Cybersecurity: best practices to follow
The majority of cyber attacks start with an unfortunate action by an employee who was tricked into taking it. Adopt these five best practices to act safely and prudently, protecting both the company you work for and the confidential and personal information you handle.
Cybersecurity is a daily concern for all businesses around the world. As mentioned in a previous article, it should also be everyone’s responsibility within each company. Here are some concrete steps you can take as an agent, broker or claims adjuster to reduce the risk of cyber incidents.
- The longer the better. The longer and more complex a password is, the harder it is to crack by guessing or brute force. Some standards even recommend that user passwords be at least 16 characters long, and 25 characters or more for privileged accounts.
- Use a random sequence of characters. Dictionary words, consecutive keystrokes ("qwerty"), logical sequences ("1234", "abcd") and letters replaced with look-alike numbers ("p4ssw0rd") all appear in the word lists that password-cracking tools try first.
- Choose unique passwords. When a stolen password is reused across multiple accounts or services, the damage is multiplied: attackers automatically test leaked credentials against other sites (credential stuffing).
- Use a password manager. In a hyperconnected world like ours, the number of passwords to remember is hard to manage. Ask the person in charge of IT security in your company which password manager you may use: it generates a unique, random password for each account and stores them securely, so you only have to remember one strong master password. Your employer most likely also requires multi-factor authentication (MFA) to log in to the company network or systems. This additional layer of security has become essential: it confirms that it really is you logging in, even if your password has been stolen.
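To make the four password rules above concrete, here is an added example (written for this page, not code from the original article) of a policy check an IT team could run when a password is set. It applies the 16-character and 25-character thresholds quoted above, undoes look-alike substitutions before matching dictionary words, and detects keyboard walks and sequential runs. The word list is constructed and deliberately tiny; a real deployment would load a large breached-password list instead.

```python
import re

# Thresholds quoted in the text: 16 characters for users, 25 or more for privileged accounts.
MIN_LEN_USER = 16
MIN_LEN_PRIVILEGED = 25

# Constructed, deliberately tiny word list for the example; a real check would
# load a large breached-password list instead.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "insurance", "broker", "admin", "letmein"}

# Look-alike substitutions that cracking tools undo before dictionary matching.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def normalize(password):
    """Lowercase and undo look-alike substitutions ('P@ssw0rd' -> 'password')."""
    return password.lower().translate(LEET_MAP)

def contains_dictionary_word(password, min_word_len=5):
    text = normalize(password)
    return any(word in text for word in COMMON_WORDS if len(word) >= min_word_len)

def has_keyboard_walk(password, run=4):
    """True if 'run' adjacent keys of one keyboard row appear, in either direction."""
    text = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in text for i in range(len(seq) - run + 1)):
                return True
    return False

def has_sequential_run(password, run=4):
    """True for ascending or descending runs such as 'abcd', '4321' or 'wxyz'."""
    text = password.lower()
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False

def evaluate(password, privileged=False):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    findings = []
    minimum = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_USER
    if len(password) < minimum:
        findings.append(f"too short: {len(password)} characters, policy requires {minimum}")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    if contains_dictionary_word(password):
        findings.append("contains a dictionary word once look-alike substitutions are undone")
    if has_keyboard_walk(password):
        findings.append("contains a keyboard walk such as 'qwer' or '1234'")
    if has_sequential_run(password):
        findings.append("contains a sequential run such as 'abcd'")
    return findings

if __name__ == "__main__":
    for candidate in ("P@ssw0rd1234!", "Summer2024!", "Correct-horse-battery-7-staples"):
        print(candidate, "->", evaluate(candidate, privileged=True) or "OK")
```

Note that a passphrase made of unrelated words passes every check while "P@ssw0rd1234!" fails four of them even though it mixes all four character classes, which is exactly why the list above asks for length and randomness rather than for symbols.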
To learn more, here are publications from the Canadian Centre for Cyber Security:
Any type of website (social media, a well-known retailer, a bank, technical support, a utility) may be counterfeited, just as any type of email attachment (text document, spreadsheet, photo, audio file) can carry malware. Even QR codes (2D barcodes) embedded in emails or on websites can lead to fraudulent websites.
When you receive an email, look out for these phishing attempt red flags:
- Do the name and email address match the supposed sender? Do they contain additional letters or numbers that shouldn’t be there?
- Is the company logo blurry, inaccurate or disproportionate?
- Does the message itself contain urgent or threatening language? Is the formatting and layout adequate? Are the spelling and wording questionable?
- Do the links really lead where the supposed sender would send you? Before clicking a link, hover over it with the mouse cursor so that the actual destination (URL) appears. If you don't recognize it, if it contains an error or if you have any other doubt, don't click on it.
- Attachments: if the email contains an attachment you weren't expecting, if its name is strange, if it is unrelated to the message or if the file type is unusual, don't open or download it.
If your employer has an email scanning or reporting service, use it to check any suspicious or unusual email. Otherwise, delete any email that looks suspicious: if it was important, the sender will re-send it or contact you another way. Being overly suspicious will almost always cost far less than compromising your company's network by opening a malicious document or clicking a malicious link.
Note that phishing is increasingly done through text messages received on cell phones (smishing); the same precautions apply.
Cybercriminals are very adept at counterfeiting websites, reusing the same or similar logos and graphic elements as the legitimate owner. There are usually small clues: language errors, low-resolution images, an inconsistent domain name (an extra number or an unusual letter, for example), or a site that should be served over HTTPS (shown by the padlock in front of the address) but isn't. Keep in mind that the padlock only means the connection is encrypted; a counterfeit site can obtain a valid certificate too, so the domain name itself is the clue to check.
A company usually puts much effort and care into its website: if you notice imperfections or a quality not on par with the organization's normal standards, the website may well be counterfeit.
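The sender, link and wording checks in the phishing red-flag list above, together with the look-alike domain clue from the counterfeit-website paragraph, can be automated on incoming mail. The following is an added example written for this page (not code from the original article or from any mail-scanning product): it parses a raw email, compares the sender and every link target against a constructed list of trusted domains (an extra digit, an unusual letter or a trusted name reused as a subdomain of another domain all count as imitation), checks whether the visible link text shows a different address than the real target, flags a Reply-To that leads elsewhere, and looks for urgent wording. The two sample messages, the domains example-insurer.ca and claims.example-insurer.ca, and the phrase list are all constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the domains the reader legitimately deals with.
TRUSTED_DOMAINS = ("example-insurer.ca", "claims.example-insurer.ca")
# Wording typical of the "urgent or threatening language" red flag (constructed list).
URGENT_PHRASES = ("within 24 hours", "immediately", "will be suspended", "final notice")

def edit_distance(a, b):
    """Levenshtein distance; one extra digit, one swapped letter or 'rn' for 'm' all stay <= 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the trusted domain that host imitates, or None if host is trusted or unrelated."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for t in TRUSTED_DOMAINS:
        if host.startswith(t + "."):  # trusted name reused as a subdomain of another domain
            return t
        if edit_distance(host, t) <= 2:  # extra number, unusual letter, homoglyph pair
            return t
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(raw_message):
    """Return the red flags found in a raw RFC 5322 message with an HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"sender domain {from_domain} imitates {imitated}")
    reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append(f"replies go to {reply_addr}, not to the sender's domain")
    html_body = msg.get_content()
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        imitated = lookalike_of(target)
        if imitated:
            flags.append(f"link target {target} imitates {imitated}")
        shown = re.match(r"https?://([^/\s]+)", text)  # link text that displays a URL
        if shown and shown.group(1).lower() != target:
            flags.append(f"link text shows {shown.group(1)} but points to {target}")
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in URGENT_PHRASES:
        if phrase in plain:
            flags.append(f"urgent or threatening wording: '{phrase}'")
            break
    return flags

# Constructed sample messages (not real mail); the first imitates the trusted insurer.
PHISHING_SAMPLE = """\
From: Example Insurer Claims <claims@examp1e-insurer.ca>
Reply-To: support@mailbox-relay.net
Subject: Action required: claim file locked
Content-Type: text/html; charset=utf-8

<html><body><p>Your claim file will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://example-insurer.ca.verify-portal.com/login">https://claims.example-insurer.ca/login</a></p>
</body></html>
"""

LEGITIMATE_SAMPLE = """\
From: Example Insurer Claims <claims@claims.example-insurer.ca>
Content-Type: text/html; charset=utf-8

<html><body><p>Thank you, the documents have been added to the file.</p>
<p><a href="https://claims.example-insurer.ca/files">Open the claim portal</a></p></body></html>
"""
```

Running red_flags(PHISHING_SAMPLE) reports five problems (look-alike sender domain, foreign Reply-To, trusted name used as a subdomain of the link target, link text that contradicts the target, and urgent wording), while the legitimate message produces none. The edit-distance threshold is deliberately small: with a list of short trusted domains it should be lowered, or the check replaced by a proper registrable-domain comparison, to avoid false alarms.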
Public or shared computers, such as those in libraries, airports and cyber cafés, or even your teenager's computer, are often poorly protected: they may have no anti-virus, anti-malware or adequate firewall, or may not be up to date, and anything you type on them can be captured. Avoid using them to log in to your accounts.
Mobile devices (cell phones and tablets) are a prime target for cybercriminals. If you use them, stay alert and, where possible, apply the same security practices as on a computer: install anti-virus and anti-malware software and a firewall, and keep the operating system and apps up to date.
Enable a password-protected screen lock after a few minutes of inactivity on your mobile devices. This way, should a device be lost or stolen, accessing its contents will be more difficult. It is also helpful to enable the device's location and remote data wipe features.
Finally, ask your employer about their policies and guidelines on the use of personal devices for work and make sure to follow them.
Whether you work from home temporarily or permanently, you may be accessing your company's network remotely through a virtual private network (VPN). "You can think of a VPN as a tunnel. By using this tunnel, you can send and receive data more securely." It adds a layer of protection to remote access because data is encrypted in both directions between your device and the company network. Note that it protects the data in transit, not a device that is already infected.
However, make sure that the network you use to reach your VPN is also trustworthy. For example, avoid free Wi-Fi access points: some are fake access points ("evil twins") set up solely so that cybercriminals can intercept what you exchange while browsing or push malware onto your device. If you don't need the Internet, disable your Wi-Fi connectivity.
Use only trusted networks to connect to your email, bank accounts and even social media.
Social media, a source of information for cybercriminals
Social media makes it easy for cybercriminals to steal identities and prepare social engineering attacks: seemingly mundane details (your job title, your colleagues, an upcoming holiday, the suppliers you work with) can prove crucial in a psychological manipulation attempt. In this type of attack, the cybercriminal uses that information to impersonate a client, a colleague, your manager or a company you do business with, in order to trick you into revealing a password, sensitive or confidential data, financial information, and so on. For advice on the use of social media, read our Tip Sheet on Using Social Media in Your Professional Practice.
Did you know that keeping your physical work environment tidy is just as important for cybersecurity? No confidential information, including passwords, should be easily accessible or left in view of anyone who may be in your work environment.
The mishap that the international television channel TV5 Monde suffered in 2015 perfectly illustrates the risk of not keeping a clean desk. Viewers of a French news broadcast were able to read the passwords of several of TV5 Monde's social media accounts: they were posted on the office walls and were caught on camera during a report in which TV5 journalists were interviewed in the aftermath of a cyber attack claimed by a terrorist organization.
Keeping your workspace tidy and sensitive information or confidential documents in a secure location reduces the risk of cyber incidents, information or identity theft and industrial espionage, for example.
Learn more about good cyber security habits
Learn more about good cyber security habits in our training course called Sensibilisation à la sécurité de l’information (AF1017) [information security awareness, in French only] offered in partnership with the Regroupement des cabinets d’assurance du Québec (RCCAQ).