Bryan Schwam, CISO, ISC, shares several cybersecurity measures your agency and its employees should be taking to help minimize the potential for data breaches and other cyberattacks whether your staff boots up at the office, home, or a public place.
Working at the Office
It’s important for employees to be mindful that their work includes access to confidential client information and protected personal data, and to handle that information accordingly. To protect the integrity of the work and to reinforce the importance of cybersecurity, we recommend sharing the following measures with your staff:
- Lock your computer screen whenever you step away from your desk. On Windows, press the “Windows” key and “L” together. No one else should be able to view your screen, or use your logged-in session, while you are not there.
- Maintain a clean desk area throughout the day, and when you are ready to leave, lock any physical documents in a cabinet.
- Shred any confidential printed information you no longer need. If you have an electronic record of the document, there is no reason to keep a duplicate printed copy that someone can easily get their hands on.
- Be password-smart:
- Don’t write down your passwords (on sticky notes, for example) or use visual cues as a hint to help you remember a password. Bryan shares a story of an individual who had photos of his favorite quarterbacks from various teams on his computer screen. The individual’s PIN was made up of the numbers on each quarterback’s jersey. It didn’t take long for someone to figure this out and access his desktop.
- Use longer passwords, as they are much harder for attackers to guess or crack: every additional character multiplies the number of combinations an attacker has to try. Make sure your password is at least 12 characters long. A longer password can also be kept for a longer period of time (typically firms require employees to change their passwords every six months or annually).
- Store your passwords in a password manager or secure vault app such as LastPass or Password Vault, so that every account can have its own strong, unique password. All you need to remember is the master password for the app, so choose that one with particular care.
- Don’t let anyone else, including colleagues, work on your computer at any time, including during training. All activity that takes place on the computer is tied to your account, and therefore to you. If you are learning how to use a specific program, make sure you are the one controlling the mouse. If you need further assistance, a large insurance brokerage or agency typically has a help desk you can call; in smaller agencies, an internal IT person can answer your questions.
- Log out or sign out of all of your work accounts when you finish so that no one else can get hold of the information in them.
- Don’t leave any work documents or notes in your printer, fax machine, copy machines, on your desk, or in the conference room.
- Be sure you wear your badge (if you have one) at all times and don’t let anyone else use your badge. Treat the badge as if it’s a key to the office.
- Connect to the corporate virtual private network (VPN) at least once a week if you are not always in the office, so that your device receives the security fixes and patches the company pushes out. Many breaches of mobile devices (phones, tablets) exploit vulnerabilities for which a patch was already available but had not been installed.
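The advice on password length above rests on a simple multiplication: each extra character multiplies the search space by the size of the character set. The following added example (not from the original article or from ISC) works that out for the 8-, 12- and 16-character cases. The 95-symbol alphabet (printable ASCII) and the guess rate of ten billion guesses per second are assumptions for the sake of the calculation, chosen to approximate an offline attack on a fast password hash; real attackers also use dictionaries and patterns, so these numbers are an upper bound on the effort, not a guarantee.

```python
import math

# Assumed for the calculation: printable ASCII (letters, digits, punctuation,
# space) gives 95 possible symbols per position.
ALPHABET_SIZE = 95
# Assumed offline guess rate against a fast hash on commodity GPU hardware.
GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Strength in bits for a password chosen uniformly at random."""
    return length * math.log2(alphabet)


def years_to_exhaust(length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every password of this length at the given rate."""
    return keyspace(length) / rate / SECONDS_PER_YEAR


def compare_lengths(lengths=(8, 12, 16)) -> dict:
    """Build a small table: length -> (keyspace, bits, years to exhaust)."""
    return {
        n: {
            "keyspace": keyspace(n),
            "bits": round(entropy_bits(n), 1),
            "years_to_exhaust": years_to_exhaust(n),
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n, row in compare_lengths().items():
        print(f"{n:2d} chars: {row['bits']:5.1f} bits, "
              f"{row['years_to_exhaust']:.3g} years to exhaust at "
              f"{GUESSES_PER_SECOND:,} guesses/s")
```

Going from 8 to 12 characters multiplies the search space by 95 to the fourth power, roughly 81 million times, which is what turns a search measured in days into one measured in millions of years; this is why the 12-character minimum is a meaningful line rather than an arbitrary one.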
Working in Public Places
Starbucks, Peet’s, and other coffee joints have become popular spots for people to set up shop. While the drinks are great and the ambience is a welcome change to an office environment, public places are hot zones for cyberattacks. Bryan offers these tips when working in a public environment:
- Keep your screen out of view. You can do this by sitting in a spot with a wall behind you. This will prevent “shoulder surfing” – people looking over your shoulder to figure out your password and see what you’re working on. It will also prevent people from seeing what you’re typing on the keyboard. If there is no wall behind you, you can use an inexpensive privacy screen filter, which narrows the viewing angle so the display looks dark from the side, to prevent shoulder surfing.
- Never leave your laptop or mobile devices unattended. This may seem obvious but often people will leave their things at the table to order a drink or go to the restroom. Take your device with you no matter how inconvenient it may be.
- Don’t bring printed documents to public places. If you are in a position that involves getting signatures from clients, use DocuSign to mitigate the risk of confidential documents ending up in the wrong hands.
- Work over a secured VPN at all times. On free public Wi-Fi you don’t know who else is on the network or whether the establishment’s equipment is monitoring traffic; the VPN encrypts everything between your laptop and the office so that neither the venue nor other patrons can read or tamper with it.
- Don’t automatically connect to just any free Wi-Fi in order to reach the VPN. You may not be joining the establishment’s network at all: attackers often set up similarly named networks (“evil twins”) that have nothing to do with the establishment. Confirm the exact network name with staff before connecting, and only then bring up the VPN.
- Always use different passwords for work and personal sites. If a personal site is breached, attackers will try the leaked password against your work accounts; a unique work password means that attempt fails.
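The “similarly named network” problem is easy to demonstrate. The following added example (not from the original article or from ISC) takes a list of scanned Wi-Fi networks and flags the ones a careful user should distrust: a network with the same name as the one staff confirmed but different security (an open copy of a protected network), and networks whose names merely resemble it. The scan results are constructed for the example; the `Network` type, the `normalize` helper and the 0.8 similarity threshold are assumptions of this code, not part of any real tool. Note the caveat: a determined attacker can copy the name and security type exactly, so this check catches lazy twins only, and the VPN remains the real protection for the traffic.

```python
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str      # network name as broadcast
    bssid: str     # access point hardware address
    security: str  # "open", "wpa2", ...


# Constructed scan results for the example; not from any real venue.
SCAN = [
    Network("CafeGuest", "aa:bb:cc:00:00:01", "wpa2"),       # the real one
    Network("CafeGuest", "de:ad:be:ef:00:01", "open"),       # same name, open
    Network("Cafe Guest Free", "de:ad:be:ef:00:02", "open"),  # lookalike
    Network("CafeGuestt", "de:ad:be:ef:00:03", "open"),      # typo-squat
    Network("HomeNet-5G", "11:22:33:44:55:66", "wpa2"),      # unrelated
]


def normalize(ssid: str) -> str:
    """Lower-case and drop spaces/punctuation so 'Cafe Guest' == 'cafeguest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def suspicious_networks(scan, expected_ssid, expected_security, threshold=0.8):
    """Return (network, reason) pairs for networks that should not be trusted.

    expected_ssid / expected_security are what the venue's staff confirmed.
    """
    target = normalize(expected_ssid)
    flagged = []
    for net in scan:
        name = normalize(net.ssid)
        if name == target:
            # Same name as the confirmed network: legitimate venues do run
            # several access points under one name, so only the security
            # type distinguishes a copy from a second real access point.
            if net.security != expected_security:
                flagged.append((net, f"same name as '{expected_ssid}' but "
                                     f"{net.security} instead of {expected_security}"))
            continue
        # Different name that closely resembles the confirmed one.
        similarity = difflib.SequenceMatcher(None, name, target).ratio()
        if similarity >= threshold:
            flagged.append((net, f"name resembles '{expected_ssid}' "
                                 f"(similarity {similarity:.2f})"))
    return flagged


if __name__ == "__main__":
    for net, reason in suspicious_networks(SCAN, "CafeGuest", "wpa2"):
        print(f"AVOID {net.ssid!r} ({net.bssid}): {reason}")
```

Run against the constructed scan, the three `de:ad:be:ef:*` entries are flagged and the confirmed `CafeGuest` on `aa:bb:cc:00:00:01` is not. The same logic could be fed the output of the operating system’s own scanner (for instance `netsh wlan show networks mode=bssid` on Windows), but parsing that output is outside the scope of this example.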
When using public transportation or working in a public place, use a nondescript bag to carry your laptop. You don’t want to be a target for thieves who are eyeing a Louis Vuitton or Prada bag. Backpacks are better than bags with shoulder straps. Since backpacks go over both shoulders, they are harder to remove. Also, as difficult as it may be, when using public transportation, put your phone away to prevent theft.
Lastly, be aware of your company policies. Some companies do not permit employees to work from public places. In addition, accessing personal websites and email accounts as well as surfing the Internet from your desktop or company laptop are typically prohibited no matter where you are as these activities create potential cyber risks.