Information security awareness best practices

Consider common schemes, remote work risks, password security, and more.

October 5, 2020

Cyber threats occupy matrixed attack vectors across numerous organizational assets, making it vital to have a layered security program that implements physical, technical, and administrative controls.

Here, in honor of National Cybersecurity Awareness Month, are some common threats enterprises face in the novel work environments of 2020.

Phishing, smishing, and vishing

Phishing and smishing, social engineering attacks delivered through email and SMS text messages, respectively, are the most frequent threats impacting organizations today.

The increased use of personal devices stemming from unexpected work-from-home environments, coupled with national economic and political volatility, have dramatically increased the success rate of social engineering attacks.

The general rule of never clicking a link or opening a file enclosed in a message before validating the sender remains the foundational principal of a strong defense.

Always double check before interacting with digital media, and report phishing messages in accordance with your organization’s security policies.

Vishing—deception over the phone to gain sensitive information—is a tactic used by many bad actors to get nonpublic information from a person or organization. If you receive an unsuspecting call, never give out any personally identifiable information.

The same rules that apply for phishing and smishing also apply for vishing: verify the phone call before giving away any information about yourself. Bad actors will use any information possible to compromise a person or organization for malicious purposes.

Let’s get technical

Ransomware and malware may be out of the hands of the average employee at an organization, but there are still ways to detect if a virus has infected your device without deep information technology (IT) expertise.

If your computer has excessive pop-ups or is running unusually slow, you may have a form of malware on your computer.

Malware is primarily delivered through phishing attacks. If you suspect your company device may be infected, inform your IT department immediately so they may take the appropriate steps to contain and mitigate the event.

Working from home

The volatility of current events, uncertain economic outlook, and the global pandemic create opportunities for cyber criminals.

Work-from-home environments expose new vulnerabilities employees need to be aware of, including family members, neighbors, home break-ins, and at-home wireless networks.

Allowing family members or other people you live with to use your work devices could be potentially damaging to your organization. There is the chance that person could affect sensitive information you have on your computer, even if by accident.

In this case, it is best to use your work devices for work only and not let family members, roommates, or anyone else use them.

Remember, if you can hear your neighbors through the walls, they can also hear you. If you are discussing sensitive information, be aware of how loud you are talking and who could potentially hear you.

Also, keep your devices physically secure: routers, switches, IoT devices, personal computers, smartphones, and more. You can never be too safe, so take extra precautions such as locking away your devices to prevent theft and never leaving work devices in your vehicle.

In the rare case that you must, store the devices in a locked case and ensure it is hidden from view. Doing so may not prevent a thief from taking the case, but the lock presents one more layer of defense against cybercrime.

An often overlooked vulnerability is your at-home wireless network. If a bad actor can access your Wi-Fi, there are many tools they could use to spy on your internet traffic.

Thankfully, most wireless routers come with management apps and controls that can help protect your information. To prevent at-home Wi-Fi attacks, make sure your network is password protected, and turn on notifications so you are alerted when there is unusual activity on your network.

NEXT: Passwords


Everything needs a password—your work computer, phone, email accounts, internal software accounts, and so on.

In addition to the increasing number of password-protected accounts, each has varying rules for complexity and authentication.

Most people tend to use the same password for multiple accounts, increasing their exposure to risk. New standards strongly recommend the use of a long, easily remembered passphrase as opposed to an overly complex password with numbers, special characters, and letters.

Another solution to “remember” all of your different passwords is to use a password manager, which stores your passwords on your computer behind a single login—the only one you’d need to remember going forward.

There are many password managers out there, so it should be easy to find one that meets your needs. Just make sure the solution you choose securely stores your passwords with up-to-date encryption methods and protocols.

The art of human deception

In a perfect world, all people would be kind, genuine, and true to each other. The sad truth is that people will use your innocence, kindness, and good heartedness against you.

That brings us to social engineering: human manipulation to extract sensitive information from a person or organization.

Human manipulation can be used anywhere, at any time, by anyone, especially bad actors. As long as the attacker is manipulating someone to get information or goods for their benefit, it is considered social engineering.

A common and successful tactic to look out for is mail delivery workers carrying too many boxes. These bad actors pose as trusted agents to prey on human kindness to bypass verification policies to let them into your building.

Although it may seem rude at the moment, never let a person into your building or office without proper verification procedures. Instead, ask them to set the boxes down outside until you can verify their identity before letting them into the building.

Other well-known social engineering tactics include the pest inspector, elevator maintenance crew, or even cookie salesmen. Always verify outside persons with management or executive staff, and check for credentials to ensure they are who they say they are.

Most inspections and maintenance visits are scheduled, so unplanned visits should be treated as suspicious until proven otherwise. In addition to verification, fill out visitor logs and adhere to your organization’s escort policies so they are never left unattended.

Not so fast

If nothing else, slow down. Our world today is fast, and many have become complacent.

If you take a moment to slow down and read the text, hover over the malicious link, note the fraudulent sender, be aware of your surroundings, question the delivery person, and think about your actions before doing them, you can help reduce the chances of security incidents and breaches.

KATIE LANDRIEU is an information security analyst with TraceSecurity, a CUNA Strategic Services alliance provider.


Cyber Liability and Intelligence, a member benefit recorded webinar

5 keys to an effective risk management program