An information security guide can help minimize related errors, but writing one from scratch is quite challenging. To that end, we offer a general plan, a basic guide to which you can add points specific to your company and its rules and regulations. In our opinion, this is a standard; it includes the necessities and needs only personalization. Once you’ve tweaked it as needed, don’t just file it away: Show it to all new employees and bring it to the attention of established staff as well.
Access to corporate systems and services
- Use strong passwords for all accounts — at least 12 characters long, containing no dictionary words, and including special characters and numerals. Attackers can brute-force simple passwords easily.
- Create a unique password for every account. If you reuse passwords, then a leak in one service could compromise the others.
- Keep passwords secret, without exception. Do not write them down, do not save them in a file, and do not share them with colleagues. A random office visitor or a dismissed colleague using your password to harm the company is one obvious danger, but the possibilities for damage are practically limitless.
- Enable two-factor authentication for every service that allows it. Using 2FA helps prevent an attacker from gaining access to the service even in the event of a password leak.
- Shred documents for disposal instead of simply throwing them away. Personally identifiable information in a trash can guarantees attention from regulators and hefty fines.
- Use secure channels to exchange files containing personal data (for example, share Google Docs documents with specific colleagues rather than via the “anyone with the link” option). Google, for example, indexes documents that anyone on the internet can view, meaning they can appear in search results.
- Share clients’ personal data with colleagues on a strict need-to-know basis. Beyond causing trouble with regulators, sharing data increases the risk of data leakage.
- Check links in e-mails carefully before clicking, and remember that a convincing sender name is no guarantee of authenticity. Among cybercriminals’ many tricks for getting people to click on phishing links, they may tailor messages to your business specifically or even use a colleague’s hijacked account.
- For budget managers: Never transfer money to unknown accounts solely based on an e-mail or direct message. Instead, directly contact the person who supposedly authorized the transfer to confirm it.
- Leave unknown flash drives alone; don’t connect found media to a computer. Attacks through infected flash drives are not just the stuff of science fiction — cybercriminals can and have planted malicious devices in public and in offices.
- Before opening a file, check to make sure it is not executable (attackers often disguise malicious files as office documents). Do not open and run executable files from untrusted sources.
- Whom to contact — name and phone number — in case of a suspicious e-mail, weird computer behavior, a ransomware note, or any other questionable issue. That might be a security officer, a system administrator, or even the business owner.
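As an added illustration of the point about disguised executables (this is example code written for this guide, not part of the original post), the following Python script flags a file when its extension or its leading bytes mark it as executable even though the name looks like an office document. The extension lists and the sample files are constructed assumptions; tune them to your own environment.

```python
import os
import tempfile

# Extensions the desktop runs on double-click (constructed list for this
# example; tune it to the environment you administer).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar"}
# Extensions users expect to be passive documents.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
# Leading bytes of common executable formats, independent of the file name.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable",
                    b"#!": "script with interpreter line"}

def name_findings(filename):
    """Reasons the *name* suggests an executable dressed up as a document."""
    findings = []
    root, ext = os.path.splitext(os.path.basename(filename).lower())
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension " + ext)
        if os.path.splitext(root)[1] in DOCUMENT_EXTENSIONS:  # e.g. invoice.pdf.exe
            findings.append("document extension hidden before " + ext)
    return findings

def content_findings(path):
    """Reasons the *content* is executable, whatever the name claims."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return [desc for magic, desc in EXECUTABLE_MAGIC.items() if head.startswith(magic)]

def assess(path):
    """All findings for one file; an empty list means it looks like a plain document."""
    return name_findings(path) + content_findings(path)

def run_demo():
    """Write constructed sample files to a temp dir and assess each one."""
    samples = {
        "invoice.pdf.exe": b"MZ\x90\x00fake PE header",  # disguised executable
        "notes.pdf": b"MZ\x90\x00renamed executable",    # name lies about content
        "report.docx": b"PK\x03\x04real Office zip",     # genuine document
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(body)
            results[name] = assess(path)
    return results
```

Call `run_demo()` to see the three constructed samples assessed, or `assess(path)` on a real download before opening it.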
Those are the very basics — the stuff everyone at every company needs to know. For greater awareness of modern cyberthreats, however, we recommend special training.