How to transform your Nonprofit, Tech Startup or Creative Agency team into the ultimate cybersecurity first line of defense

Great cybersecurity starts with a cyber aware team.  

However, this requires employers and business owners to invest in regular, long term cyber awareness training. Unfortunately, it doesn’t happen overnight, and the cyber threat landscape is constantly changing.  

Your employees aren’t as tech savvy or aware as you’d like to believe… 

They’re products of aging bodies and an endless to-do list of family and household responsibilities, just like you and me. There’s only so much time in a day and we only have so much energy to commit to it all. Then, on top of all that, they’re trying to manage multiple complex passwords, various devices, connectivity issues before they can even start the workday.   

It’s no wonder that the shift to remote work for most companies has opened a flood gate of cybercriminal activity. It’s no wonder that a transition marked with such increased business vulnerabilities is met with increased online shark attacks. You might be better off walking barefoot through a desert of cactuses. 

According to Malwarebytes Enduring from Home Report, the most concerning trends are threefold: 

1. More devices are being thrown into the mix from various locations to connect to work essential software tools. 
2. The deployment of antivirus software is not keeping pace with the increase in devices. 
3. Some organizations are wearing rose colored glasses. They think they’re doing a better cybersecurity job than they really are.  

Of the 200 IT and cybersecurity managers, directors and C-suite executives that were surveyed to produce the Malwarebytes Report: 

• 24% had to spend money unexpectedly to resolve a security breach or malware attack following the shelter-in-place orders 
• 20% said they faced a security breach because of a remote worker 
• 28% admitted to using personal devices for work more than their company devices 
• 18% acknowledged that cybersecurity was not a priority for employees. 
• 5% admitted that employees were a security risk and entirely unaware of best security best practices 

With so many cybersecurity threats circling around them and their team, what is a company to do?  

Here are things that you can start putting into place immediately on your own:    

• Schedule comprehensive quarterly live security awareness trainings, peppered with more frequent threats updates, with your staff. The more they know. They more they can help keep your business secure.   
• NEVER EVER share your credentials and avoid using the same passwords for personal and work. Tattoo this on your arm if you must but certainly make sure your team knows this is a big no-no. Also, if your organization works with interns or volunteers, create new credentials for them to use so you can track and monitor their logins in case of a breach. 
• Be sure to document your financial procedures and share them with your staff, vendors, and 3rd parties. This enables them to recognize, avoid and report any phishing email scams quickly. 
• Document and share your processes for staff onboarding and off-boarding with relevant team members. That way you can track who has access to what and when as well as cut off all access for those no longer with the company.   
• If you’re based in New York or serve NY-based residents, familiarize yourself with the NY Shield Act. Though the Act is broad in nature and does not mandate any specific safeguards, it does recommend the ones you should be adopted in this article in The National Law Review. Be aware that you could still be held accountable during a data breach. 

Here are things that you will need to find an IT and cybersecurity partner to assist you with:   

• Create a Written Information Security Policy (WISP) in which you spell out the administrative, technical and physical safeguards by which your company protects the regulated, restricted and confidential data of your employees and customers. This not only protects your people and clients, but it also helps protect your company legally. PLEASE be sure to have a lawyer sign off on this policy to ensure your legal protection. 
• Train your team in how to recognize, avoid and report phishing email schemes by having your IT partner implement phishing simulations to “test” them. Basically, your team will receive “phishing” emails to see how often they get opened and clicked and by whom.  
• Implement “link scanning.” These are additional services such as Microsoft Defender for Identity, Cyberfish, etc., that pass all links that arrive via email through a 3rd party scanner. This determines whether they are “valid” or malicious “fakes” designed to gain illegal access to your data. 
• Execute dark web monitoring. This scans the dark web to see if work emails, passwords and other data are being circulated there. If so, you’re notified so you can change the information asap to help prevent breaches.  
• Develop an Incident (Breach) Response Plan with your IT partner. This plan is critical in the advent of a data breach. Though it is best to do everything in your power to prevent a breach, sometimes they still happen. Your next best step is making sure you are properly prepared so you can contain and control the damage as much as possible.  

Looking for more information on cybersecurity?  

Sign up for the replay of our Protect Your People, Data and Devices: Cybersecurity Roadmap for 2021 webinar or reach out to schedule a free risk score assessment or consult with us via the form here.