Lesson:
Best Practices
- Course: Cybersecurity 101 for HR Pros
- Module: Data Loss Prevention
- Lesson Type: Video
- Lesson Duration: 5:49
Lesson Content
Preventing a data loss scenario begins with the obvious, yet frequently overlooked, statement that you shouldn’t engage in high-risk behaviors on any device you wish to keep safe. In the case of the Black Friday attack I mentioned previously, the San Francisco Examiner exchanged emails with the contact address left by the attacker, who alleged that the victim was random, not targeted. The attacker went on to claim that the user of an admin-level computer at the SFMTA downloaded an infected torrent file for a software key generator.
And the only reason you need a software key generator is if you are trying to make pirated software work. So it shouldn’t be surprising that someone who is using the dark corners of the web to engage in illegal activity like pirating software would fall victim to malware. As I have said throughout the course, security is a spectrum and the more aspects you take seriously and implement, the safer you will be. The same holds true for behaviors. The more careful and considerate you are to the consequences your actions online have, the better off you will be.
The tips that follow are a series of best practices which you should certainly take advantage of in your personal life. Professionally, they may be difficult to implement if your organization already manages your workplace devices. Even if they do, it is important to understand why some of those procedures are in place.
Number 1 is to keep updated. I have said it already, and will say again that out of date software and operating systems are a huge security risk. Any piece of software can have flaws or weaknesses but generally the most recent version will be the safest version.
Number 2 is another callback to the global concepts section, with a reminder to compartmentalize your activity. In the case of a breach, you want the attacker to get as little as possible. The less data stored on a device, or accessible through an account, the less you have to lose if it is compromised. For example, if you are traveling for a personal vacation, which work files do you really want to take with you on your laptop or tablet? Whatever you are doing, keep a rough risk assessment in the back of your mind: how much would be exposed if your device were lost, stolen, or illicitly accessed?
Number 3 is to back up everything you do. It is something that people recognize as being important, but most don’t really have a plan in place that they trust will cover them. There are a lot of backup solutions that make things easy and, in many cases, automatic. On your personal devices you generally have 2 options: hard drives vs. cloud services. If you are going to back up your computer onto storage drives, make sure to keep those drives separate from the source device. One of the most common mistakes I see is people who store the device and the backup in the same place, such as putting the backup drive in a desk drawer above the PC. In the case of a fire, break-in, or other disaster, you need to be sure that the backup can’t be compromised along with the source material. A safe deposit box, fire-proof home safe, or other protections like that are worthwhile. You may not know how to quantify it, but your data has a dollar value to you and to an attacker, and it deserves the same level of protection you would give to your financial well-being.
Number 4 is that it is time to trust the Cloud. The idea of storing data on a server you can’t see, managed by a third-party company, makes everyone uneasy. But the fact of the matter is that these modern tech giants are doing security far beyond what you and your organization could do for yourselves. Most companies are, or should be, in the process of reducing the footprint of their in-house data storage in favor of cloud-based solutions. I mentioned previously that cloud backups are an option, and it is the one that works the best for most people. By this time, most people have restored a smartphone via cloud backup when upgrading to a new model or after breaking their previous one. The same methods can be applied to your PC. Choose a reputable company you can trust and secure the account; that backup should then be as safe, if not safer, than going through the hassle of using physical storage drives. Going forward, more and more work will be done originally through Cloud services where you never even have any files stored locally on your devices, meaning you never have anything which can be compromised on the device, and nothing to back up.
Until then, however, we need to protect our data, so number 5 is to run vulnerability scans. Antivirus and anti-malware detection software is critical to making sure that your computer is free from malicious activity. Your organization hopefully has systems in place to do this for you already. On personal devices, I suggest using Windows Defender on Microsoft PCs rather than costly paid antivirus software. Unfortunately, many of the leading antivirus applications make your machine run very poorly while trying to bait you into paying for services you do not need. Regardless of what you choose to use, it is critical that you have systems running passively in the background all the time to monitor and protect. And while passive monitoring is critical, you also need to take advantage of the active features as well. Whenever you download files from email attachments or websites, make sure to scan the file before opening it. This is especially true for zipped folders or files with unrecognized extensions. In the vast majority of malware cases, the user’s actions, through files they downloaded or websites they visited, led directly to the infection. It is important to be vigilant to keep your system clean.
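The "scan before you open it" step above can be done from PowerShell on a Windows PC with the built-in Defender module. The script below is an added example for this lesson, not part of the original course: it checks that real-time protection is on, shows whether Windows tagged the file as an Internet download (the Zone.Identifier "Mark of the Web" stream), and runs an on-demand Defender scan of just that file. The file path is a placeholder you would replace with the attachment you just saved.

```powershell
# Added example (not part of the lesson): scan a freshly downloaded file with
# Windows Defender before opening it. Requires Windows with Microsoft Defender
# Antivirus enabled; the Defender cmdlets ship with Windows.
param(
    # Placeholder path; point this at the file you just downloaded.
    [string]$Path = "$env:USERPROFILE\Downloads\example-attachment.zip"
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Mark of the Web: files saved by browsers and mail clients carry a
# Zone.Identifier alternate data stream. ZoneId=3 means "Internet", which is
# what makes Office open the file in Protected View and SmartScreen inspect it.
$motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Write-Output "Mark of the Web present:"
    $motw | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No Mark of the Web on this file (it may have been extracted or copied)."
}

# Passive protection should already be on; confirm before trusting a manual scan.
$status = Get-MpComputerStatus
Write-Output "Real-time protection enabled : $($status.RealTimeProtectionEnabled)"
Write-Output "Signatures last updated      : $($status.AntivirusSignatureLastUpdated)"

# Active scan of only this file (CustomScan takes a file or folder path).
Write-Output "Scanning $Path ..."
Start-MpScan -ScanType CustomScan -ScanPath $Path

# Report anything Defender detected in the last ten minutes, which covers this scan.
$recent = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-10) }
if ($recent) {
    $recent | Select-Object ThreatID, InitialDetectionTime, Resources | Format-List
} else {
    Write-Output "No detections recorded for the last ten minutes."
}
```

Run it as `.\Scan-Download.ps1 -Path "C:\Users\you\Downloads\invoice.zip"`. A missing Mark of the Web on something that arrived by email is itself a reason for caution, because Office will then open it outside Protected View.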
Number 6 is to turn off macros in Microsoft Office. Macros are a common way of adding programming functions to Office, allowing for powerful automation or other controls over your documents. While many people use them to speed up their workflow, they can be manipulated by attackers to run damaging attacks. A common method involves a trojan disguised as a common Microsoft Office file type, such as a .doc or .xls file. When the user opens the file in Office, the macros run a hidden script which loads the malware onto your computer. In some cases they install keyloggers to track your keystrokes, or give the attacker remote access to your machine. This kind of attack is very common as a means of entry into modern businesses with a large office staff. Just send the same phishing email to everyone at a given company and hope that just a few will open it, with macros enabled on their system, and you are in.
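The Trust Center setting behind "turn off macros" is stored per user in the registry, so it can be audited and set from PowerShell. The script below is an added example, not part of the original lesson: it reads the VBAWarnings value for Word, Excel and PowerPoint (Office 2016 and later use the "16.0" key), explains what each value means, and with -Harden sets macros to "disabled without notification" and turns on the block for macros in files downloaded from the Internet. It assumes a personal, unmanaged PC; on a workplace device a Group Policy setting under HKCU\Software\Policies\Microsoft\Office overrides these user values, which is exactly the "procedures already in place" the lesson refers to.

```powershell
# Added example (not part of the lesson): audit or harden Office macro settings
# for the current Windows user. Assumes Office 2016/2019/Microsoft 365 ("16.0").
param(
    [switch]$Harden   # without this switch the script only reports
)

# Documented meanings of the VBAWarnings value written by the Trust Center UI.
$meanings = @{
    1 = 'Enable all macros (NOT recommended)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification (recommended for most users)'
}

foreach ($app in @('Word', 'Excel', 'PowerPoint')) {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"

    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $current = $props.VBAWarnings
    $block   = $props.BlockContentExecutionFromInternet

    $desc = if ($null -eq $current) { 'not set (behaves as 2: disable with notification)' }
            elseif ($meanings.ContainsKey([int]$current)) { "$current = $($meanings[[int]$current])" }
            else { "$current (unrecognized value)" }
    Write-Output ("{0,-10} VBAWarnings: {1}" -f $app, $desc)
    Write-Output ("{0,-10} Block Internet macros: {1}" -f '', ($(if ($block -eq 1) { 'on' } else { 'off / not set' })))

    if ($Harden) {
        # Create the key if Office has never written settings for this app.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 4 = disable all macros without notification: the document still opens,
        # but the "Enable Content" bar the phishing lure relies on never appears.
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        # Additionally refuse macros in files carrying the Internet Mark of the Web.
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
        Write-Output ("{0,-10} -> hardened (VBAWarnings=4, BlockContentExecutionFromInternet=1)" -f '')
    }
}
```

Run `.\Office-Macros.ps1` to see the current state and `.\Office-Macros.ps1 -Harden` to apply the stricter setting; the change takes effect the next time each Office application starts. If you do rely on a specific macro-enabled workbook, value 3 (signed macros only) is the compromise the Trust Center offers.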

Instructor:
Michael Wilson
Michael Wilson works with small businesses to build and protect their brands online. He is an IT Generalist whose primary services include: Web Design & Development, Cybersecurity Consulting & Training,...