Security awareness does NOT end at the virtual edge of your business. Your employees’ personal cybersecurity matters too!

Your cyber team might tell you that you should only worry about protecting your assets, and draw a hard line at personal devices. However, many businesses allow remote access via BYOD (bring your own device). So, if your employees are accessing email or IMs (Teams, Slack, etc.) on a personal device, you SHOULD care about protecting that device too, since it is now an edge of your business’s intranet.
Think about it simply. Your CEO’s son likes to “sail the high seas” and one of his torrents comes with malware. That malware plants infostealer spyware on their home router, which moves laterally across the network and reaches the CEO’s personal PC. Then the CEO checks her email on her home PC – she was awaiting an important message on a potential merger. She got the message. So did the hacker running the spyware. And since she was using Outlook, the spyware took the liberty of copying the .pst file that stores the whole inbox. Yes, the new Outlook is a bit different, but then they just need to copy %localappdata%\Microsoft\Olk\ to get the emails and attachments, assuming of course that the screenshots or desktop recordings they also took weren’t already enough.
You can’t control every employee’s home network of course, but you can help them protect it.

Encourage your employees to have personal device protection, like an NGAV firewall or proper antivirus
The default firewalls and antivirus that come with your OS, like Windows Defender and XProtect, are relatively easy for hackers to shut down. Many ransomware-as-a-service kits on the dark web now come with scripts to remove some of the more popular antivirus and firewall products, but the commercial products DO have the opportunity to make themselves harder to remove, for example by password-locking the uninstaller or requiring removal in Safe Mode. Due to regulatory requirements – particularly in the EU – OS vendors MUST make their optional services easy to remove.
Personally, we find ESET to be a good mix of functionality, security, and cost, and we use it on our own personal AI and gaming devices, where performance impact matters. We’ve worked with them, have a great relationship with their team, and can negotiate a good deal for you on both their consumer and enterprise products. That includes the gamified cybersecurity training that our own team uses – ESET keeps it up to date with modern threats.

Ask your employees when they last patched their routers, if the router isn’t owned by their ISP
Most modern ISP router/modem combos have some mechanism for automatic firmware updates. For example, DOCSIS 3.0 devices can be sent a forced firmware update by the ISP. However, some don’t have that, and it only works if the modem and router are a single combined unit. Ask your employees when they last did firmware updates. Even for their motherboards (see https://www.youtube.com/watch?v=Vy_KWP04pfs for an example of why). When was the last time YOU did it?

Have your security/IT team run a workshop or office hours for this
We know how it is. Not everyone is a natural with technology. Old or young, lots of people are intimidated by computer maintenance and just need an expert by their side to give them confidence. Consider providing that to your employees by holding “IT Office Hours” for personal devices. Not only will your employees be able to take advantage of the help, but by being put in that position, IT teams will gain practical experience working on different systems as well as motivation to do better at securing the company’s systems. And socializing. It’s a psychology thing called Role Conformity: by being put in the role of teachers, they get better at the soft skills of teaching and reinforce their IT and cybersecurity skills.

PATs and password managers – make sure folks are using them right, and have a backup!
Personal access tokens, passkeys, and password managers are the current recommendation for keeping your logins secure. The best password management services also include dark web/compromise monitoring to proactively inform you of a breach. After all, ain’t nobody got time for reading all the breach news to find out if it affects you.
One thing we’ve found is that many people don’t have a backup of their passwords or OTP authentication tokens. If you lose the phone that holds your second factors, what will you do?
Encourage your staff to keep a backup of their phone, or use an OTP app that syncs to the cloud. Also, on the topic of backups, remind your team (and yourself) to take a backup of important files and documents. You can use our affiliate link to iDrive to get 25% off their plan. We’ve assessed a number of different solutions for personal backup and found iDrive to be the best mix of ease of use, security, price, and overall value for the common home consumer.

Teach people about detecting AI-generated content — look for the em dash!
Newer scams use AI-generated messages to sound more legitimate, with correct grammar and spelling. When looking for AI-generated emails, a dead giveaway is the em dash (—). AI language models seem to have an obsession with using dashes like this in their outputs, and most people do not know how to type one normally.
Just because it’s AI doesn’t automatically make it bad. It should just indicate that you should be extra cautious with buttons and links in it – refer to our other article on modern phishing threats for more detail on why, as well as our article on this being a component of more advanced business email compromise fraud.
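A mail-filter heuristic for the em-dash tell described above, added here as an example and not code from the original article: it counts U+2014 em dashes (including HTML-encoded ones), keeps them distinct from the en dash people type by accident, and only raises an "extra caution" flag when links or buttons are present, matching the advice that AI-written mail warrants care rather than outright blocking. The sample messages are constructed.

```python
import html
import re
from dataclasses import dataclass

EM_DASH = "\u2014"   # "—": the tell described in the article
EN_DASH = "\u2013"   # "–": a different code point, common in ordinary typing
# Crude detector for links and HTML buttons, the things to be cautious with
LINK_RE = re.compile(r"https?://\S+|<a\b[^>]*href=|<button\b", re.IGNORECASE)


@dataclass
class Assessment:
    em_dashes: int
    en_dashes: int
    links: int
    extra_caution: bool   # True whenever the em-dash tell appears at all
    note: str


def assess_email(body: str) -> Assessment:
    """Heuristic only: an em dash means 'be careful', not 'malicious'."""
    # HTML mail may encode the dash as &mdash; or &#8212;, so unescape first
    text = html.unescape(body)
    em = text.count(EM_DASH)
    en = text.count(EN_DASH)
    links = len(LINK_RE.findall(text))
    if em and links:
        note = "em dash present and message contains links/buttons: verify sender before clicking"
    elif em:
        note = "em dash present: possibly AI-generated, read with extra care"
    else:
        note = "no em dash tell"
    return Assessment(em, en, links, em > 0, note)


# Constructed sample messages (not real mail)
SAMPLES = {
    "ai_style": "Hi Dana \u2014 I\u2019ve attached the revised contract \u2014 "
                "please sign it at https://example.invalid/sign today.",
    "html_style": "Hi Dana &mdash; your invoice is ready. <a href=\"https://example.invalid\">View</a>",
    "human_style": "hey dana - contract attached, lemme know by EOD",
    "en_dash_only": "Meeting moved to 3\u20134 pm, see the calendar invite.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {assess_email(body)}")
```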

Partner with HR – include these as an employee benefit and socialize it
This is where knowing your people comes in handy. You’ll likely need both HR and legal leadership to weigh in on this, to ensure that the company is willing to dedicate the IT resources to it and that your country/state laws are compatible with this type of benefit. Some businesses may determine this type of project to be a legal liability they cannot accept, and that’s fair. Others may be able to put a disclaimer on the personal-cybersecurity IT office hours in a way that protects all parties. We’re not lawyers, and have seen it go both ways.
If legal is cool with it, the selling points to HR are pretty simple – especially if your company email is accessible on personal devices.
- Reinforce good cybersecurity practices outside of the office so they become “common sense” rather than something people have to actively pay attention to
- Give IT personnel more practical experience working on different systems, which improves efficiency as they develop a more practiced understanding of their craft. Eventually it becomes muscle memory.
- The repetitive nature of the exercise will encourage automation and scripting, which are natural upskills along IT career paths.
- Occasionally, someone may have a novel personal setup that inspires improvements to the business IT infrastructure.
