“I don’t put personally identifiable information on my social media account, not even my birthday. So, if I use the same password in multiple places, it doesn’t matter.”
“I make sure to have different categories of passwords for work, personal financial, and social media sites so that I can remember them.”
“I use random passwords generated by my browser and then use the browser’s autofill.”
Chances are that at some point in your login life, you’ve believed at least one of the above statements to be true. Unfortunately, even if one of them was true last year, it no longer protects you today.
Although some security professionals condescendingly proclaim that “end users are your weakest link,” they prefer to complain rather than empower. Empowering employees through meaningful security training allows you to create stronger internal information security controls while also creating a corporate culture focused on cybersecurity best practices.
What are the risks to my data environment?
Malicious actors breaching firewalls make the news because they’re scary events. However, the majority of breaches actually come from weak employee credentials. According to a SpyCloud report, account takeover was the most common cause of cyber breaches in 2017. Employee password hygiene is alarming:
- Employees over 55 years old have 12 passwords
- Millennial employees have 8 passwords
- Gen Z employees have 5 passwords
- 59% of people use the same password everywhere
As an employer, you face a larger risk of a data breach from poor employee password management practices than you do from a hacker getting through your firewall. In fact, a recent security audit of the Western Australian government found:
- 26% of officials used weak, common passwords
- Over 5,000 out of 234,000 users included “password” in their password
- Nearly 13,000 used a version of “date and season” (Augst2017, Spring2017)
- Almost 7,000 included “!23” in them somewhere
What did this mean? That an auditor managed to gain access to the government’s entire network by guessing “Summer123.”
Why are employee password practices a threat?
With more applications requiring passwords, employee password retention practices put your business at risk more than ever. According to 2016 Pew Research Center data, most people don’t maintain secure protection over their passwords even if they do try to change them:
- 86% of people track their passwords mentally
- 49% write down some passwords on paper
- 18% rely heavily on writing passwords on paper
- 24% use digital notes or documents on a device
- 12% use password management software
- 3% rely on password management software for storing passwords
Employees who rely primarily on memorization for an ever-increasing number of passwords are likely to reuse them across secure and unsecure accounts. An employee using the same password for your system access and their Netflix account can also leave you at risk of a data breach.
Five Steps to Empowering Employee Security
While employees do represent the riskiest part of your security efforts, treating them as the “weakest link” in your information security program only reinforces their unhealthy cyber behaviors. To protect your environment, you need to treat your employees with respect and have confidence in them. To do that, you need to give them the tools that enable good cybersecurity practices.
Make It Personal
Flu shots are similar to cyber hygiene. Many companies offer flu shots in the workplace to protect the business from a flurry of absent employees. While your employees may be dedicated to their jobs, they are more likely to get a flu shot to protect their families’ health. Cyber hygiene works the same way.
Employees worry about compromising their own data, but they often feel no control over outsider activities. Connecting your cybersecurity training to your employees’ personal lives makes cyber hygiene relevant. Explain to them the relationship between personal data security and workplace cyber issues, and you’ll get their attention. Employees who are made aware of best information security practices at home are more likely to have strong overall cyber hygiene habits that transfer to your office.
Make It Simple
More than anything else, most people find cybersecurity's jargon overwhelming. Phishing, malware, and ransomware may be part of today’s tech lingo, but SQL injection, cross-site scripting, exploit, vulnerability, and lines of green code on black screens move outside most users’ comfort zones.
Employees need to understand the problems, not the terminology.
- Constant Vigilance: Always be suspicious of messages that you’re not expecting, whether via email, text, or social media messenger.
- Trust but Verify: If you see a link in an email, hover your cursor over it to see where it directs. If you don’t recognize it, then just delete!
- Lock It Down: Login information and passwords are like treasure. Lock them down and don’t share them, not even the Netflix password. Since employees use similar passwords across their home and work environments, a shared Amazon password can put their work accounts at risk even if they don’t realize it.
Use Multi-Factor Authentication (MFA)
Most people hate multi-factor authentication. It’s a pain. It means having to remember extra information or keep a token with you. It means you have to wait until that text comes through or make sure you can access the email, but it is increasingly considered a “best practice.”
You can make employees use MFA at work, but explaining the reason for it as “making sure you are who you are” drives healthier cyber behaviors. Where you can, using a single-sign-on or identity management system eases the process for employees. It also acts as a “positive role model” for choosing to create new accounts using Google logins rather than adding another password to manage.
Teach Passphrase Not Password
Passwords are so passé. When people imagine “hackers breaking passwords,” they think about people in hoodies at a computer typing and typing different combinations and code for hours. In reality, modern hackers purchase software off the dark web. These programs often include dictionaries of the most commonly used passwords, brute-force attacks that run through the variety of alphanumeric character combinations, or rainbow tables of precomputed password hashes. “Choose a password” options use the same types of algorithms that hackers use to break them. Therefore, “kq21#by67QPm” isn’t really that safe.
However, personalized passphrases don’t follow a predictable pattern, so these tools have a harder time guessing them. Creating a safe password means thinking of a phrase, then manipulating it with numbers and special characters. For example:
Changes: a becomes @, i becomes 1, o becomes 0, s becomes $
New passphrase: Myf1rstd0gw@srufu$
This yields a non-random mix of letters, numbers, and special characters that is both safer and easier to remember.
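The audit findings above (“password” in the password, season or month plus a year, a trailing “!23”) are easy to turn into a policy check that rejects a new password before it is ever set. The script below is an added example written for this article, not Zeguro’s product or the auditor’s tooling: it encodes those three patterns plus a small constructed blocklist and an assumed 12-character minimum (neither figure comes from the article), then runs them over a constructed sample set that includes the guessed “Summer123” and the article’s own passphrase.

```python
import re

# Constructed sample of "weak, common" passwords for the blocklist check (not from the audit).
COMMON_PASSWORDS = {"123456", "qwerty", "welcome", "letmein", "admin"}

# Season and month words, covering the "date and season" style the audit reported
# (Spring2017, August2017).
DATE_WORDS = (
    "spring|summer|autumn|fall|winter|"
    "january|february|march|april|may|june|july|august|"
    "september|october|november|december"
)
DATE_PATTERN = re.compile(rf"({DATE_WORDS})\s*\d{{2,4}}")

MIN_LENGTH = 12  # assumed policy floor; the article gives no figure


def weak_password_reasons(password: str) -> list[str]:
    """Return every audit-style weakness found in `password` (empty list means it passed)."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on common-password blocklist")
    if "password" in lowered:
        reasons.append("contains the word 'password'")
    if DATE_PATTERN.search(lowered):
        reasons.append("season or month followed by a year/number")
    if "!23" in password:
        reasons.append("contains '!23'")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def audit(passwords) -> dict:
    """Count how many candidates trip each rule, the way the audit reported its totals."""
    totals = {}
    for pw in passwords:
        for reason in weak_password_reasons(pw):
            totals[reason] = totals.get(reason, 0) + 1
    return totals


# Constructed sample set mirroring the reported patterns (not real user passwords).
SAMPLE = ["Summer123", "Spring2017", "August2017", "Password1!", "Hello!23", "Myf1rstd0gw@srufu$"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(pw, "->", weak_password_reasons(pw) or "ok")
    print(audit(SAMPLE))
```

Hooking `weak_password_reasons` into the password-change flow gives the employee a concrete reason at the moment they pick a password, which is the point of the “make it simple” advice: the rule is explained in plain words rather than as a rejected form.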
Create a Company Culture of Cyber Hygiene
Just as schools create a culture of physical hygiene, companies need to establish a culture of cyber hygiene. At every level of education, schools put up posters reminding kids to cough into their elbows or wash their hands. Yet the same kind of reminders for cyber health are forgotten.
Reminding employees about good cyber hygiene can be as simple as monthly emails, funny pictures, or posters around the breakroom. Making the reminders entertaining makes them more memorable as well as making cybersecurity more approachable.
Zeguro’s Training Enables Employee Empowerment
In the fight against malicious actors, “knowing is half the battle.” Social engineering is the greatest threat to small and medium-sized businesses. Zeguro’s monthly training on security basics and compliance lets your employees understand the role they play in cyber safety, and allows them to take control over their data and practices. From understanding multi-factor authentication to experiencing phishing simulations, they can practice outwitting a hacker and gain the confidence necessary to keep the company’s digital assets secure.