Building Trust: Cyber Security Guidelines for Your Employees

Why your company should consider a constructive approach to cyber security education

If you run a business or plan to start one, you should read this. If you’re employed, you should also read this.

Have you ever thought how valuable your company data is?

What would be the impact of not being able to access it for a few days?

How badly would you or your company’s reputation be affected if any of your contracts, tax information or other confidential data were leaked online?

Have you ever considered that your hastiness to click on a link or download an attachment or send data without checking to whom exactly you’re sending, could prove to be fatal to your company?

Data breaches costs to companies are huge. According to a research carried out and published last year, 90% of large organisations suffered an information security breach.

Another recent report states that the economic risk of mobile data breaches for an enterprise could be as high as $26.4 million.

Unfortunately, half of the most severe security breaches are caused by human error. Employees are the weakest links when it comes to the security of an organisation.

Our actions are based on emotions, we are always in a hurry and don’t stop to double check before we do anything with the sensitive data that we manage. We rush into clicking on unknown links or attachments and giving away sensitive information. We access the company data from unsecure devices.

The bigger the organisation, the bigger the threats. You can’t control everyone, you can’t follow all their steps. And all it takes is just one employee to cause a data breach or for a whole company to be infected.

What you can do is take all the proactive measures that might keep the company’s data safe. And it all starts with employees’ education.

Focus on a constructive cyber security education, instead of just being authoritative. It’s important that you explain to your employees the decisions you’ve taken about cyber security and the reasons you’ve based them on.

And always be open to answer their questions, or have a designated person that they can trust and freely go to. Remember that a culture built on trust will be much more secure.

Now let’s cut to the chase:

Here’s what you should advise your employees

Never rush into sending sensitive information.

Lots of big companies have been attacked lately through spear phishing, with attackers posing as the CEOs. Snapchat and Seagate are among the hit companies. The HR employees received emails that, apparently, were coming from their CEOs. They fell into the trap and sent confidential data without even questioning if they really are talking to whom they think they are. It led to the leak of W-2 tax form information on thousands of current and former employees.

Companies should be aware that spear phishing is the most effective type of phishing. It’s not automated, as most phishing attempts, but it’s highly successful. That because cyber attackers take their time to document and find out as much as possible about their targets beforehand. It takes longer for them to prepare, but it’s worth it.

What your employees should do:

Ask them to double check before they give out information or credentials.

Tell them to make sure that they are on a secure website connection, before submitting any data. Does the link start with “https” or “http”? The extra “s” is a good sign. It means that the website has SSL (Secure Sockets Layer) – a method that ensures that the data you send and receive is encrypted.

And have them test their phishing knowledge by taking these quizzes gathered by SCS.

You can also send them our extended guide on phishing and how to prevent it – there we explained everything they should know about it.

Never click on links that you don’t know where they lead to.

Did you know that 15 to 20% of workers’ web sessions (opening a browser) are initiated by clicking a link in an email?

It’s just a matter of time before they rush into a malware infection (perhaps even with ransomware) or a phishing attempt.

Basic rule: if you don’t know where a link will lead you, nor did you request it, then it’s safer to not open it. Do not click on short links, not on weird links. Beware of links where the domains look similar to the legit ones but have a slight variation in spelling or a different domain. Nada.

These usually lead to malware infections (including ransomware) or phishing attempts, so the safest bet is to steer clear from them.

What your employees should do:

They can first check the link using a short link expander, redirect checker or a remote screenshot maker, to see where it leads them to. This way, they can avoid falling into malware traps.

Never download email attachments that they never requested.

Email attachments can be used by attackers to take over their computer and deliver malware.

This is mostly true for attacks done through spammy emails, but there’s been a constant growth of attacks carried on social networks and instant messaging software. It would be safe to ask your employees to keep their guard up when they’re on their private, social accounts.

What your employees should do:

Be suspicious of the files that they receive. We’re talking about files from unknown people, but also from the ones that they know but they never requested anything from them.

Even files that seem innocent, like Microsoft Office ones, have vulnerabilities and can be used to carry malware.

It’s also for the best if they disabled Macros – that’s embedded code written in Visual Basic for Applications that can be used to infect users.

Never use torrents or websites with pirated content.

Nothing unusual until now, right? Well, employee wasn’t aware that he was actually consuming those on an illegal, pirate website, and therefore managed to get his system infected with viruses and malware.

If he wouldn’t have had any other security systems in place, he could have infected the whole network, get blocked because of ransomware, or get important data stolen, leaked or sold.

One of the biggest mistakes that we make is to assume that everyone knows the same things that we do, especially the ones that we consider to be basic.

And this is an idea that I’ve seen propagated especially at very old and very young people: they think that, if something is on the internet, then it must be legal and harmless. Even if it’s free, even if the quality is low, even if it’s filled with tons of weird ads.

They simply can’t discern between what’s ok and what’s not. They haven’t been educated on this subject and, therefore, they are clueless.

We’re not going to get into the moral and legal sides of the problem. All we’re saying is that torrents and other sources of pirated materials can be a threat to your data.

What your employees should do:

Ransomware can be served through advertising networks, even on big websites. It exploits the vulnerabilities from websites, browsers, browsers plugins and outdated software, in order to infect your system. That why it’s important that you instruct your employees to:

Never deactivate the antivirus software.

Keep their software updated, especially the web browser.

Install an adblocker.

Disable the vulnerable browser plugins and add-ons, such as Java and Flash Player.

Never postpone to report if their PC starts acting weird.

What does “acting weird” mean? Well, it can be anything, from running slower than usual, fan going into overdrive without any obvious reason, or showing unexpected error messages.

These could all be signs that indicate that your computer is infected with some kind of malware or is used in a botnet.

Botnets are networks of computers, controlled and instructed by cyber attackers to do bad things. They can be used to attack other PCs, send spam and phishing, deliver ransomware, spyware, etc – and all these without the user having even the slightest idea about it.

What your employees should do:

Pay attention to the way their devices work and immediately report if they notice anything suspicious.

In the case of a security breach, it would be best if they reported ASAP: that way, the damage would be better controlled. Besides, you can’t sweep the dirt under the rug – it will get out, eventually.

Of course, it might also be true that there’s been no attack and your PC is just old and needs an update – but it’s better to be safe than sorry, right?

Unfortunately, the current situation is bad: according to CISCO Annual Security Report 2018, adware and browser injections are among the most difficult threats to detect: more than 200 hours.

The problem is that the employees are embarrassed, ashamed or they simply don’t want to bother the IT guys.

It’s best if they comprehend that as soon as they report, the better. And let them know that they won’t be penalized, so they won’t fear to report.

It would also help if there would only be one person responsible for reporting these, where they can go to.

Never use unsecure devices or networks.

In the quest for a better work environment and keeping their employees satisfied, most companies allow them to work from home, from their own devices. Laptops, smartphones, tablets, no matter the operating system, they are all vulnerable to cyber attacks. Increased mobility and work flexibility comes with increased security risks.

A recent report shows that 67% of organisations had a data breach as a result of employees using their mobile phones to access the company’s data. That’s why it’s important that employees only use authorized phones (and PCs) to log into their accounts and access sensitive information.

What your employees should do:

Try to only access sensitive data from their verified and controlled work devices. They also shouldn’t connect to unsecure public, free wireless networks.

Ask them to use a VPN – that’s a Virtual Private Network that secures and encrypts the internet traffic. It will add an extra security layer and reduce the exposure to attacks.

They can also take a quick glance over our guide for using their own device at work.

Never insert foreign USBs or external hard-drives in the PC or laptop.

They might seem innocent, because of their common nature, but they could still be infected with viruses, malware, trojans or keyloggers.

What your employees should do:

The safest solution would be to never insert any external drive into their device. However, it’s unlikely that they will follow such a rule.

The next best thing to do is to disable the Auto-Run for when they plug in the external drive and use an antivirus software to scan it.

Never postpone reporting if their device was lost or stolen.

No matter if it’s a laptop, a smartphone, external hard-drive or just a plain USB.

What your employees should do:

This goes hand in hand with the previous point, on why they should immediately report if their device starts acting weird.

The problem is most employees fail to report because they’re ashamed or afraid they will be punished. Tell them that, in case anything like this ever happens, it’s best that they report as soon as possible, so that you can control the damage.

A stolen device can give intruders access to your company’s confidential and sensitive data – from contracts to vendors and employees tax forms.

Never neglect their passwords habits.

Even though passwords are no longer enough to stand the latest, evolved cyber threats, it’s still important that your organisation keeps good password habits.

What your employees should do:

Set strong passwords. They should be longer than 14 characters, have mixed upper and lower cases, symbols and digits.

Never recycle the passwords they use for their accounts. Just like they don’t use the same key for their car, office and house, they shouldn’t use the same password for more than one account.

Never share their passwords with their colleagues.

Change the passwords constantly. Most people have lots of accounts, so that could prove to be a huge hassle. One way to solve this is to use use a password management tool, such as LastPass. This way, they’ll only have to remember one password, the master password to the LastPass account. Ask them to never write passwords down or keep them in a file on their device, in a text message on the phone, mail draft or on any other account.

If available, it’s best that they activate two-factor authentication for their accounts. This will add an extra layer of security, besides passwords.


The problem with everything that we wrote here? A lot of people already know the theory. They are good at it, they know all about proper security and privacy measures.

Where they fail is the part of applying all this knowledge. There’s a huge gap between knowing what we should be doing to protect our data, and what we actually put in practice.

Help them acknowledge how close a potential threat really is. Ask yourselves:

What are the odds of a data breach or a ransomware attack to happen to us?

Do we fully comprehend the repercussions to each and every security measure that we overlook?

Leave a Reply

Your email address will not be published. Required fields are marked *