As Cybersecurity Awareness Month wraps up, it’s worth mentioning that employee security awareness training is an ongoing process. Employee error remains a significant contributing factor in data breaches. According to the 2022 Verizon Data Breach Report, “74% of all breaches include the human element… error, privilege misuse, use of stolen credentials or social engineering.” While regular phishing simulations may help reduce the risk of clicking on a phishing email, security awareness training should also cover topics such as password management, safe Internet use, data retention and disposal, working remotely, and mobile device security. While not technically security-related, training employees on the proper use of the organization’s systems, devices, and workplace tools may help minimize inadvertent misuse that can create a vulnerability.
To close out Cybersecurity Awareness Month, here are a few tips for the workplace:
- Spreadsheets.
Employees have been trained to password-protect spreadsheets containing sensitive information before emailing or forwarding them. However, a spreadsheet that appears to contain only non-sensitive information can be deceptive: sensitive data can reside on untitled or hidden tabs, or be concealed by filters. In a recent data breach, the publication of a spreadsheet containing non-sensitive statistics resulted in an unauthorized disclosure of personally identifiable information included on a separate tab containing the sensitive source data. Training employees on how to properly use and review a spreadsheet, requiring a second set of eyes to review the spreadsheet before sending, or sending a .pdf of the spreadsheet instead may help minimize the risk of an unauthorized disclosure.
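One way to make the "second set of eyes" review concrete is a pre-send check that lists everything a reviewer would not see when opening the workbook normally. The script below is an added example, not code from the original post or from Jackson Lewis. It relies only on the Python standard library: an .xlsx file is a zip archive of XML parts, so it reads `xl/workbook.xml` for sheets marked hidden and each worksheet part for hidden rows, hidden columns and active filters. The sample workbook it builds is constructed for the example (a visible "Statistics" tab plus a hidden "Source data" tab) and contains only the parts the check reads, so it is not a complete Excel file.

```python
"""Pre-send check for hidden content in an .xlsx workbook (stdlib only).

Hidden sheets are recorded in xl/workbook.xml (sheet state="hidden" or
"veryHidden"); hidden rows, hidden columns and autoFilter ranges are
recorded in each worksheet part. Reading those parts directly avoids any
third-party dependency.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_hidden_content(xlsx_bytes):
    """Return a list of (sheet_name, finding) tuples for content that a
    reviewer would not see in the normal view of the workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))

        # Map relationship id -> worksheet part path (targets are relative to xl/).
        targets = {}
        for rel in rels.findall(f"{{{NS_PKG}}}Relationship"):
            target = rel.get("Target", "")
            targets[rel.get("Id")] = target[1:] if target.startswith("/") else "xl/" + target

        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append((name, f"sheet is {state}"))

            part = targets.get(sheet.get(f"{{{NS_REL}}}id"))
            if part is None or part not in zf.namelist():
                continue
            ws = ET.fromstring(zf.read(part))

            hidden_rows = [r.get("r") for r in ws.iter(f"{{{NS_MAIN}}}row")
                           if r.get("hidden") in ("1", "true")]
            if hidden_rows:
                findings.append((name, f"{len(hidden_rows)} hidden row(s): {', '.join(hidden_rows)}"))

            hidden_cols = [f"{c.get('min')}-{c.get('max')}" for c in ws.iter(f"{{{NS_MAIN}}}col")
                           if c.get("hidden") in ("1", "true")]
            if hidden_cols:
                findings.append((name, f"hidden column range(s): {', '.join(hidden_cols)}"))

            # An autoFilter element means rows may be filtered out of view.
            auto_filter = ws.find(f"{{{NS_MAIN}}}autoFilter")
            if auto_filter is not None:
                findings.append((name, f"autoFilter on {auto_filter.get('ref')}"))
    return findings


def build_sample_workbook():
    """Constructed sample (not a real file): a visible 'Statistics' sheet and a
    hidden 'Source data' sheet with a hidden row, a hidden column and a filter.
    Only the parts find_hidden_content() reads are included."""
    ws_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Statistics" sheetId="1" r:id="rId1"/>'
                '<sheet name="Source data" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{ws_type}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{ws_type}" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    sheet1 = (f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
              '<row r="1"><c r="A1" t="inlineStr"><is><t>Total records</t></is></c></row>'
              '</sheetData></worksheet>')
    sheet2 = (f'<worksheet xmlns="{NS_MAIN}"><cols><col min="3" max="3" width="12" hidden="1"/></cols>'
              '<sheetData>'
              '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
              '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Jane Example</t></is></c></row>'
              '</sheetData><autoFilter ref="A1:C2"/></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    for sheet_name, finding in find_hidden_content(build_sample_workbook()):
        print(f"[{sheet_name}] {finding}")
```

To use it on a real file, pass `open(path, "rb").read()` to `find_hidden_content()`; an empty result means no hidden sheets, rows, columns or filters were found, which does not by itself prove the visible content is non-sensitive.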
- Password management.
Compromised credentials are a growing cause of cybersecurity incidents, including business email compromise. Practicing strong password management is essential to protecting an organization’s sensitive information. At a minimum, employee passwords should be changed frequently on a predetermined schedule, not shared with co-workers, and not reused, recycled, or used across accounts. While password security seems obvious, security awareness training should include reminders about password best practices. In addition, passwords should consist of at least 13 characters, including upper and lower case letters, special characters, and numbers. According to Hive Systems, a 10-character password consisting of numbers and upper and lower case letters can be cracked in 22 minutes using ChatGPT hardware.
- Collaborative tools and communications platforms.
The use of collaboration tools in the workplace continues to grow, but these tools also present risk. Organizations should consider providing employees with a whitelist of approved tools and implementing policies that define permitted use as well as prohibited activities, such as sharing passwords or sending sensitive data through the tool. Employee training can include proper use of authorized tools, creating secure accounts, and recognizing privacy risks.
- Email retention.
Retaining personally identifiable information for longer than needed creates a greater risk of unauthorized access or disclosure in the event of a cyberattack or business email compromise. This includes email accounts. A threat actor accessing an email account to commit wire transfer fraud will likely gain access to the contents of the account, including any sensitive information, in the process of doing so. In the absence of an email retention policy, email accounts can accumulate a significant amount of data and unauthorized access to sensitive data may constitute a reportable data breach. Organizations should ensure data retention and disposal policies and procedures address email accounts. Emails containing sensitive information should be promptly moved from the user’s email account to a secure location and important emails or records should be archived consistent with the organization’s data retention and disposal policy and schedule. Any email retention policy should be drafted to consider applicable law and potential litigation hold requirements. Employee training on email retention practices can help minimize the risk of a reportable data breach.
Regular employee training – cybersecurity and threat awareness, data protection principles, and proper use of company tools and devices – continues to be one of the best defenses and helps make Cybersecurity Awareness Month every month.
If you have questions about developing cybersecurity policies and procedures or training, reach out to a member of the Jackson Lewis Privacy, Data, and Cybersecurity Team.