PERTH: Business etiquette has one golden rule: treat others with respect and care.
The same goes for encouraging cybersecurity in the workplace, on everything from the security of passwords to the protection of valuable information such as tax file numbers.
But how can you encourage good cyber behavior at work without getting cranky in the office?
The trick, as is often the case in life, is to encourage good behavior with tact and by offering helpful solutions. You are unlikely to get far by slandering or making fun of those who “do the wrong thing”.
In short, offer alternatives and do not blame.
Many organizations have policies to prevent password sharing (and most, by now, would actively discourage people from keeping passwords on a Post-it note stuck to a computer). However, asking others for a password is not necessarily considered taboo yet.
Maybe your colleague wants to use your computer and asks for your username. Or they may need to access a shared repository such as Dropbox but forgot the password.
If you’re hesitant to share your personal password or post a team password in Slack or in a group chat, your gut is correct. Passwords are extremely valuable information, and many catastrophic security breaches can be attributed to poor password management at work.
But if your coworker asks for a password, rather than responding with a short, crisp “no”, sweeten it up by asking them why they want it. If there’s a legitimate reason, work with them to resolve the issue – without revealing anything.
For example, instead of posting a Dropbox password to Slack, can you point them to your organization’s password manager and help them learn how to recover passwords from it? If it is computer access they need, can you help them restart a computer and sign in as a guest rather than as you?
Never send usernames and passwords by email.
If systems aren’t in place at work to help people who need access to a shared password or computer terminal, ask your IT team to find long-term solutions. This can include investing in a password manager such as 1Password, Dashlane, or LastPass.
Files can be shared across teams through OneDrive, Dropbox, or any other organizational repository to reduce the need for a coworker to access your computer to “just grab a file”.
SHARING OF SENSITIVE INFORMATION
It’s not uncommon for well-meaning IT, HR, finance, or administrative staff to ask you to fill out a form with sensitive information and simply “email it back”.
Even doctors and lawyers have been known to mismanage documents with signatures, tax file numbers, or other identifying information such as birthdays.
Don’t feel like you have to. The point is, this information is invaluable to hackers and identity thieves. If your workplace email has a data breach, malicious actors may be able to retrieve those scanned forms from the inboxes they’ve invaded.
Most organizations have secure ways to transfer files, ranging from a secure cloud storage solution to secure file sharing sites. Use them, never your personal email or cloud solutions.
If your organization doesn’t have a secure way to save files, you can use one and send the link to your colleague in a work email.
You can also send an encrypted PDF in an email, which means much tighter control over who can access the file.
Sometimes the safest solutions are the simplest. Go old school: present documents to the person instead of scanning and emailing them.
If you are prompted to send personal information in an insecure manner, hide your Pikachu face. Instead, say, “We’re supposed to transfer files this way. If you want, can I show you how for the next time?”
Offering a solution, rather than shaming, is much more likely to lead to change.
Job seekers may try to get their foot in the door by leaning on a friend or ex-colleague. Many of us would like to help a friend by forwarding their CV to the boss.
Unfortunately, malicious actors of all kinds know this as well. As discussed in this article, fake CVs can be emailed with a Microsoft Excel attachment.
Once opened, the attached file can launch malware that attempts to hijack private information, user credentials of targeted financial institutions, as well as passwords and cookies stored in web browsers. Attackers can then use what they have stolen to carry out financial transactions.
Malware isn’t just embedded in links and attachments – even LinkedIn posts can contain malware. The consequences of opening such links or attachments can be extreme and can even include ransomware (where hackers deny access to files or systems online until the victim pays).
Do not send a CV, especially if the person is a friend of a friend. Instead, pass the person’s name to the boss so they can search for them on LinkedIn.
Do not follow links sent to you, even from trusted contacts. Links can often be difficult to verify without clicking on them, and you may be redirected to a malicious site.
And if you’re looking for a job, demonstrate your own cybersecurity awareness by not distributing resumes or other documents that contain personal information that could be valuable to identity thieves. No birthdays or addresses – just an email, mobile number and LinkedIn.
The same rule applies to QR codes – don’t blindly open the web page a business card QR code points to. You can get more than what you bargained for.
Unfortunately, many workplaces still view poor cyber behavior as generally acceptable, and the pressure to do something dangerous, especially when short on time, can be intense.
But by acting with respect and helpfulness, you can improve your reputation in the office as a cybersecurity-aware staff member and help reduce risk to your organization.
Nathalie Collins is Academic Director of National Programs at Edith Cowan University. Jeff Volkheimer is Director of Collaboration and Workforce Services at Duke Health. Paul Haskell-Dowland is Associate Dean for Informatics and Security at Edith Cowan University. This commentary first appeared on The Conversation.