
Employee Security – 7 Best Practices to Consider

In the first installment of our cybersecurity best practices, we explored how individuals can safeguard their personal data. But just as vital to security is employee security awareness and protecting important information within an organization. One wrong move by employees could have major repercussions not only for themselves but also for a company’s reputation and clientele.

Part two delves into the steps employees should take to protect themselves and their employer: password, email, and mobile device precautions, among others, all of which are necessary to prevent avoidable exposure in the workplace.

1. Passwords

Good for everyday security users

The same set of rules from the first part of the series applies to employee security as well.

Recommendations

Don’t set your passwords for your work accounts to things like “lovemyjob123” or “techguy83”. This will only lead to poor security and a larger attack surface for your work account. Furthermore, don’t reuse passwords across accounts–especially between personal and work.

Like in part one, you should use a solid password manager like Bitwarden. Password managers can handle all of your work accounts as well as generate secure passwords for you.

2. Email Use

Good for everyday security users

Using personal email for business activities–and vice versa–is a mistake.

As an employee you are more likely to be the target of phishing scams and malicious emails at your company email address. For your personal email address, you are more likely to receive the “Hot Girls in your area” or “Low-cost Viagra” spam email. 

Both of these kinds of emails are malicious and obviously not desirable–and can cause serious damage in both environments.

3. Mobile Devices

Good for everyday security users

Many organizations have a “Bring Your Own Device”–or BYOD–employee security policy in place for employees to use their personal cell phones for work. If this is the case, there are likely many policies in the company’s handbook for acceptable use on these devices.

It should go without saying, but it is going to be said: “Regardless of company policy, DO NOT put company information on your personal device.” 

This means no work email on your personal phone, no photos of client sites, the server room, or any other part of the facility, and no texts with your boss or coworkers about work.

If you go out to the bar or dinner after work and you leave your phone on the table, or someone comes along and swipes it while you aren’t paying attention, the data on it is gone. Not just your data, but any company data that you have on it.

Recommendations

If your organization offers a BYOD policy, ask whether it provides company devices instead: it’s always better to keep company data separate from your personal data. The reasoning is that if your device is compromised for any reason and it contains company data, the company’s data is exposed along with your own.

Some vendors, like Samsung with Knox, offer a sandbox environment. A sandbox is an environment that keeps your personal data and business data separate and, if it’s set up correctly, requires different authentication for each profile or mode.

Additionally, most organizations should be using a Mobile Device Management (MDM) platform. Its purpose is to control the security, patching, and access of the mobile devices in their environment. In the example of a stolen device, the MDM administrator can flag it so that the next time it checks in over an internet connection, its data is wiped.

4. Unauthorized / Non-Company Devices

Good for everyday security users

This might seem trivial, but don’t plug in random devices that you find laying around the office or anywhere else. 

One of the fastest ways to compromise a computer is to count on an employee plugging in a random flash drive. It could be one they find in the parking lot or somewhere in the break room after a “red team” operation has taken place. Just by opening it up, you have let someone who got into the physical building via social engineering or other means compromise your machine.

Recommendations

The best employee security policy is to take any unidentifiable device to the IT department to have them investigate. They are more likely to have a sandboxed environment–or test machine–they can use that’s off-network and exists solely for the purpose of this kind of event. 

Devices that cannot be confirmed as belonging to the company, such as flash drives, external hard drives, SD cards, phones, and laptops, should be immediately removed from active use. They should also not be allowed to connect to the company network or any sensitive equipment within the organization. Plugging in or connecting these devices opens up your workstations, servers, and network to malware, backdoors, rootkits, keyloggers, and ransomware through auto-running executables and malicious files.

5. Illegal Activity

Good for everyday security users

Illegal activity on a company network is a common occurrence and can lead to information leaks. 

Music streaming, movie streaming, illegal downloads (torrents), and pirated software on a network can have serious consequences from a legal, financial, and information security standpoint. Using software that connects to random places on the Internet to download files and/or stream media can result in the download of malware or remote access software.

An example

Imagine for a moment that your boss found that you were torrenting illegal applications on the company network and hardware to use in your environment to accomplish some task. Not only are you liable for any damages caused by the illegal downloads, but the company will be liable for any financial costs in licensing or legal fees to right the wrong caused by your actions. Plus, there could be further reaching implications because of this activity including (but not limited to) company reputation loss (resulting in financial losses), confidential data disclosure such as proprietary code or paperwork, and customer or personnel data.

That pirated copy of Photoshop you downloaded so you could make the image for the latest blog post, memo, or website change prettier? Yeah, that could have just cost you your job, cost the company thousands of dollars in damages versus hundreds in licensing, and cost it the contracts with clients that keep the lights on for the business.

The point is, don’t do these things on company time, the company network, or on company systems. If you do, you can open yourself up to legal trouble, unemployment, malware, data disclosure, and a damaged reputation.

6. Phishing

Good for both everyday security users and advanced users

Phishing is almost exactly like it sounds: fishing for information. This attack is the attempt of a malicious third party to exfiltrate data or have an employee perform some kind of action by spoofing communications, typically via crafted email or website. The objective is to gain access to and defraud an account. Phishing targets anything from usernames and passwords, credit card numbers, all the way to high-dollar money transfers.

As the saying goes: “If it sounds too good to be true, it probably is”. 

When it comes to phishing attempts, this is all too true. 

The free iPad spam email that requires you to sign into a site with your credentials to redeem your prize? That’s a phishing attempt. The sudden redirection to a dropbox.com account sign-in page without a prompt? That’s a phishing attempt.

If you receive an email you weren’t expecting from your bank about a money transfer authorization, it’s probably not real. To be sure, look up your bank’s phone number separately, don’t use any contact details or links from that email, and confirm with the actual bank what is happening.

An example

In the example image below, a wire transfer request was made by a phisher through a VERY convincing email message purporting to be from USAA.

One way to protect yourself against a phishing attempt is to take a look at any links within an email. That is, don’t click on them, but hover your cursor over them and check the URL they would actually send you to.

For example, hover your cursor over this link: www.google.com. The link text says it’s google.com, but the actual hyperlink points at yahoo.com. This is a harmless example, but this very basic tactic is used in phishing on the assumption that a user will simply click on whatever is in front of their face without question. Sadly, this happens all too often.
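As an added example (not code from the original post), here is a small Python check that does programmatically what the hover test above does by eye: it parses an HTML email body and flags every link whose visible text names one host while its href actually goes to another. The sample message is constructed for this example; the hostnames in it are placeholders.

```python
"""Flag hyperlinks whose visible text and actual href disagree about the destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def host_of(url):
    """Hostname of an href, tolerating scheme-less links like 'www.example.net/x'."""
    parsed = urlparse(url)
    host = parsed.hostname if parsed.scheme else urlparse("//" + url).hostname
    return strip_www((host or "").lower())

def mismatched_links(html):
    """Return [(text, href)] where the text names a host the href does not lead to."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        match = HOST_RE.search(text)
        if not match or not href:
            continue  # plain "Click here" text makes no claim about the destination
        shown, actual = strip_www(match.group(1).lower()), host_of(href)
        # A subdomain of the shown host is fine; "shown.com.evil.example" is not.
        if actual != shown and not actual.endswith("." + shown):
            suspicious.append((text, href))
    return suspicious

# Constructed sample message: one honest link, one lookalike, two classic mismatches.
SAMPLE = """<p>Hover before you click:</p>
<a href="https://www.yahoo.com/">www.google.com</a>
<a href="https://accounts.google.com/signin">google.com sign-in</a>
<a href="http://dropbox.com.login-verify.example/">https://www.dropbox.com/</a>
<a href="https://example.org/help">Click here</a>"""
```

Run `mismatched_links(SAMPLE)` to see the two deceptive links; the subdomain and "Click here" links pass.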

Pictured here is an example email from Cornell University: https://it.cornell.edu/phish/4113.

These crafty emails and websites are not always easy to identify. Even the most careful and observant user can be hit by the phish. 

Recommendations

  1. Be suspicious, be wary, stay frosty.
  2. A well-known security vendor in the industry, SonicWall, created a Phishing IQ Test. So if you’d like to take a stab at checking your phishing identification skills, this is a helpful tool.
  3. If your employer is not already leveraging a phishing or security awareness training program, such as Cofense, implementing one is very important.

7. Social Engineering

Good for both everyday security users and advanced users

In the context of information security, social engineering is the manipulation of people into performing actions or giving up information. However, social engineering is usually just one small piece in a grander puzzle for exfiltrating data from an organization’s systems.

Objectives and methods

Awareness of the various attack types and of the objectives of malicious actors is beneficial to your employee security program.

The primary goal of social engineering is to gather intelligence on an organization, its employees, and its processes. How an organization handles visitors and/or navigates breaches is part of both the reconnaissance phase as well as the gaining access phase of the hacking lifecycle.

The end-goal in most social engineering activities is to gain at least one set of credentials. Typically, they’ll be aiming for credentials with elevated access privileges such as an administrator account–or at the very least a power user account. 

Social engineering can be done remotely through phishing attempts via email or mock web pages. It can also be done in person through the use of clever tactics.

Giving out personally identifiable information or sensitive company details through things like phone calls is another valid form of social engineering. 

A recent Twitter post, by another infosec community member, stated that she heard an employee at a company blatantly give out a credit card number clear as day over the phone; including the expiration date and security code… This kind of information disclosure can be incredibly damaging to a company as well as to the employee. 

You need to be cognizant of who can hear or see sensitive data any time you access it.

There’s also plenty of opportunity for onsite social engineering. 

As an employee, it’s your job to be paranoid and cautious of people who come into your workplace. The front-desk receptionist needs to vet anyone who walks in the front door before they’re allowed any further into the facility. Once the visitor is confirmed and authorized, they should be accompanied at all times, by an employee of the department they’re visiting, to reduce any potential opportunity for social engineering tactics to be used.

Recommendations

All employees should be aware of any work being done in their immediate work area. 

This means some kind of policy should be set in stone that trains the people in an area on what to do when a new person is present in it. Things like locking their computers when not in use, not leaving sensitive information written down in open view, and not allowing people to “shoulder surf” are the best tactics to use against social engineering.

Wrapping it up

Ultimately, in the world of cybersecurity, there is no such thing as being too cautious. By following the steps laid out in this blog post, employees can take active measures to prevent themselves from becoming a weak link in their organization’s security system.

I’ll leave you with these words of wisdom:

When in doubt, throw it out!

This is an old saying that connects to preventing food poisoning. This concept also applies to information security, from an employee perspective, because you don’t want to “poison” your confidential and/or sensitive data. So get rid of anything that doesn’t smell quite right.

Stay vigilant and stay secure out there.

The post Employee Security – 7 Best Practices to Consider appeared first on Hurricane Labs.

*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Rob Hooven. Read the original post at: https://hurricanelabs.com/blog/employee-security-7-best-practices-to-consider/?utm_source=rss&utm_medium=rss&utm_campaign=employee-security-7-best-practices-to-consider