How to encourage cyber-safe behaviour at work without becoming the office grouchNathalie Collins, Edith Cowan University; Jeff Volkheimer, Duke University, and Paul Haskell-Dowland, Edith Cowan University
Business etiquette has one golden rule: treat others with respect and care. The same is true for encouraging cyber safety at work, on everything from password security to keeping valuable information like tax file numbers safe.
But how can you encourage cyber-safe behaviour at work without becoming the office grouch?
The trick, as it often is in life, is to encourage the right behaviours tactfully and by offering helpful solutions. Vilifying or mocking those who “do the wrong thing” is unlikely to help.
In short, offer alternatives and not reproach.
Hey, what’s your password?
Many organisations have policies to prevent password sharing (and most, by now, would hopefully actively discourage people from keeping passwords on a Post-it note stuck to a computer). However, asking others for a password is not yet necessarily considered taboo.
Perhaps your colleague wants to use your computer and asks for your login. Or they may need access to a shared repository such as Dropbox but have forgotten the password.
If you’re reluctant to share your personal password, or broadcast a team password in Slack or on a group chat, your instincts are correct. Passwords are deeply valuable pieces of information, and many catastrophic security breaches can be traced back to poor password management at work.
But if your colleague asks for a password, rather than responding with a short, sharp “no”, soften the blow by asking why they want it. If there is a legitimate reason, work with them to resolve the issue — without giving anything away.
For example, instead of posting a Dropbox password on Slack, can you direct them to your organisation’s password manager and help them learn how to retrieve passwords from it? If it’s access to a computer they need, can you help them restart a computer and log in as a guest instead of as you?
Never send usernames and passwords by email.
If systems are not in place at work to help people who need access to a shared password or a computer terminal, talk to your IT team about finding long-term solutions. That might include investing in a password manager such as 1Password, Dashlane or LastPass.
Files can be shared within teams through OneDrive, Dropbox or other organisational repository to reduce the need for a colleague to access your computer to “just get a file off it”.
‘Please fill in this confidential form and email it to me’
It’s not uncommon for IT, HR, finance or well-meaning admin support staff to ask you to fill in a form with sensitive information and just “email it back”.
Even doctors and lawyers have been known to mishandle documents with signatures, tax file numbers or other identifying information such as birthdays.
Don’t feel under pressure to do it. The fact is, such information is invaluable to hackers and identity thieves. Should your workplace email suffer a data breach, bad actors may be able to retrieve these scanned forms from inboxes they’ve invaded.
Most organisations have secure ways of transferring files, varying from a secure cloud storage solution to secure file sharing sites. Use them, and never your personal email or cloud solutions.
If your organisation doesn’t have a secure way to save the files you can use one and send your colleague the link in a work email.
Alternatively, you can send an encrypted PDF in an email, which means much tighter control of who can access the file.
Sometimes the safest solutions are the simplest. Go old-school: walk the documents over to the person instead of scanning and emailing them.
If you’re asked to send personal information in an insecure way, hide your Pikachu face. Instead, say: “We’re supposed to be transferring files this way. If you want, I can show you how for next time?”
Offering a solution, rather than shaming, is much more likely to lead to change.
Can you pass on my resume?
Job-hunters may try to get their foot in the door by leveraging a friend or ex-colleague. Many of us would be keen to help a friend by passing on their CV to the boss.
Unfortunately, malicious actors of all kinds also know this. As outlined in this article, fake CVs can be sent by email with a Microsoft Excel attachment. When opened, the attached file can launch malware that:
…then attempts to hijack private information, credentials from users of targeted financial institutions, and passwords and cookies stored in web browsers. Attackers can then exploit these acquisitions to make financial transactions.
Malware is not just embedded in links and attachments - even LinkedIn messages can contain malware. The consequences of opening such links or attachments can be extreme, and may even include ransomware (where hackers refuse access to files or online systems until the victim pays up).
Don’t pass on CVs, especially if the person is a friend of a friend. Instead, pass on the person’s name to the boss, so she or he can look them up on LinkedIn. Don’t follow links sent to you, even by trusted contacts. Links can often be difficult to check without clicking on them and you may be redirected to a malicious site.
And if you are the jobseeker, demonstrate your own cyber-security awareness by not circulating CVs or other documents with personal information that may be valuable to identity thieves. No birthdays, addresses, just email, mobile number and LinkedIn.
The same rule applies to QR codes - don’t blindly open the webpage pointed to on a business card QR code. You may get more than you bargained for.
Resist the urge to do something unsafe when on deadline
Unfortunately, many workplaces still see cyber-unsafe behaviour as broadly acceptable and the pressure to do something unsafe, especially when on deadline, can be profound.
But by treading respectfully, and helpfully, you can improve your office reputation as a cybersafe staff member and help reduce the risk to your organisation.
Nathalie Collins, Academic Director (National Programs), Edith Cowan University; Jeff Volkheimer, Director, Collaborative Services, Duke Health, Duke University, and Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University