10 cybersecurity best practices that every employee should know

If you’re an employee, you are on the front lines of information security. Your company may have comprehensive cybersecurity policies for you and your coworkers to follow. But even with these protections, it’s important to stay on guard to help ensure your company’s data and network are safe and secure.

Does it make a difference if you work for a small or midsize company? Hackers often target large organizations, but smaller organizations may be even more attractive. Why? Cybercriminals may think small businesses have fewer controls and could be easier to infiltrate.

Your company may have the best security software and most comprehensive office policies, but your actions play a big part in helping to keep data safe. Consider this: A single employee could make a mistake by sharing sensitive company information on their smartphone or clicking on a corrupt link — and that could lead to a data breach.

When you work at a small or midsize company, it’s smart to learn about cybersecurity best practices. If you educate yourself about the small things that contribute to cybersecurity, it can go a long way toward helping to protect your organization.

10 cybersecurity best practices

Cybersecurity best practices encompass some general best practices — like being cautious when engaging in online activities, abiding by company rules, and reaching out for help when you encounter something suspicious. Here’s a deeper dive into the 10 cybersecurity best practices for businesses that every employee should know and follow.

1. Protect your data

In your daily life, you probably avoid sharing personally identifiable information like your Social Security number or credit card number when answering an unsolicited email, phone call, text message, or instant message. It’s important to exercise the same caution at work. Keep in mind that cybercriminals can create email addresses and websites that look legitimate. Scammers can fake caller ID information. Hackers can even take over company social media accounts and send seemingly legitimate messages.

It might sound obvious, but it’s important not to leak your company’s data, sensitive information, or intellectual property. For instance, if you share a picture online that shows a whiteboard or computer screen in the background, you could accidentally reveal information someone outside the company shouldn’t see.

By the same token, be careful to respect the intellectual property of other companies. Even if it’s accidental, sharing or using the IP or trade secrets of other companies could get both you and your company into trouble.

Your company can help protect its employees, customers, and data by creating and distributing business policies that cover topics such as how to destroy data that’s no longer needed and how to report suspicious emails or ransomware.

2. Avoid pop-ups, unknown emails, and links

Beware of phishing. Phishers try to trick you into clicking on a link that may result in a security breach.

Phishers prey on employees in hopes they will open pop-up windows or other malicious links that could have viruses and malware embedded in them. That’s why it’s important to be cautious of links and attachments in emails from senders you don’t recognize. With just one click, you could enable hackers to infiltrate your organization’s computer network.

Here’s a rule to follow: Never enter personal or company information in response to an email, pop-up webpage, or any other form of communication you didn’t initiate. Phishing can lead to identity theft. It’s also the way most ransomware attacks occur.

Your company can help by employing email authentication technology that blocks these suspicious emails. You’ll usually be notified that the email has been sent to a quarantine folder, where you can check to see if it’s legitimate or not.

Be cautious. If you’re unsure about the legitimacy of an email or other communication, always contact your security department or security lead.

3. Use strong password protection and authentication

Strong, complex passwords can help stop cyberthieves from accessing company information. Simple passwords can make access easy. If a cybercriminal figures out your password, it could give them access to the company’s network. Creating unique, complex passwords is essential.

A strong password contains at least 10 characters and includes numbers, symbols, and capital and lowercase letters. Companies also should ask you to change your passwords on a regular basis. Changing and remembering all of your passwords may be challenging. A password manager can help.

Companies may also require multi-factor authentication when you try to access sensitive network areas. This adds an additional layer of protection by asking you to take at least one extra step — such as providing a temporary code that is sent to your smartphone — to log in.

4. Connect to secure Wi-Fi

Office Wi-Fi networks should be secure, encrypted, and hidden. If you’re working remotely, you can help protect data by using a virtual private network, if your company has one. A VPN is essential when doing work outside of the office or on a business trip. Public Wi-Fi networks can be risky and make your data vulnerable to being intercepted.

But keep in mind, some VPNs are safer than others. If your company has a VPN it trusts, make sure you know how to connect to it and use it. Norton Secure VPN provides powerful VPN protection that can help keep your information private on public Wi-Fi.

5. Enable firewall protection at work and at home

Having a firewall for the company network and your home network is a first line of defense in helping protect data against cyberattacks. Firewalls prevent unauthorized users from accessing your websites, mail services, and other sources of information that can be accessed from the web.

Don’t just rely on your company’s firewall. Install one on your home network if you work from home. Ask your company if they provide firewall software.

6. Invest in security systems

Smaller businesses might hesitate when considering the cost of investing in a quality security system. That usually includes protections such as strong antivirus and malware detection, external hard drives that back up data, and regular system checks. But making that investment early could save companies and employees from the possible financial and legal costs of being breached.

All of the devices you use at work and at home should have the protection of strong security software. It’s important for your company to provide data security in the workplace, but alert your IT department or Information Security manager if you see anything suspicious that might indicate a security issue. There may be a flaw in the system that the company needs to patch or fix. The quicker you report an issue, the better.

7. Install security software updates and back up your files

Following IT security best practices means keeping your security software, web browsers, and operating systems updated with the latest protections. Antivirus and anti-malware protections are frequently revised to target and respond to new cyberthreats.

If your company sends out instructions for security updates, install them right away. This also applies to personal devices you use at work. Installing updates promptly helps defend against the latest cyberthreats.

Cyberthreats often take aim at your data. That’s why it’s a best practice to secure and back up files in case of a data breach or a malware attack. Your company will probably have rules about how and where to back up data. Important files might be stored offline, on an external hard drive, or in the cloud.

8. Talk to your IT department

Your IT department is your friend. Reach out to your company’s support team about information security. You might have plenty to talk about.

It’s a good idea to work with IT if something like a software update hits a snag. Don’t let a simple problem become more complex by attempting to “fix” it. If you’re unsure, IT can help.

It’s also smart to report security warnings from your internet security software to IT. They might not be aware of all threats that occur.

It’s also important to stay in touch when traveling. Let your IT department know before you go, especially if you’re going to be using public Wi-Fi. Have a great trip — but don’t forget your VPN.

Remember to make sure IT is, well, IT. Beware of tech support scams. You might receive a phishing email from someone claiming to be from IT. The goal is to trick you into installing malware on your computer or mobile device, or providing sensitive data. What to do? Don’t provide any information. Instead, contact your IT department right away.

9. Employ third-party controls

Here’s a fact that might be surprising. It’s common for data breaches to begin from within companies. That’s why organizations need to consider and limit employee access to customer and client information.

You might be an employee in charge of accessing and using the confidential information of customers, clients, and other employees. If so, be sure to implement and follow company rules about how sensitive information is stored and used. If you’re in charge of protecting hard or soft copies, you’re the defender of this data from unauthorized third parties.

Companies and their employees may also have to monitor third parties, such as consultants or former employees, who have temporary access to the organization’s computer network. It’s important to restrict third-party access to certain areas and remember to deactivate access when they finish the job.

10. Embrace education and training

Smart companies take the time to train their employees. Your responsibility includes knowing your company’s cybersecurity policies and what’s expected of you. That includes following them. If you’re unsure about a policy, ask.

Here’s an example. Maybe you wear a smart watch at work. It’s important to protect personal devices with the most up-to-date security. You’ll also want to know and follow your company’s Acceptable Electronic Use (AEU) policy. When you Bring Your Own Device — also known as BYOD — ask your IT department if your device is allowed to access corporate data before you upload anything to it. Always be sure to use authorized applications to access sensitive documents.

A little technical savvy helps, too. Learning the process for allowing IT to connect to your devices, along with basic computer hardware terms, is helpful. That knowledge can save time when you contact support and they need quick access and information to resolve an issue.

If you want to back up data to the cloud, be sure to talk to your IT department first for a list of acceptable cloud services. Organizations can make this part of their AEU policy. Violation of the policy might be a cause for dismissal.

You can prevent a data breach

Having the right knowledge — like the 10 cybersecurity best practices that every employee should know — can help reduce your company’s vulnerability to a breach. Remember: just one click on a corrupt link could let in a hacker. Just one failure to fix a flaw quickly could leave your employer vulnerable to a cyberattack.

It’s part of your job to engage in safe online behavior and to reach out to your IT department when you encounter anything suspicious or need help.

Staying on top of these cybersecurity practices could be the difference between a secure company and one that a hacker might target.


Copyright © 2019 Symantec Corporation. All rights reserved.