Communication technologies make it easier for anybody to access professional information or to connect to a work computer system from anywhere, using any device, including personal ones. The differentiation between professional and personal life in this context becomes more difficult to make, impacting the way to adequately protect professional data. It is thus important to adopt best practices on how to separate professional and personal usage.
Organisations should invest in devices specifically dedicated to, and only used for, professional purposes and distribute them to their collaborators. This ensures a clear separation between professional and personal usage. In addition, the organisation can make sure that security risks are controlled by the IT Responsible and that all security requirements are put in place (e.g., managing administrative rights to limit what a user can do on the device, forcing the installation of required security updates when needed, etc.).
With the many different accounts used on a daily basis, professionally and personally, it is important to set up a different password for each one of them. If one account then gets hacked, cybercriminals won’t be able to use the same password to access all the others. In addition, if the compromised password is associated with a professional account, it also puts the organisation itself in danger, as it opens the door to stealing data from and causing damage to its environment.
Passwords should be strong, combining uppercase, lowercase, numbers and symbols, and Multi-Factor Authentication (MFA) should be implemented wherever possible. MFA requires a user to provide at least two different methods (e.g., a password and a PIN code, or a PIN code and a code received via text message) to verify their identity before being granted access to the resource they are trying to reach.
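The two recommendations above (a unique, mixed-character password per account, plus a second factor) can be turned into concrete checks. The following Python script is an added example and not part of the original page: it audits a constructed password-manager export for reuse and weak passwords, and verifies a login with a salted password hash plus a time-based one-time code (RFC 6238 TOTP, standard library only). The account names, passwords and the TOTP secret are constructed sample values; the secret is the RFC 6238 test-vector key so the codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import string
import struct


# --- Password hygiene: mixed character classes, no reuse across accounts ---

def password_is_strong(password: str, min_length: int = 12) -> bool:
    """True if the password mixes upper, lower, digits and symbols and is long enough."""
    has_classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and all(has_classes)


def find_reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Group account names that share a password (vault = account -> password,
    as exported from a password manager). Any group of two or more is a reuse problem:
    one breached account exposes every account in the group."""
    by_password: dict[str, list[str]] = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accs) for accs in by_password.values() if len(accs) > 1]


# --- Second factor: time-based one-time code (RFC 6238 TOTP, HMAC-SHA1) ---

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code valid for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)           # big-endian 8-byte time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


# --- Server-side account record: salted password hash + TOTP secret ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(password: str, totp_secret_b32: str) -> dict:
    """Create the stored record for an account; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "totp_secret": totp_secret_b32}


def verify_login(record: dict, password: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Both factors must pass: the password (something you know) and the current
    one-time code (something you have). Codes from +/- `window` steps are accepted
    to tolerate clock drift. Both checks always run, so timing does not reveal
    which factor failed."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], unix_time + k * 30), code)
        for k in range(-window, window + 1)
    )
    return pw_ok and code_ok


# Constructed sample data (not real accounts). The TOTP secret is the RFC 6238
# test-vector key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_VAULT = {
    "work-mail": "Summer2024!",
    "webshop": "Summer2024!",        # reused: a webshop breach would expose work-mail
    "bank": "Tq7#mVx2pL!q",
}

if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("weak:", [a for a, p in SAMPLE_VAULT.items() if not password_is_strong(p)])
    rec = register("Tq7#mVx2pL!q", SAMPLE_SECRET)
    now = 59  # RFC 6238 test time; a real server uses int(time.time())
    print("login ok:", verify_login(rec, "Tq7#mVx2pL!q", totp(SAMPLE_SECRET, now), now))
```

The reuse audit compares plaintext passwords because it is meant to run locally over your own password-manager export; the server-side record, by contrast, only keeps a salted PBKDF2 hash. The TOTP routine is the same algorithm used by authenticator apps, so a code printed by this script for the sample secret matches what such an app would show for it.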
It is better to have separate communication accounts for professional and personal exchanges. This way, the risk of accidentally leaking confidential corporate data to family and friends is minimised. In the same way, a personal matter is less likely to spread within the work environment. In addition, personal communication services are less secure than professional ones. It is thus easier for cybercriminals to hack a personal account, and if the two are mixed up, they can more easily access confidential corporate data.
Personal backup services usually have fewer security controls in place, as people tend to rely mainly on those built in by the provider. Organisations put more effort into securing their backup services because of the confidentiality of their data. Saving corporate data on personal backup accounts can be against many organisations’ acceptable use policy due to the confidential information it holds. In addition, if your personal backup account gets hacked, you are putting the organisation at risk by exposing its information.
Only trusted removable media approved by the IT Responsible should be plugged into professional devices. In addition, separate removable media should be used for professional and personal devices. This way, if one gets compromised, the other still stays safe.
Organisations should implement a dedicated network that requires credentials to connect and is separated from the internal corporate network. This dedicated network allows not only guests to connect to the Internet when visiting the organisation, but also collaborators to carry out their limited private operations on personal devices when the organisation allows it.
7. Avoid using unknown and public Wi-Fi
Public Wi-Fi is a handy solution, as people can access professional resources, shop online, browse websites or manage their social media almost everywhere. However, as its name indicates, it is public and everyone can access it, including scammers and criminals. If it is wrongly configured, public Wi-Fi can be used to monitor the activities of the people connected to it and steal their information by intercepting the data being transmitted. Public Wi-Fi should only be used when strictly needed and no other option is available. In addition, a Virtual Private Network (VPN) should be used when connecting to public Wi-Fi. A VPN encrypts the device's internet traffic so that it is hidden from anyone trying to intercept the data being transmitted.
Usually, organisations allow their collaborators to use the corporate network for limited private purposes. No matter the security controls an organisation has in place, it is always possible to inadvertently download a virus onto the corporate network or open up access to it. In addition, organisations are allowed to monitor what is accessed and done on the web when collaborators are using the corporate network. Therefore, private matters that are better kept away from the work environment shouldn’t be accessed when using that network. Finally, organisations can hold you accountable for any illegal downloads or publications of hateful content you might engage in when using the corporate network.
Social media offer a wide reach, and it is not always possible to fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as it could be used for malicious purposes. In addition, work-related posts should be written carefully, as they could harm the organisation even when shared by a collaborator and not by the organisation’s own account.
Besides that, all information shared online by others should be read and re-shared carefully. Anyone can post whatever they want online; there is no control in place to verify the veracity of the message shared. Cybercriminals use this to share messages (e.g., fake news, promotions) that can have serious consequences. By re-sharing those yourself, you could be spreading harmful messages to your network.
It is important to download an application only from the official vendor, to avoid installing a virus instead. Many cybercriminals offer free versions of an application to convince you to download it, when in reality they will use it to access your devices and steal confidential information. A good way to check whether a website is legitimate is to look at the number of downloads and the opinions of other users before installing a new application.
Since it can take only one vulnerability in a system, application or device for cybercriminals to cause damage and get access to information, installing updates as soon as they are available is crucial. It ensures a strong cyber defence and makes sure that the system version being used is still supported by the vendor.
There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims to damage resources, delete files, slow down performance or steal confidential information. Once a virus is on the computer, it takes time, effort and money to remove it. This is why it is better to protect all devices, personal and professional, with antivirus software upfront.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.