feel like throwing your updating Windows computer against the wall, take a deep breath and watch this video, you’ll feel better 😉: https://www.youtube.com/watch?v=xDLvUqhwHZc
So much for the written version!
Once again, sending each tip to your employees as a weekly e-mail is, we think, the winning formula.
As promised at the start of this article, you can download the poster to stick up all over your offices (yes, in the president’s office too, especially there) here:
If you like the format, we’ll be back with a second edition of tips for your employees (don’t e-mail confidential information, more on CEO fraud and supplier fraud, etc.).
So if you’re using our tips, please share your thoughts with us 🙂 And if you have any comments from your employees, we’d love to hear from them!
If you’d like to be notified when we publish future articles or discover major vulnerabilities, you can follow us on our social networks:
Peace & enjoy your reading! ✌️
Cyndie & Nicholas