In Business Security, Employee Cyber Hygiene Matters

Making employees aware of their impact is integral to a successful business security strategy

When children cover their eyes and insist no one can see them, it’s cute. But when the majority of American adults use the same strategy to protect themselves from cyberattacks, it’s a costly and growing crisis for consumers and the businesses they work for.

Nearly 60 million Americans have been affected by identity theft at a cost of nearly $17 billion each year. Nonetheless, most consumers (88%) express confidence that they are taking appropriate steps to protect themselves, according to the 2019 Cyber Hygiene Risk Index Assessment of Americans' Cybersecurity Practices report commissioned by Webroot. The gulf between what is actually happening and how urgently people act on it is concerning.

Despite the growing number of data breach stories that make headlines, the Webroot report found that fewer than half of Americans employ best practices to protect their personal information, Social Security numbers and medical records. They may lose not only money and rewards, but also access to bank accounts, social media and financial leverage when their FICO scores drop.

Where’s the Disconnect?

For some people, the disconnect between threat and perception is a matter of information. While most Americans have heard of phone scams, malware, phishing, trojans, webcam monitoring and ransomware, most of them also cannot explain what they are or how they work. “Malware has the largest discrepancy,” the Webroot report stated. “Seventy-nine percent of Americans have heard this term, but only 28% can confidently explain what it is.” As a result, when these attacks come their way, Americans simply don’t recognize the threat that is right in front of them.  

Frequently, cybersecurity issues have little to do with malicious intent but are more the result of human error or negligence. Part of the disconnect for consumers, according to the report, is the naive belief that the responsibility for the security of their devices falls to the manufacturers of those devices, IT staff and regulating bodies.

Enterprises have long been fighting the uphill battle of mitigating the risks of human error. Now more than ever, it’s essential that security awareness training become a part of the corporate culture.

“Good cyber hygiene doesn’t have to be complicated,” said Tyler Moffitt, senior threat research analyst at Webroot, in a press release. “Simple steps like backing up data, using a modern antivirus and not recycling passwords are quick and easy ways consumers can improve their security. In today’s digital world, no one is immune to cybercrime, and having the awareness and tools necessary to protect yourself is key in keeping personal information secure.”

Keys to Security Awareness and Training

Training end users to improve how they manage their personal data must be an ongoing process, and one that is relevant to the security risks they actually face.

Tripwire’s Steven Wood, senior product manager, recently wrote in his company’s State of Security blog about the FICO grades companies receive, which, like consumer credit scores, condense many risk signals into a single number. “These metrics are then used to compare security risks against competitors,” Wood wrote, a sign that an employee’s cyber hygiene is increasingly linked to the company’s cyber hygiene.

Cyber hygiene may not sound sexy, but it is an essential and often neglected security effort that protects enterprises in the long run. When end users engage in cyber hygiene best practices—those practices the majority of Americans neglect—those habits spill over into the workplace.

Teach employees what they can do to protect both themselves and the business by using these recommendations from Webroot:

  • Encourage your employees to pay for antivirus software and keep it updated (or consider offering it for free on mobile devices).
  • Advise them to use different passwords for every account.
  • Suggest they use “private” settings on social media accounts (Facebook is people’s favorite social media account to keep “public”).
  • Under no circumstances should they share passwords with others.
  • Make sure they use two methods of backup for data and ensure the data are encrypted.
  • Recommend services for VPN, ID protection and password management.
  • Remind them to monitor bank accounts, credit card statements and credit reports.
  • Teach them to restore a device to factory settings before giving it away.
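One way to put the “different passwords for every account” and “password management” items into practice is to audit a password-manager export for reuse. The following Python script is an added example written for this article; it is not Webroot’s or the article’s own code. It assumes the export is a CSV with url, username and password columns (the embedded sample is constructed in that layout; check your manager’s real column names), and it goes one step beyond the list above by also catching near-reuse such as a yearly suffix bump. The report prints only a short hash of each password, never the plaintext.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample export in the "url,username,password" CSV layout many
# password managers use for exports (assumed here; check your manager's
# actual column names). The accounts and passwords are made up.
SAMPLE_EXPORT = """url,username,password
https://mail.example.com,alice,Summer2019!
https://bank.example.net,alice,Summer2019!
https://social.example.org,alice.k,Summer2020!
https://vpn.example.com,alice,x7#Qm!2vLp9$dR
https://shop.example.io,alice,Summer2019!
"""

# Trailing digits and common symbols that people bump to "rotate" a password.
_SUFFIX = re.compile(r"[\d!@#$%^&*.?_-]+$")


def normalize(password):
    """Collapse trivial variations so 'Summer2019!' and 'Summer2020!' are
    treated as the same base password. This is an added heuristic, not part
    of the Webroot guidance; use fuzzy=False below for exact matching only."""
    base = _SUFFIX.sub("", password.lower())
    return base or password.lower()


def fingerprint(value):
    """Short SHA-256 prefix so the report never contains a plaintext password."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(export_csv, fuzzy=True):
    """Group accounts by password and return only the groups used on more
    than one account: {fingerprint: [(url, username), ...]}."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        key = normalize(row["password"]) if fuzzy else row["password"]
        groups[fingerprint(key)].append((row["url"], row["username"]))
    return {fp: accounts for fp, accounts in groups.items() if len(accounts) > 1}


def report(export_csv, fuzzy=True):
    """Human-readable findings: a header line per reused password followed
    by one line per account that shares it."""
    lines = []
    for fp, accounts in find_reused_passwords(export_csv, fuzzy).items():
        lines.append(f"password {fp} reused on {len(accounts)} accounts:")
        lines.extend(f"  {url} ({user})" for url, user in accounts)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)) or "no reuse found")
```

Run it only on a machine you trust, pass the real export in place of the sample, and delete the export file afterwards; an unencrypted password export is exactly the kind of artifact the backup and encryption advice above is meant to protect.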

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and spoke on a range of cybersecurity topics at conferences and universities, including SecureWorld (among them SecureWorld Denver), NICE K12 Cybersecurity in Education and the University of Southern California. Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011), a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996).
