It’s National Cybersecurity Awareness Month (NCSAM) and this week’s theme is “Cybersecurity in the workplace is everyone’s business”.
I’m a Service Engineer working in IT at Sophos and Naked Security asked me to share my thoughts on the mistakes that the IT people in your workplace secretly wish you wouldn’t make.
Your IT guys and girls will thank you for reading it!
1. Lock your computer
Plenty of people lock their computers when they walk away from their desks, but enough people don’t bother that this one is top of my list.
Remember to lock your computer!
Your screen isn’t meant for anyone else’s eyes so if you’re not looking at it, nobody else should be looking at it either. Nobody else should be using your login either, no matter if it’s a colleague sending a joke email in your name when you go for a coffee or a rogue employee rifling through your stuff for confidential information.
To lock your Windows computer use CTRL+ALT+DEL and select Lock, or press ⊞+L. (That square character is the key with the Windows logo on it.)
On a Mac press CTRL+⌘+Q (the four-leafed clover key is also labelled “command”), or press the power button briefly.
2. Loose lips sink ships
The expression “loose lips sink ships” was used in World War 2 to warn of the dangers of unguarded talk. It works in cyber security too.
It’s easy to leak information by accidentally sending things to the wrong people, saying the wrong thing in the wrong place, mislaying printed documents or leaving meeting rooms without erasing whiteboards.
So, re-read what you’re about to send in emails, instant messages or texts, and make sure that what you’re about to send will go to your intended recipients.
Review files before attaching them – it’s easy to leak sensitive information if it’s in a small section of a much bigger spreadsheet or document.
When you’re talking, be aware of where you’re standing and who is around you. Ask yourself if it’s appropriate to share what you’re saying about sales figures, targets, staffing or whatever else you’re talking about with the people in earshot.
And erase the whiteboard before you leave a meeting room. It’s not just a courtesy for the next users of the room, but a routine precaution that ensures nothing confidential will find its way onto the mobile phone of a camera-happy passer-by.
3. Save regularly
I’m aware of how easy it is to get sucked into whatever it is you’re doing but we can’t protect things that you haven’t saved. Saving things regularly, to the appropriate place – such as network drives – ensures that the data you have is secure in the event that your laptop is stolen.
We’ll make sure your work laptop is encrypted so that your data won’t end up in the wrong hands if your laptop is lost or stolen, but we can’t recover your data if you haven’t saved it somewhere safe and secure where we can keep an eye on it for you.
4. Separate personal and professional
If you use your home email, personal WhatsApp account – or anything else outside the reach of your IT department’s policies – for work, then we can’t protect you and you’ll be answerable for the consequences.
If you use your work computer, email or phone for personal stuff, for eBay, PayPal, adult websites (it happens), pictures of your kids and pets, or anything else, it won’t be there if you leave the company. As an IT professional the first thing I’ll do after revoking your access is to wipe your stuff, poof, gone!
And, whilst I can assure you that almost all of us in IT are lovely and would never take advantage of the information you’ve left behind, there will always be some bad apples. The principle of least privilege applies – we don’t need access to your personal stuff so we shouldn’t have it.
5. Tell us what happened (seriously, tell us everything)
Finally, if you have to report something to your IT department please, please don’t cut down or amend your story. We want to know everything. Something small and insignificant can drastically change the troubleshooting steps we need to go through and even a small detail missed can reduce our efficiency and effectiveness.
We want to know literally everything you can remember before and after an event to build a better picture of what happened. (We will find it eventually and be annoyed you didn’t share!)
We’re on your side, and we’d love to have you on ours – we’re all in this together.