Cybersecurity Basics for Non-Tech Staff: A Manager’s Guide

Cybersecurity isn’t the sole responsibility of IT. Good cybersecurity is a collaborative effort between IT staff, managers, and employees. If you’re a manager overseeing multiple staff members, it’s your responsibility to ensure that your people understand corporate cybersecurity policies. Cybersecurity staff can set up policies and simulations to test human vulnerabilities, but they can’t enforce policies without your help. Here are a few ways you can help protect corporate assets within your department.

Help Users with Phishing Detection

It’s not a matter of “if” your company is targeted by phishing. It’s a matter of “when.” Your users should know what to look for when they read and respond to email messages. A good managed service provider (MSP) should offer email filtering to stop malicious messages, but every filter produces false negatives, and some phishing email will reach inboxes. When a message does slip through, users should know to stop and ask questions rather than act on it immediately.

Your MSP can run phishing simulations in which users who click, reply, or enter credentials are flagged for follow-up training. As a manager, you can help guide your users through phishing identification. Here are some phishing red flags:

  • The sender conveys a sense of urgency and pushes for immediate action
  • The display name looks familiar but the actual sender address is an unrelated or external domain
  • Links to an external site where the recipient must authenticate
  • Requests for emergency money transfers or gift cards
  • Poor grammar or spelling – although this signal is disappearing now that attackers write with AI-generated text
  • Attachments with macros or executable content

While a good email filtering solution should block many of these messages, users are your last line of defense. Educating them on common phishing scams will help them distinguish a phishing email from a legitimate message.

Practice Password Protection

Users with elevated permissions are more valuable to cyber-criminals, but attackers also target low-privileged users, then move laterally to other systems and escalate their privileges through further phishing and malicious executables. Keeping credentials private ties in with avoiding a phishing attack, but users should also avoid malicious websites, use long, unique passwords (ideally generated and stored by a password manager), and change a password promptly whenever it may have been exposed. Current guidance such as NIST SP 800-63B no longer recommends forcing routine periodic changes, because that encourages weak, predictable variations; compromise-driven rotation matters more than calendar-driven rotation.

IT staff can enforce minimum password length, block known-breached passwords, and require a change when an account shows signs of compromise, but they can’t stop users from entering their credentials on malicious websites, especially when users do it from their personal computers. As a manager, you can train your employees to be wary about entering sensitive data into unknown sites.

A good example is phishing pages made to look like SSO (single sign-on) pages. For example, suppose your organization uses Google Workspace as its provider, and users authenticate using a Google login page. Scammers use pages that look like the standard Google login prompt to trick users into entering their credentials. If you don’t have two-factor authentication (2FA) enabled, users have just given cyber-criminals access to their corporate account. Note that not all 2FA is equal: a phishing page can relay an SMS or app-generated one-time code to the real site in real time, whereas phishing-resistant methods such as FIDO2 security keys and passkeys are bound to the genuine domain and will not work on a lookalike site.

Users should be encouraged to look at the domain before entering credentials. Phishing domains often include the official brand name with added words, hyphens, or letters to look official, use a slight misspelling of the real domain, or place the brand name in a subdomain of an attacker-controlled domain (for example, company.com.evil.net is not company.com). Instead of clicking links and authenticating, type the official domain in your browser and authenticate there.

Here are a few protection steps users can follow:

  • Look at the spelling of the domain name to ensure it’s not a misspelling
  • Don’t click links from email messages. Instead, type the domain into your browser.
  • Check for extra letters or words in a domain name. For example, login-company.com vs. the official company.com domain.
  • Read the domain from right to left: the part just before the first single slash is what counts, so login.company.com belongs to company.com, but company.com.evil.net belongs to evil.net.
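The checks in the list above can be automated, for example in a browser-extension back end or a helpdesk triage script. The following Python example is added here and is not code from the original article or from Corporate Technologies; it assumes a hypothetical organisation whose official domain is company.com and which signs in through Google Workspace (so google.com is also treated as official), and it uses a simplified "last two labels" notion of the registrable domain rather than a public-suffix list. It goes a little beyond the list by also flagging the credentials-in-URL trick (https://company.com@evil.net/) and internationalised look-alike characters.

```python
from urllib.parse import urlsplit

# Assumption for this example: the organisation's official domain is company.com
# and it authenticates through Google Workspace, so google.com is official too.
OFFICIAL_DOMAINS = ("company.com", "google.com")


def registrable_domain(host):
    """Last two labels of a host, e.g. 'login.company.com' -> 'company.com'.

    Assumption: no public-suffix handling (co.uk and the like); adequate for an
    allow-list of plain .com domains, which is all this example uses."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url):
    """Return (verdict, detail) for a URL a user is about to authenticate on."""
    if "://" not in url:              # users often paste a bare host name
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host:
        return ("invalid", "no host in URL")
    # https://company.com@evil.net/ : everything before '@' is a username,
    # the browser connects to the host after it
    if parts.username is not None:
        return ("userinfo", f"'{parts.username}' is a username; real host is {host}")
    # Non-ASCII or punycode (xn--) labels: possible homograph of the real domain
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return ("homograph", f"internationalised label in {host}")
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        if parts.scheme != "https":
            return ("insecure", f"{host} is official but not served over https")
        return ("official", f"{host} is under {reg}")
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # 'login-company.com' or 'company.com.evil.net': brand present, wrong domain
        if brand in host:
            return ("lookalike", f"{host} contains '{brand}' but is not under {official}")
        # 'conpany.com': one character away from the real domain
        if edit_distance(reg, official) <= 1:
            return ("typosquat", f"{reg} is within one edit of {official}")
    return ("unknown", f"{reg} is not an allow-listed login domain")


if __name__ == "__main__":
    # Constructed sample URLs for demonstration, not taken from any real incident
    samples = [
        "https://login.company.com/sso",
        "https://accounts.google.com/signin",
        "https://login-company.com/",
        "company.com.evil.net/login",
        "https://conpany.com/",
        "https://company.com@evil.net/",
        "http://company.com/",
        "https://docs.example.org/",
    ]
    for sample in samples:
        print(f"{sample:40} -> {classify_login_url(sample)}")
```

Anything other than "official" should send the user back to the address bar to type the known domain by hand. The allow-list approach is deliberate: trying to enumerate bad domains never ends, while the set of places your staff legitimately sign in is small and knowable.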

Be Suspicious of Calls Asking for Money or Credentials

Along with phishing, social engineering over the phone is also an effective way for cyber-criminals to steal data or money. In more sophisticated attacks the two are combined: users first receive an email and then a follow-up call pressing for an immediate response. These attacks often ask for wire transfers or changes to vendor payment details, so they target finance and accounts-payable staff. Users should stop and verify rather than allow the caller to rush them into a rash decision.

As a manager, you can train your employees to follow procedures regardless of the caller’s urgency. Employees should also be aware that callers can use AI voice cloning to sound like someone familiar, such as the CEO or the employee’s own boss, so a familiar voice is not proof of identity. Train your employees to always verify unusual requests through a separate, known-good channel, for example by calling the person back on the number already in the company directory rather than one the caller provides.


Leave Unknown USB Devices Alone

Here is a tip many experts forget to tell employees – don’t insert unknown USB flash drives into a corporate computer. Starting around 2023, cyber-criminals increased their use of USB drives as a delivery method and built malware specifically for them. Criminals might leave the drive in a place frequented by your employees, such as a parking lot, lobby, or café next to your office building.

Modern versions of Windows no longer run programs automatically from removable media, so these drives typically rely on the employee opening a disguised file (a shortcut or document that looks like an invoice or photo), or on a device that presents itself to the computer as a keyboard and types commands on its own. Once that happens, it’s too late unless endpoint protection catches it, and antivirus can’t catch every attack, so the malware may execute and deliver its payload. The payload could be a trojan, a rootkit, ransomware, or any number of malicious programs.

As a manager, you should also be aware of the dangers of malicious flash drives. Don’t put them in office workstations. If one is found onsite, ask IT to look into it or wait for someone in security to analyze it. 

Direct Cybersecurity Questions to Professionals

If you’re the manager of a small business, it can be hard to deal with IT concerns while also handling your own work. Rather than handling cybersecurity yourself, you can engage a managed service provider to run the IT helpdesk, answer employee questions, maintain the cybersecurity infrastructure, and protect your data. You still need to help educate employees, but an MSP can also supply the right education tools, simulations, and documentation.

If managing cybersecurity is getting too overwhelming for you, see what Corporate Technologies can do to lessen your workload and bring your business to where it needs to be. Contact us today.

FAQs

Should I have a cybersecurity policy as an SMB? 

Yes, without a policy and cybersecurity education, users might not be able to identify and manage common threats like phishing and social engineering.

Is email filtering necessary for cybersecurity?

Email filtering solutions will block many of the common phishing attacks, reducing your risk of being a victim of a data breach.

What are some red flags for social engineering?

Social engineering calls usually try to rush a targeted user and convince them to skip any kind of verification, such as validating the caller’s identity or confirming that a money transfer is authorized.

What should I do when I find a USB drive?

Do not insert the USB device into your computer. Instead, hand it over to an IT staff member or have a cybersecurity professional look into its content.

Will an MSP educate users on proper threat detection?

An MSP will show users how to identify social engineering, phishing, and other threats. Your business must still have a cybersecurity policy and continue educating users as threats evolve.
