January Security Awareness News

• The Year Ahead
• Back to Security Basics
• Why Policy Matters

The Year Ahead
For many people, the beginning of a new calendar year represents a time of reflection and an opportunity to set new goals in the name of self-improvement. With the admission that spinning this from a security awareness perspective borders on the cliché, it’s still a valuable exercise everyone should go through. Security awareness resolutions will, of course, be different for everyone. But here are a few examples that work for most people:

1. Improve Passwords
   At work, you are required to follow organizational password policies. In your personal life, no such policies exist, but they should! Make a commitment to ensuring your accounts and devices are all protected by strong, unique passwords. Consider getting a password manager to help, which is software that can create, store, and sync login credentials.
2. Implement Multi-factor Authentication
   Even your strongest password won’t matter if it gets exposed in a data breach. For that reason, it’s vital to implement multifactor authentication (MFA) wherever it’s offered. MFA blocks access to an account until you can provide an additional code, which is usually sent via a secondary communication method or authenticator application.
3. Digital Cleansing
   How many applications do you have installed on your smartphone? (Probably several.) When was the last time you double-checked the privacy and security settings of those applications? (Probably never.) Set up monthly calendar reminders to delete any applications you don’t regularly use, and occasionally check privacy and security settings.
4. Prioritizing Privacy
   It’s no secret that personal data collection is a driving force behind many of the mega social media sites and, well, Google. Take control of your personal privacy by limiting what you share, reducing permissions within applications, and utilizing services that don’t build their business model around collecting information. In short, limit your exposure to entities that collect personal data.

Back to Security Basics
The concept of “365 security awareness” is simple. It means to place strong considerations on security in almost everything we do, all the time. Of course, life is busy. We all have bandwidth limitations that are under constant pressure.

As such, placing strong considerations on security in “everything we do, all the time” probably sounds like a lot. But it’s really more of a reminder that security deserves to be included in our bandwidth. The good news is that getting back to security basics doesn’t require a major overhaul of behavior. It’s more of a
renewal of awareness vows, if you will. Basics include:

1. Never clicking. Always thinking.
   You won’t get phished if you don’t click. Carefully inspect all messages and links. Consider the tone of emails when they appear to come from someone you know. Sound odd or abnormal? Report it!
2. Lock it when you leave it.
   When you leave your workstation, even if only for a few minutes, lock the workstation. Do the same with all smartphones and tablets. This action is incredibly simple yet incredibly important.
3. Policies are for people.
   Organizational policies exist to ensure the security and privacy of everyone, including you. Never circumvent those policies for any reason. If you need more information, please ask!
4. Keep it clean.
   Messy, disorganized workstations could lead to inadvertent security risks, such as losing important documents or badges/keycards.
5. One badge. One entry.
   When you enter a secure area that’s reserved for authorized personnel, don’t hold the door open for someone, ensure no one slips in behind you, and make sure the door completely closes.
6. Print it? Shred it!
   Occasionally, physical documents might be necessary. If they contain anything that could be deemed confidential, be sure to shred them and dispose of them in a secure manner.

Why Policy Matters
If you’ve been reading this security awareness newsletter for a while, you’ve probably noticed that the line “always follow policy” makes a regular appearance. If you’re new to the newsletter, first of all, welcome! Second, you’ll soon notice that the line “always follow policy” makes a regular appearance. In fact, we could probably just close things up here by reminding you that you need to always follow organizational policies at all times, no exceptions. The end.

But we’re not in the business of telling people they need to do something without explaining why. “Because we said so,” is not a line you’ll ever see in this newsletter. So, let’s dive in a little deeper about policies by exploring a few examples.

POLICY: Passwords must meet specific requirements.
REASON: Weak passwords lead to weak security and could result in data breaches.

POLICY: You may only install approved applications or software.
REASON: Many applications feature poor security controls and may
introduce vulnerabilities.

POLICY: Use a VPN.
REASON: VPNs (virtual private networks) encrypt data connections and prevent
someone from stealing information.

POLICY: Report security incidents immediately.
REASON: The longer an incident goes unreported, the more damage it could cause.

POLICY: Never plug in random USB devices.
REASON: USB flash drives and cables are used by criminals to distribute malware.

Now imagine none of those example policies exist. How long would it take for an organization to fall victim to cyber attacks and other unwanted consequences? And then there’s the matter of compliance regulations—the laws that define requirements for data privacy. Without policies, how could an organization ensure they don’t violate those laws?

So, while it’s easy to view policies as organizations telling their employees what to do, in reality, policies exist to protect everyone’s privacy, including yours! As always, if you have questions or need more information, just ask.