HR plays an important role in any company, managing the employee lifecycle and ensuring the wellbeing and fair treatment of the workforce. Due to the nature of their work, HR professionals are used to communicating with many different people both inside and outside of the company, meaning it is even more important to ensure there is good cybersecurity measures in place. These individuals could be targeted by a phishing attempt, and perhaps could be seen as more likely to fall victim, due to the fact it is normal practice to communicate with such a variety of people in the job. Whilst some cybersecurity risks can be managed with IT infrastructure such as antivirus technologies and good email security, having a clear policy on good cyber hygiene behaviours helps to protect everybody, including those in HR, from unintentionally increasing the risks of being the victim of a cybercrime.
Is Security Awareness Training a good idea?
Firstly, investing in Security Awareness Training (SAT) for all staff within an organisation means that everybody has a better understanding of their online risk, and the things they can do to help themselves. It explains key risks such as phishing and ransomware, as well as how to spot them, prompting you to consider the processes you do or do not have in place for if a potential incident was to occur. Additionally, explaining the threat landscape helps to reinforce to staff why certain policies and rules are in place, making them more likely to be followed.
Security Awareness Training (SAT) is offered by the ECRC as an affordable way to start an open dialogue amongst your staff about all things cyber-crime. This is delivered by students working as part of CyberPATH programme. Through CyberPATH, students are trained and monitored by senior ethical hackers to provide a selection of cyber services to businesses, which supports the future cyber talent pipeline and keeps the cost to a minimum.
Do Strong Passwords Make a Difference?
As well as thorough training, it is important to understand the basic online behaviours that should be in place to help protect any individual or organisation. One of these is the use of strong passwords and MFA. People use passwords all the time for lots of online accounts. However, for the sake of convenience many people use simple passwords and often reuse the same one for multiple purposes. The issue with this is that if one account is compromised, it puts any other account with the same password in jeopardy of also being compromised. A forgotten account from many years ago may appear in a data breach, but if this same password is still used for more important things, such as an email account, this could get breached too. This is why it is important that different passwords are used for each account you have.
In terms of password strength, they should be long, complex, and not containing any personal information that could be guessed, such as family names or football teams. The National Cyber Security Centre (NCSC) recommends using a method called ‘Three Random Words’ to generate a strong password. As the name suggests, this involves creating a random sentence (e.g. ‘The spider danced into the ocean’) and extracting three words from it before amalgamating them into a password (e.g. ‘spidertrippedocean’). Special characters or numbers can be added to increase complexity if necessary.
Another valuable tool for generating and remembering passwords is to invest in a password manager. This is a secure online space that can store your passwords and input them for you when required. Using a password manager allows you to use different strong passwords for all your accounts, whilst only having to remember one yourself. However, the disadvantage of this is that you cannot forget the password to the password manager, and if it were to be breached then all your passwords are in one place. Password managers are increasingly being integrated into smartphones and are a fantastic resource to help you generate and use strong passwords on your accounts.
Another good cyber behaviour is the use of multi-factor authentication (MFA), sometimes referred to as 2-step verification (2SV). MFA adds an additional layer of security onto your online accounts, requiring another form of verification as well as your password for you to access your account. This additional factor can take many forms, such as a fingerprint, passcode, verification via text, or a security question. The advantage of MFA is that your account cannot be accessed without this additional factor. This means that if your password is compromised there is still another layer of defence in place. Additionally, the extra factor often requires something unique to the individual, such as their specific mobile device, making it much more difficult for criminals to infiltrate.
Ultimately, using strong passwords and MFA makes a significant impact to the security of your online accounts. Having a good password policy is a free way of bolstering your online security and ensuring that weak passwords are not providing an easy way in for online criminals to harm your business.
What else can the ECRC do?
Signing up as a free member of the ECRC ensures you are supported in making impactive choices to improve your cyber resilience. Our free membership signs you up to receive regular newsletters via email as well as up-to-date cyber guidance around several different topics. These emails deliver informative and proactive steps directly to your inbox, designed to be succinct and accessible to a non-technical audience. The ECRC also signpost towards other free resources provided by the National Cyber Security Centre, such as Exercise in a Box and the Cyber Action Plan, to help you improve your cyber resilience for free.
Additionally, the ECRC offers several affordable cyber services, delivered through CyberPATH, to assist organisations with assessing their current cyber security at a fractional cost to the business. Security Awareness Training is one of these services, but there are also several vulnerability assessments on offer as well.
If you would like free guidance on improving your cyber resilience, then sign up as a member today.
If you have any questions or would like to learn more about cyber resilience and what the ECRC can do for you, you can book a chat with us here.
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)
