5 Bad Cybersecurity Habits Your Employees Should Drop

Whether your business is small, large or somewhere in-between, cybersecurity should always be at the top of your mind. If you have protective measures in place, you’re going a long way in keeping your company’s data safe and setting it up for the digital future.

But what about your employees? Here, the experts at ESET share the 5 bad cybersecurity habits your team might have that are putting your company at risk — and how you can overcome them.

#1 Not securing their internet connection

With the rise in remote work, many employees are taking full advantage of the flexibility and working from home, co-working spaces, cafes, libraries and other places aside from the office. They’re also making the most of time spent waiting at the airport or the doctor’s office to hop on the WiFi and get some work done.

As a business owner, it’s inevitable that your staff members are going to move around to some extent during the day. To protect your company’s privacy and any data that is accessed by your team online, ask your employees to connect to a Virtual Private Network (VPN) when they log in to work.

VPNs secure WiFi networks, encrypt data and hide IP addresses so you can stay anonymous online. They go a long way in strengthening your business’ cybersecurity, especially when employees are browsing the intranet and other internal systems. VPNs can be used on desktops, laptops and smartphones, which means your employees can secure their internet connection even when they’re checking emails on the go.

Top tip: While you’re at it, ask your team to turn on their router’s firewall when WFH. This will filter traffic trying to enter and exit their network to prevent hackers from gaining access.

#2 Using personal devices for work

Chances are, you’ve taken steps to protect the devices you provide employees. Maybe you’ve invested in anti-malware software for business that helps to prevent ransomware, malware and identity theft, all cyberattacks that can be devastating for a business. Maybe you’ve had your IT department set up spam filters for email accounts, and block certain types of content or sites. Or maybe you have a remote management feature in place which means you can monitor your business cybersecurity from afar.

For these reasons, work computers, laptops and smartphones should only be used for work reasons. And on the flip side, your employees shouldn’t be using personal devices for work. They may not have strong protections in place, which leaves your company vulnerable to cybercriminals.

Still building up your business and can’t offer each employee a dedicated device just yet? That’s understandable. To boost security, ask your staff to use different browsers for work and personal searches, and avoid storing their personal passwords, if possible.

#3 Visiting non-secure websites

All sites fall into one of two categories: secure or non-secure. The quickest way to figure out whether a site is secure is by looking at the URL.

URLs starting with “https” are safe and secure, and you’ll see a little lock icon in the toolbar confirming this. Hypertext Transfer Protocol Secure (HTTPS) sites are encrypted, and protect the information submitted by the site’s users with Secure Sockets Layer (SSL) technology. In plain English, secure sites make sure that any data passed between the site’s visitors and servers is kept private. When you think of the kind of information you might give to a site — like credit card details or passwords — this type of security is key.

On the other hand, if a URL starts with “http,” that means it’s not secure. Hypertext Transfer Protocol (HTTP) is an older technology that allows servers and browsers to speak to each other. But that communication isn’t encrypted, making it easier for cybercriminals to hack into those sites and access sensitive information. In short, if your employees are browsing non-secure websites, there’s no guarantee their information will remain safe and private — which is a big problem if they’re using company devices.

#4 Taking the bait with phishing attempts

Phishing scams are incredibly common, with hackers trying to trick people into clicking on malicious emails and social media messages. If one of your employees falls victim to phishing, they could end up downloading a virus onto a company device, losing data or dealing with another side-effect that could be bad news for your business.

The issue with phishing scams is that they tend to look authentic. Cybercriminals often send messages posing as healthcare facilities, banks or other legitimate companies. The emails are usually on familiar templates, with familiar logos, names and content.

But there are a few red flags to look for, which is why it’s worth training your employees on how to protect your business from hackers. They should treat an email or message as suspicious if it has typos and odd turns of phrase, or is trying to get you to take action ASAP. The same goes for email addresses with lots of numbers or symbols, or emails that include unsolicited links or attachments.

If your employees do get an email from an unknown sender, they shouldn’t open it. Instead, instruct them to mark it as spam and send it to your IT professional, if you have one.

#5 Ignoring password hygiene

Passwords aren’t meant to be reused or recycled. Many people use the same (or similar) password across multiple accounts. While this makes it easier to track your passwords, it also means that if a hacker guesses it, they can tap into more personal, sensitive or financial information than you bargained for.

As part of your cybersecurity training for employees, teach your team to create a complex, unique password for every one of their accounts. Each password should contain a mix of uppercase and lowercase letters, numbers and symbols, and be made up of 12 characters or more. Plus, they should switch up their passwords regularly — every three months is a good guide.

You might consider investing in a password manager as well. These operate like password vaults and can store and encrypt your employees’ passwords so they don’t need to memorise them. They also notify you if your accounts have been compromised, so you can quickly change the password.

Passwords aside, setting up multi-factor authentication (MFA) is a great idea. With MFA in place, your employees will need to enter their username, password and one more piece of information — like a code sent to their phone — before they can log into company accounts.

Rely on premium software to prevent cyberattacks

Even with all the cybersecurity training in the world, people make mistakes — so it’s worth investing in business malware protection to give you peace of mind.

ESET Protect Complete defends against a range of cyberattacks, safeguards WiFi networks and webcams, and scans attachments and images for viruses. It also protects your cloud email, collaboration and storage systems (like Google Drive), and offers endpoint protection, which is crucial when employees are working remotely using company devices. The software has a remote management feature, so you can take charge of your business’ work from home security, no matter where your staff are located.

Adam Hansen

Adam is a part time journalist, entrepreneur, investor and father.