As you roll out LastPass, it’s important to feel confident in helping employees with their new password manager. You might be the sole IT person wearing lots of hats. Or you might be part of a large helpdesk team. Either way, employees will undoubtedly come to you with questions and concerns.
In our recent LastPass Enterprise Master Class, we talked through some of the most common LastPass questions heard by our customers’ helpdesk teams. We shared our tips for reducing calls related to LastPass. We also discussed best practices for increasing employee satisfaction with the service.
One of the most common questions helpdesk staff hear is: “How can I reset my LastPass master password?!” Here’s how we recommend handling that question. With the right planning, you might even avoid it to begin with!
Turn on the “Super Admin Master Password Reset Policy”.
Before you start onboarding employees, activate the policy that allows you (and any other admins you designate) to administratively reset master passwords. The policy is turned on in the admin dashboard. Turning it on before onboarding ensures that a recovery key is generated and shared with your admin account for every employee as they log in. You can still turn it on later, but until a user logs in again after the policy was enabled, your admin account will not hold that user's recovery key and cannot reset their master password. That's why we recommend doing this from the start. It's just one of the many policies worth familiarizing yourself with for a better LastPass experience.
Train employees when you first deploy LastPass.
Training certainly takes time and resources from the IT team, but the pay-off is worth it. When you're rolling out LastPass to employees, host lunch and learns or virtual trainings where employees can learn what LastPass is, the basics of how it works, and what your expectations are when they're using it. It's an ideal way for users to ask questions up front. This is also the perfect time to teach them about creating a strong master password, preferably as a "passphrase" that is secure but easy for them to remember.
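To make the passphrase advice above concrete, here is an added example (not LastPass code; the wordlist is a constructed sample) that generates a random passphrase and a random character password with Python's `secrets` module and reports how many bits of entropy each carries. A six-word passphrase drawn from a 7,776-word list such as the EFF long list comes to about 77 bits, the same strength as a 12-character random password over the full printable ASCII set, and far easier to remember. The same generator covers the advice later on this page to generate a unique password for every account.

```python
import math
import secrets
import string

# Constructed sample wordlist (32 words) used only so the example runs offline.
# A real passphrase generator should use a large list such as the EFF long list
# (7,776 words), so that each word adds about 12.9 bits of entropy.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "copper", "hollow", "marble", "summit", "tundra", "willow", "beacon",
]
EFF_LONG_LIST_SIZE = 7776  # 6^5 words, one word per five dice rolls
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from `pool_size` choices."""
    return length * math.log2(pool_size)


def equivalent_password_length(bits, pool_size=len(PRINTABLE_ASCII)):
    """Shortest random password over `pool_size` symbols carrying at least `bits`."""
    return math.ceil(bits / math.log2(pool_size))


def generate_passphrase(words, count=6, separator="-"):
    """Pick `count` words uniformly with the CSPRNG-backed `secrets` module.

    Do not use `random.choice` for this: the `random` module is not suitable
    for secrets.
    """
    if count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length=20, alphabet=PRINTABLE_ASCII):
    """Random character password, the kind a manager generates per site."""
    if length < 1:
        raise ValueError("need at least one character")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_report(word_count, wordlist_size=EFF_LONG_LIST_SIZE):
    """Bits for a passphrase and the random-password length it is equivalent to."""
    bits = entropy_bits(wordlist_size, word_count)
    return {"bits": round(bits, 1),
            "equivalent_password_chars": equivalent_password_length(bits)}


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))  # e.g. "kestrel-dune-marble-orbit-basil-yarrow"
    print(generate_password())
    print(strength_report(6))
```

Note that the 32-word sample list gives only 5 bits per word (30 bits for six words); the list size, not the word count alone, is what makes a passphrase strong.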
Ensure all employees are using the browser extension.
The best way to use LastPass is to install the browser extension and log in through it. Not only does the extension let LastPass recognize and fill sites as the user browses, it also securely stores account recovery data on the user's device, which is what makes a master password reset possible there. If the user has never logged in through the browser extension (or the mobile app), no recovery data exists and account recovery won't be possible; you will need to delete the user's account so they can start over.
Activate the “Super Admin Master Password Reset Policy”.
Life happens, and users forget their master passwords. When an employee comes to you asking for help, go to the policy section of the admin dashboard and follow the steps to apply the Super Admin reset to their account. You'll be prompted to create a new, temporary password for the user, which you'll need to communicate to them; LastPass does not send the temporary password by email. Verify the requester's identity before you do this and hand over the temporary password through a channel you trust, since a helpdesk password reset is a classic target for social engineering. Once the user logs in with the temporary password, they'll be prompted to create a new master password for themselves. Be sure to remind them about using a passphrase as their master password!
As you can see, the Super Admin Master Password Reset Policy is one of the best tools available to LastPass admins. Now you can feel confident about knowing what to do should a user approach you after forgetting their master password.
We all need a little order in our lives, right? Chances are, you’ve probably heard about the Marie Kondo organizing craze and maybe even sorted through your things to find the ones that “spark joy.” Well, don’t forget about organizing the stuff in your digital life, too. Just like our physical world, our digital life needs a little tidying up from time to time.
Here are five steps you can take to build good habits that will help you save time and keep your digital life in order — and you won’t have to throw out your phone or laptop!
Take a look around
One of the first steps to bringing a little order to your digital life is to look around your devices to figure out what needs fixing. Ask yourself: is your phone or laptop running out of space? How many duplicate photographs and video files do you have? Is finding a particular file painful because you have several versions of it with very similar names?
Once you’ve figured out what your pain points are, it’s time to make a plan. What part of your digital life do you want to put in order first? One of the first steps I’d recommend would be to …
Purge unwanted files
Just like when you’re organizing your closet, you’ve got to clear some things out of your digital life, too. With clothing and accessories, you let go of the ones that just don’t fit or flatter you anymore. Maybe you haven’t worn them in months. It’s the same process with your digital things. If you’re not sure where to start, here are a few digital files you can quickly and easily purge right now:
Unused apps. Delete any apps that you haven't used in the last 3-4 months; if you haven't used them by now, you probably never will. iOS users can let their phones delete apps automatically by enabling the "Offload Unused Apps" feature (in Settings).
Duplicates and blurry photos. Duplicates of any kind (like "burst photos" and repeated screenshots) can head straight to the virtual trash can. Unlike physical copies, which you can at least give to someone else, digital duplicates just sit on your devices and eat away at valuable space. Also, if you can't figure out what you took a picture of (or why), take one last good look and then let it go. Blurry and unrecognizable photos definitely don't spark joy, so out they go! #enoughsaid
Text messages. Do you still have texts from years and years ago? They could be the reason your mobile device is running out of space (especially if they include attachments). Head over to your settings to automatically delete those old texts.
E-mails. Before you trash all your old, unneeded emails, you should hit the “unsubscribe” or “spam” button first. Sometimes, those newsletters that you signed up for just don’t “fit” you anymore. Look for the unsubscribe button or link at the bottom of those emails so you can stop receiving them. Gmail users can also use an unsubscribe feature that’s native to the app. And, if a message is clearly spam, designate it as junk mail. Okay, now you can delete these emails and rest assured that all those unwanted messages won’t end up in your inbox again.
Put digital files in Folders
Resist the urge to dump everything on your desktop so that you don’t end up with a jumbled (and very distracting) mess. Once you’ve finished purging, think about putting your files in folders. For instance, you might have a folder for personal files and one for work. Other categories might include:
Vacations and travel (categorize by year or location)
Projects (including your side projects)
Photographs and videos (event or project)
Whatever folders or categories you decide to use, be sure that you use a name that’s easy for you to remember. If it’s too complicated, you’ll forget and start down a rabbit hole of frustration, endless searches, and disorder.
Keep your accounts safe
Since our lives are often intertwined with all things digital, we usually have lots of online accounts. Those accounts come with passwords that we need to remember, and it can be tempting to use the same password for each one. But, don’t do that! If one of your accounts gets hacked, all of your other accounts that use the same password will be at risk. And, please don’t put them on sticky notes on your laptop where they can be easily seen by others.
Let password manager apps, like LastPass, help. Instead of trying to remember the passwords for each of your accounts, you only have to remember one (your master password) and let your password manager do the rest. This is a huge time (and brain) saver. Prefer using your desktop? Install the browser extension to organize and keep your passwords safe, generate strong passwords for new accounts, and even update some of your old ones.
Schedule digital maintenance days
Alright, when you’ve done all of the heavy lifting, that doesn’t mean you can “set it and forget it.” Once you’ve sorted, purged, and categorized your digital files, be sure to maintain the order you’ve created, or else things will simply go back to the chaos and disarray.
Start by scheduling digital maintenance days. For example, if you love taking lots of pictures and selfies, you could schedule a weekly (or monthly) picture purging session to get rid of all duplicates, burst and blurry pics. Set a schedule that’s easy for you to stick to and add a digital reminder so you don’t forget. And, for those days when things are a little hectic, a digital task list or checklist can come in handy.
Two out of every three people who surf the web use Google Chrome: it's considered fast, reliable, and secure, and Google Chrome extensions make it even better. The Chrome Web Store offers tens of thousands of extensions to choose from, and they can improve productivity while enriching your online experience.
Google curates its collection via Editor’s Picks and categories, but if you’d like to narrow that down a bit more, here are 9 of our favorite Google Chrome extensions we use every day.
I have about a dozen tabs open at any given time. OneTab is the equivalent of Marie Kondo from the Netflix show "Tidying Up" asking me, tab by tab, which ones spark joy. With a single click you can clear the clutter, and all open tabs are condensed into a list within a single tab. My laptop likes OneTab almost as much as I do because it saves a whole lot of application memory.
I have three active Gmail accounts and needed a better way to use and manage them together. Checker Plus for Gmail unifies notifications and previews and lets me read and delete email without having to open Gmail itself.
I have a bookmark problem. I have more than I'd care to admit and they aren't well organized. Enter Bookmark Manager. Using Google's search, the Bookmark Manager can help you find that nearly lost Food Network recipe. When you bookmark a page, this extension will even suggest the folder where it thinks the page fits best.
Momentum is a visually-pleasing, personalized productivity dashboard. When you open a new tab on your Chrome browser, Momentum will serve up a photo, a quote that inspires or entertains, and ask you “What is your main focus for today?” and then display it to keep it top of mind. Momentum can manage your to-do list, display links to favorite sites, and report in on the weather.
This screen video recorder for Chrome lets you create screencasts and capture what is happening on your desktop, within a browser tab, or through your webcam. ScreenCastify lets you narrate and embed your webcam recording right into the screencast, and edit to create your final cut. Publish your screencasts directly on YouTube, export, or load up to Google Drive.
StayFocusd limits the amount of time you spend on websites that can pull a little too much focus from the ones you should be using. Set how long you will allow yourself to be on Facebook or YouTube and when your time is up, StayFocusd will block the site for the rest of the day. You also have the option to block specific pages or in-page content like videos and images.
There's something about writing down everything I need to do that helps me to focus better. Unfortunately, I end up with too many lists in too many places. Todoist lets me get all my to-dos out of my head and gives me one place to enter them, while they sync across my laptop, phone, and anything else that runs Chrome. You can easily turn a to-do into an active reminder, organize and prioritize your to-dos, and see daily or weekly overviews of your accomplishments (even more satisfying than crossing items off a list).
It’s difficult to get any sort of cinematic experience out of watching a video on YouTube, Vimeo, or Hulu on your mobile device. With this nifty extension, you click on a lamp button and the entire page – except the video itself – will fade to dark. It might sound simple, but after a day of staring at multiple screens this will make you smile.
Last but not least, there is LastPass, a password manager that saves all your usernames and passwords, generates strong passwords for you, and gives you secure access from every computer and mobile device you have. You only need to remember one master passphrase to access LastPass and everything you’ve stored in your digital vault.
Keeping up with the security industry and the latest trends can be daunting, and you don't always have time in your day to read your favorite news sources or blogs to stay up to speed. That's where podcasts come in. There are some great security podcasts out there that discuss security news, new apps and services, or dive into in-depth topics you've always wanted to learn about. And the best part is you can listen any time, during your commute or even while you do the dishes!
We rounded up some of our favorite podcasts to get you started.
This is a great podcast that covers all topics related to life on the internet in a fun and entertaining way. While it is lighthearted, it is also very well researched and reported. Start by listening to episodes #102 and #103 in which the host gets a scam phone call from a business trying to sell him fake anti-virus software. Instead of just hanging up, the host begins to investigate this company, even traveling to India to meet the men he spoke to on the phone.
Another great episode is #97 “What Kind of Idiot Gets Phished” where the hosts deploy a fake phishing attempt on the employees at their company to see who falls for it. You may or may not be surprised with their findings!
Smashing Security is a weekly podcast that covers security news from the previous week. Hosted by computer security industry veterans, Graham Cluley and Carole Theriault, they cover topics from cybercrime to online privacy and more. For example, their most recent episode covered payroll scams and the previous week discussed how the US government shutdown was affecting web security.
This podcast takes an interesting perspective on the challenges that CISOs face. It is hosted by David Spark, founder of Spark Media Solutions, and Mike Johnson, CISO of Lyft. Each episode includes a segment on recent security news and a segment asking a CISO's opinion on that particular security topic. A recent episode explored an article about how human error, not hackers, is the main cause of data breaches.
CyberWire has several podcast offerings that explore what’s happening in cyberspace. They provide clear and concise summaries of security news and regularly have industry experts share their opinions. Recent episodes have explored Twitter bots and how they work, tips on protecting yourself from ransomware and more. There’s something for everyone!
Not solely focused on security, but the Vergecast provides lighthearted but well produced coverage of the tech world. If you like reading the Verge to keep up with tech news, you’ll love Vergecast. The hosts have a lot of fun while also keeping their listeners informed.
Not technically a podcast, but Twit.TV has tons of shows that cover tech and security. Good news is you can subscribe to the audio of these shows and listen without the video – just as you would listen to a regular podcast. They have shows specifically geared toward Android and iOS news and commentary, ones that cover weekly tech news, and many more. Also, The Tech Guy hosted by Leo Laporte is a particularly popular show.
Have any other podcasts you would recommend? Let us know your favorite security and tech podcasts in the comments below.
Cyber Monday is almost here, and the unofficial holiday gives you access to fantastic deals that help you jumpstart the process of buying presents for the holiday season, or treating yourself to a bit of retail therapy. However, hackers appreciate Cyber Monday as much as consumers do, if not more.
After all, fabulous prices on must-have items make people likely to whip out their credit cards and never think about the possibility of transmitting data in unsafe ways. Here are five suggestions for avoiding cyberattacks on Cyber Monday.
1. Use a Password Manager
When it comes to snagging outstanding deals as an online shopper, mere seconds can make the difference between buying an item and being too late because it’s just sold out. LastPass is an ideal complement to holiday shopping because it saves time without sacrificing security. Not only does it offer encrypted storage for login credentials, but it also stores credit card and address details.
Plus, because passwords get safely stored in a person’s LastPass vault, there’s no need to go through the frustration of forgetting passwords or resetting them while trying to shop.
2. Shop at reputable sites
Online shopping has become so common that we sometimes don't check to make sure the sites we are shopping on have good security practices. Thankfully, in our recent blog post we created an "Online Retailer Naughty and Nice List" that evaluates top shopping sites on how well they protect your personal information from all too common data breaches.
In addition, be sure to stick to vendors you know and avoid obscure looking sites that don’t follow the format of well-known retailers, as bogus websites are likely to pop up with only the intent to steal personal and payment information. If it’s your first time shopping with a vendor, conduct some research to ensure it’s a legitimate seller.
3. Use a Multifactor Authentication Solution
Multifactor authentication (MFA) requires people to present more than one proof of identity when logging into a website. For example, in addition to providing a password, they also might have to enter a one-time code, generated by an authenticator app or sent by text or email, before proceeding. A code from an authenticator app or a hardware security key is a stronger second factor than one sent by SMS or email, but any second factor is better than a password alone.
Newegg and Etsy both offer MFA, and they’re sites people frequent while shopping online on Cyber Monday and otherwise. But, numerous well-known retailers still haven’t implemented the technology.
No matter where people go online, using MFA is more critical than ever for protecting accounts and the information within from cybercriminals.
Hackers prey on people who don’t have thoroughly secured accounts and let Cyber Monday deals distract them from staying safe online. MFA offers extra safeguards.
4. Sign up for a Credit Monitoring Service
Sometimes, the first red flag that a cybercriminal has attacked is a strange charge on a credit card bill. But, credit monitoring takes another step by allowing people to know about changes in their credit reports.
Some credit card companies offer monitoring to their clients. However, individuals can also participate in credit monitoring from specialty companies. Depending on the service, identity theft insurance might be available, too.
5. Beware of phishing attempts
Cyber Monday is a great opportunity for criminals to send phishing emails carrying data-stealing malware or links to credential-harvesting pages. While phishing emails can be extremely convincing, they're often identifiable by typos, spelling and grammatical errors. Well-crafted ones have none, so also check who the message is really from and where a link actually points before you click.
LastPass won't autofill on a site that isn't the one the credentials were saved for. For example, if you get a fraudulent email from someone posing as your favorite retail store and you click the link, you will likely be taken to a look-alike website meant to capture your personal information. Because that site lives on a different domain than the real store, LastPass won't offer to fill your username and password, and that silence is a useful warning sign. You can also always launch sites from your LastPass vault to ensure you are getting to the correct website.
Shoppers should also make sure that, in the haste to grab a good deal, common sense and standard security practices don't go out the window. Unsolicited texts, calls, emails or social media messages could be an attempt to get you to hand over an account login or credit card information, so be cautious of anything from a vendor you don't know that sounds too good to be true.
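The reason autofill stays quiet on a look-alike site is that saved credentials are keyed to the domain they were saved for, and the phishing page lives on a different one. As an added example (illustrative only, not LastPass's own matching logic; the vault entries and URLs are constructed), the Python below applies that rule: it fills only over HTTPS, only on the saved host or a subdomain of it, ignores the `user@host` trick and port numbers, and compares internationalized hostnames in their ASCII (punycode) form so a Cyrillic look-alike cannot match.

```python
from urllib.parse import urlsplit

# Constructed sample vault: entry name -> URL the credential was saved on
SAMPLE_VAULT = {
    "Shop": "https://example.com/account/login",
    "Bank": "https://online.example-bank.com/",
}


def canonical_host(url):
    """Lowercased ASCII hostname of `url`, or None if there is no usable host.

    urlsplit().hostname drops the scheme, userinfo ("user@"), port and path, so
    "https://example.com@evil.net/" yields "evil.net", not "example.com".
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        # IDNA encoding turns a Cyrillic "еxample" into "xn--..." so it can never
        # compare equal to the plain ASCII "example".
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # a host we cannot canonicalize is never a match


def should_autofill(saved_url, page_url):
    """True only when `page_url` is the saved site (or a subdomain of it) over HTTPS."""
    saved_host = canonical_host(saved_url)
    page_host = canonical_host(page_url)
    if saved_host is None or page_host is None:
        return False
    if urlsplit(page_url).scheme != "https":
        return False  # never hand credentials to a plain-HTTP page
    if page_host == saved_host:
        return True
    # Simplification: treat subdomains of the saved host as the same site.
    # "example.com.evil.net" does not end with ".example.com", so it fails.
    # A production matcher uses the Public Suffix List so that example.com and
    # www.example.com are one site while "co.uk" is not a site at all.
    return page_host.endswith("." + saved_host)


def entries_for(vault, page_url):
    """Names of vault entries that may be offered on `page_url`."""
    return sorted(name for name, url in vault.items() if should_autofill(url, page_url))


if __name__ == "__main__":
    for url in ("https://www.example.com/login",
                "https://example.com.evil.net/login",
                "https://example.com@evil.net/",
                "https://\u0435xample.com/"):   # leading Cyrillic "е"
        print(url, "->", entries_for(SAMPLE_VAULT, url))
```

The last two sample URLs are the ones a quick glance gets wrong: the first reads as example.com to a person but resolves to evil.net, and the second looks identical to example.com in most fonts.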
Stay Safe This Shopping Season
Shopping on Cyber Monday is fun, but it comes with risks. These easy-to-implement tips minimize them and let people focus on finding the merchandise they want at outstanding prices.
While we may want to ignore it, Autumn is on its way. And that means back to school season is upon us. There are a lot of things to do to prepare yourself or your kids for the return to school. But when it comes to security, let’s make them as quick and easy as possible – so you can spend a few more weekends at the pool.
Online and device security may not be the first thing that comes to mind with the new school year, but more and more middle school, high school and college students have mobile devices, laptops, and online educational requirements. It is more important than ever that students protect their digital lives as much as adults.
Here are a few easy tips to protect yourself or your kids when starting school.
Create a password for your laptop and phone
Most devices come with a lock option that requires you to enter a code or use your fingerprint (or your face, on iPhone X). Ensure that you have this enabled for your phone and laptop. And remember to lock your computer every time you leave it unattended.
You can also physically lock down your computer by investing in a cable lock, which allows you to secure it to a desk. This is helpful for college students who are working in coffee shops and libraries that are open to the public.
Use multi-factor to secure your email
Our email accounts are the hub of our online lives. And this is no different for students. Think of all the sites you use your email address for, and the network you’ve built with it.
Because of this, it’s essential to never share your email password. This is not like a Netflix password that many have decided is acceptable to share. Your email password is truly for your eyes only.
For extra security, enable multi-factor authentication for your email account. This adds an extra layer of security by requiring you to enter your password and provide an additional form of authentication – usually a code or your fingerprint. Enabling MFA means that even if someone gets your email password they won’t be able to log in without that additional form of verification.
Be careful of public Wi-Fi
Students often use public Wi-Fi when working in libraries, cafes or other places on campus. It's important to limit your access to sensitive accounts, like banking, when on public Wi-Fi. Consider using a VPN on public Wi-Fi as well: it encrypts your traffic between your device and the VPN provider, so others on the same network can't read or tamper with it. A VPN does not make you anonymous, though; the VPN provider and the sites you log in to still see what you do.
Keep your software up to date
It can be annoying when software update notifications keep popping up on your screen. They always seem to come at the worst time, but they really shouldn't be ignored. Shutting down your browsers and restarting the computer itself is often all you need to do to let pending updates finish installing.
If you do see notifications, make sure you respond to them quickly. These updates include important fixes – sometimes addressing serious gaps in security or other issues.
Backup your devices
Loss and theft happen – no matter how careful you are. The best thing you can do is prepare by backing up your information. There are many cloud services that will back up your photos and documents automatically, so you don’t even need to think about it.
Also, you can save sensitive information in LastPass, like copies of insurance cards, passports, etc. This information needs to be protected, so saving it in the LastPass encrypted vault is your safest option.
To recap, here’s a checklist to double check your cybersecurity:
Set your computer to auto-lock.
Set your smartphone's PIN code or fingerprint ID.
Invest in a cable lock.
Err on the side of caution when sharing online.
Use a strong password for your email account.
Don’t share your email login with anyone.
Enable multi-factor authentication for your email account.
Use a password manager like LastPass to manage your accounts.
Generate unique passwords to avoid password reuse.
Respond to all prompts to update your software.
Restart your computer occasionally to ensure updates are completed.
Use a VPN if you need to access personal accounts on open Wi-Fi.
Be mindful of the connection you’re using and what you’re accessing on that connection.
Back up everything to an external hard drive, regularly.
The internet is a complicated place. It’s where kids can find adorable dog pictures and the latest news on their favorite band or movie star, but it’s also the host of adult content that isn’t safe for kids. And just like you are at risk of exposure to data breaches and identity theft, so are your kids!
Fortunately, you can take steps to keep the danger to a minimum — without being too strict.
#1 Keep Their Online Identities Safe
When you're coming up with a plan to keep your kids safe online, it might feel like technology is against you. The key is to find ways it can work to your advantage, too. LastPass saves everyone in your family from the hassle of remembering passwords. You already have to keep track of things like doctors' appointments and half-days at school. Why add passwords to the list of details you might forget?
Moreover, LastPass helps you achieve the goal of keeping your kids’ identities safe online. It’s crucial for you to teach them good password behavior from the start, including the importance of not using the same passwords for multiple sites. Kids visit many websites that require them to create an account, and it’s essential that the login details are different for each one.
LastPass helps generate strong and unique passwords and usernames for each site that needs them, then remembers them for your kids.
#2 Let Them Access the Right Sites
The internet offers specific sites and content channels for kids. That’s why children aren’t likely to need to access all the same pages that adults do. With LastPass Families you can create shared folders of what you want other family members to access. Perhaps a folder of streaming media sites to share with everyone, including your kids, and one for household bills with your significant other. Everyone has access to what they need, and nothing they don’t.
Outside of LastPass, you can utilize site-specific parental controls that restrict access to some content. For example, Netflix lets you create a profile that’s only for kids or require a PIN to watch material categorized by particular maturity levels or titles. And Google has a SafeSearch feature that blocks most explicit content.
#3 Control What They Can Buy Online
LastPass can also be used as your digital wallet where you store your credit card information, addresses and more. Using LastPass, you can digitally share access to an approved debit card, for instance one whose spending limit you've set with your bank. Then, kids can participate in online shopping without you worrying they might overspend and ask forgiveness later.
LastPass also permits giving debit card information to kids without providing them with physical copies of the card. That way, they’ll have the details they need to make purchases, and you won’t feel the stress of them potentially losing your debit card.
#4 Discuss Sensitive Information and How to Protect it
One of the qualities of the internet that’s both good and bad is that children can use it to meet new people who share their interests. However, they may not realize how risky it is to tell online strangers where they go to school, which neighborhood they live in and their names.
As your child sets up new accounts online, walk through the process with them so you know the information they’re being asked for and point out why it’s important. Your name, zip code, birthday – all this information is valuable and needs to be protected. Also, make sure they know which information requires extra care – credit cards, social security numbers, etc.
Instead of completely stopping kids from using messaging apps, social media sites and other tools for meeting people online, discuss why it’s important for them to be careful about what they say and to involve a trusted adult if they’re ever in an uncomfortable situation.
#5 Keep the Computer in a Visible Area
Kids might want to use the internet without you looking over their shoulders all the time, and that’s understandable. But it’s still smart to have the computer in a place that lets you easily supervise what’s happening. Think about having it in a highly trafficked part of the house, such as a family room.
Granted, because most kids — especially older ones — have smartphones and laptops that can access the internet, it’s impossible to completely control when they go online and which sites they visit. Educating your children – as discussed in tip 4 – helps them make smart decisions about the internet activities they choose, since you can’t oversee all of them.
#6 Set Limits for Browsing and Overall Online Use
It’s important that kids have a balance of online and offline time.
For younger kids, it’s reasonable to limit the amount of time they spend online. Share that decision with babysitters and other caregivers.
Again, older kids will have more freedom, especially if they have their own smartphone. That's okay! If you instill good habits and safe behavior from a young age, they will be able to handle this freedom responsibly.
Awareness and Proactiveness Are Crucial
The internet provides kids with an exciting world of knowledge and opportunities to make new friends and learn new things. When you take steps to remain as aware as possible and — more importantly — proactively teach young people how to navigate the internet in ways that keep them safe, you’ll increase the likelihood of a lifetime of fun, educational online experiences.
Many IT pros who work for small-to-medium businesses (SMBs) see themselves somewhere below the cybercrime radar. They often don’t feel their business is nearly as interesting and relevant to a cybercriminal and, as a result, have less to worry about. However, the challenges they face are no less daunting or serious.
Cybercriminals Are Paying Attention
Cybercriminals target SMBs because they’ve likely got more exposed vulnerabilities and opportunities to breach. In fact, according to the 2018 Verizon Data Breach Investigations Report, 58 percent of all organizations victimized by cybercrime are categorized as small businesses.
Cybercriminals also have better economies of scale to leverage these days. Malware attacks don't require as much time, money or effort as they used to. And SMBs hold sensitive business information and personal data just like other firms. Even though an SMB is unlikely to hold records tied to millions of people, what it does have is just as easily marketable on the dark web.
In some cases there may be more value than just what an SMB has to offer itself. Some smaller firms’ networks can be connected to an enterprise-sized partner’s network. Once inside a compromised SMB network, a cybercriminal may find it easier to gain unauthorized access to the enterprise partner’s network versus attacking them directly.
To protect themselves better, enterprises are enforcing contracts, assessments, and policy on their smaller brethren. This only places a higher burden on the SMB to have security controls in place that can be out of reach.
The Challenges for SMBs
SMB security challenges might not be all that different from anyone else's, considering that vulnerabilities, threats, and social engineering do not discriminate based on size or prominence. However, where SMBs and enterprises do obviously differ is size and scale, and this disparity reveals some of the most difficult challenges SMBs face, including:
#1 Security is Very Expensive
Technology and services that provide common defenses against cyberattacks can be harder to afford and maintain. Security vendors often do not charge on a sliding scale and tend to set prices where enterprises can afford it. In some cases vendor packages geared to SMBs can miss the mark because they don’t scale down small enough.
#2 People Aren’t Very Smart
Lack of security education and awareness among the workforce increases the chance of falling victim to a phishing attack. This doesn’t exactly mean people aren’t very smart, by the way. People just aren’t very likely to become smarter on a topic they don’t feel is important enough to them. Although this risk is common to any organization, an enterprise-sized firm is likely to enforce a formal education policy and courseware, while an SMB might not because of a false sense of complacency that they are not a target, or over-confidence that their workforce is plenty smart enough to defend itself.
#3 The Community is Very Elitist
The security community is elitist, and SMB security pros are often not invited to the table. A large or executive-level security media outlet or conference will purposely focus on pros from big firms to reach the audience with the most to spend. Enterprise pros assume a peer at an SMB wouldn’t have much to teach them anyway. This is a problem for SMBs, since sharing problems and getting help from peers is a necessary part of anyone’s ability to manage risk. And given how an SMB IT pro may feel marginalized by the security industry, they might not even feel worthy of attention.
Security is obviously way too hard for any SMB to handle perfectly, or even just really well. But with all this, there are still things within reach that can help an SMB become better protected against cybercrime.
Where to Focus Control and Ability
By focusing on where they can have more control and ability, on a reasonable budget, an SMB IT pro can reduce some of the highest risks.
A good place to start is with people and the common behaviors that lead to a higher risk of an incident or breach. After all, an SMB has the benefit of a smaller workforce to reach and more opportunities to connect personally.
The 2018 Verizon Data Breach Investigations Report noted that phishing and the use of stolen credentials are two of the top three actions that lead to security breaches. Even just last year, Verizon reported that 81 percent of all breaches were caused by weak or reused passwords.
The good news is that any organization of any size can get better at password management by providing their workers with LastPass. For starters, it won’t break the IT budget or become another headache to maintain and manage. Users can store their passwords securely, while generating a unique, strong password for each and every one of their accounts.
And users don’t need to remember any of those passwords, either. All they need to do is remember a secret passphrase that only they know in order to access their password vault.
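The two properties described above, a random unique password per site and a single passphrase that is never stored but unlocks everything, are easy to see in a small model. The block below is an added illustration and not LastPass code; it uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream with a separate authentication tag rather than the AES-based scheme a real product would use, and the PBKDF2 round count, the `Vault` class and the site names are assumptions for the example.

```python
"""Model of a passphrase-protected password vault (added example, not LastPass code).

Structure: passphrase -> PBKDF2 -> vault key; each site password is random,
unique, and stored only in encrypted form. A wrong passphrase fails the
authentication tag check instead of yielding garbage.
"""
import hashlib
import hmac
import os
import secrets
import string

PBKDF2_ROUNDS = 200_000  # assumption: a reasonable work factor for a demo
ALPHABET = string.ascii_letters + string.digits + string.punctuation
NONCE_LEN, TAG_LEN = 16, 32


def generate_password(length: int = 20) -> str:
    """Draw a password from a CSPRNG; every call produces a fresh value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 32-byte vault key; the passphrase itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (wrong passphrase) raises instead of decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Hypothetical vault: holds a salt and encrypted entries, never the passphrase."""

    def __init__(self, passphrase: str, salt: bytes = None, entries: dict = None):
        self.salt = salt or os.urandom(16)
        self.entries = entries if entries is not None else {}
        self._key = derive_key(passphrase, self.salt)  # lives in memory only while unlocked

    def add_site(self, site: str) -> str:
        """Generate a unique password for the site and store it encrypted."""
        password = generate_password()
        self.entries[site] = encrypt_entry(self._key, password.encode())
        return password

    def get_password(self, site: str) -> str:
        return decrypt_entry(self._key, self.entries[site]).decode()


def unlock_succeeds(passphrase: str, salt: bytes, entries: dict, site: str) -> bool:
    """True only if the candidate passphrase reopens the stored entry."""
    try:
        Vault(passphrase, salt, entries).get_password(site)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo: one passphrase, two sites, two different passwords.
    vault = Vault("correct horse battery staple")
    for site in ("expense-portal.example", "shop.example"):
        print(site, vault.add_site(site))
    print("wrong passphrase opens vault:",
          unlock_succeeds("wrong passphrase", vault.salt, vault.entries, "shop.example"))
```

The point to take from the model is where the secrets live: the site passwords exist only as ciphertext, the vault key exists only while the vault is open, and the passphrase is used once to derive that key and then discarded, which is why a forgotten passphrase cannot simply be looked up and why the admin reset policy described earlier matters.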
At the end of the day, one easy to remember passphrase can help solve some very hard to forget problems.
Security professionals do a lot of things right. They gain any number of certifications to prove they know what they know, and can do what they can do. They can assess, plan, and implement any number of security technologies as part of the mission to protect networks and information. But they are by no means perfect.
Security pros make mistakes just like everyone else. But their mistakes aren’t necessarily technical. Instead, they often lie in how they interact, communicate, and observe the actions of others and interpret them within the context of their own mindsets.
Perhaps the security community could learn a thing or two from their own healthcare providers and consider approaching security through a wellness model. According to the National Wellness Institute, “wellness is multidimensional and holistic, encompassing lifestyle, mental and spiritual well-being, and the environment.” The model surrounding wellness is essentially a conscious effort to help an individual become self-directed to achieve their healthiest state, based on awareness and choice.
Wellness programs at the workplace can include lunchtime walk teams or heart healthy cooking classes. As a result of active participation you may expect to take fewer medications, see the doctor less often, and even avoid the operating room down the road. In this respect the same holds true in security. If you are security-aware, that’s half the battle. Security pros are glad to keep you safe and self-governed. And they won’t complain if that requires less of their time and budget.
Let the wellness model trickle into your daily work life and you may very well find you understand your customers and constituents better. You may also make fewer mistakes, like these four in particular:
#1 You underestimate complexity.
A wellness model is about making incremental changes to your lifestyle that are by and large agreeable to you. If you have high cholesterol, sure, we can throw medication at the problem but we should probably deal with it first by analyzing what you eat and consider some appealing options to make some changes stick.
As a security pro, you see a large number of employees casually clicking on links within phishing emails. It’s second nature to apply controls like strong authentication to stop the problem. But if you were to look at the phishing problem through a wellness model, you may first consider security awareness programs to help users understand what a phishing email looks like so they avoid clicking on a nefarious link. We often underestimate the complexity in people.
Doctors sometimes have this issue too. Let’s say you have a health issue that would get easier to manage if you lost 20 pounds. Just because the prescription is simple (“Just lose weight.”) doesn’t mean that it will happen.
Same goes when a security pro says “Just manage your network inventory.” Even though the answer seems simple enough, the orchestration of it is actually much more complex and difficult. Not everybody is in a position to manage inventory as you may think they should be, so try a different approach.
#2 You find it hard to relate.
It is hard for a security pro to capture the mindset of a person in terms of how they interact with technology. We exist in a “security first” kind of world. As realistic as that may seem when your job is protecting information and even people, it is not always going to get you where you need to be, because others’ minds are not in the same place as yours.
We have a warped sense of normalcy as security professionals. We live and breathe security. We find it interesting. The reality is that not many people find it that interesting.
If you find yourself in a meeting and are about to say something that starts with “from a security perspective…”, that should be a red flag or warning bell. You need to be able to phrase what you say outside of your own perspective and apply it to what needs to be done. That’s a much more powerful approach.
#3 You don’t listen well enough.
You learn about a problem that’s not terribly new. There’s an unpatched server attached to the network. You already know how to fix it. No discussion needed, except perhaps an eyeroll. But have you really listened well enough to the point where you have a solid diagnosis? Perhaps not.
Find the patience to better understand the underlying root cause. What failed down the line that led to the server not getting enough attention? You’ve easily thought of the technology and people parts of the problem, but is there a gap in process that you may have missed? Start thinking along these lines and you may find a larger issue that, once solved, will lead to fewer unpatched servers.
#4 You are not clear enough.
Security pros are naturally quite skilled at documenting security requirements, controls or policy. Sometimes our expectations exceed what we are providing in the first place. For example, your doctor wouldn’t expect your infection to heal properly if she simply said “Take this medication”, right? Without knowing how many pills to take each day, at what times, or before or after meals, a very effective medication could end up becoming useless. Or worse, harmful.
If you want to have a very specific outcome you need to very specifically guide people there. The more time you spend documenting steps the less time you will spend fixing mistakes that didn’t need to happen in the first place.
Communication is a two-way street. Our job is to make sure we are received. And if that means adjusting our own mindsets a little bit towards the altruistic and away from the judgmental, then we may all be the better for it in the end.
Security awareness sums up the knowledge and behaviors that people within an organization have in regards to the protection of physical and information assets. It also sums up one of the hardest parts of the security management mix.
A maintained, ongoing security awareness program is a requirement within security control sets like the CIS 20 (it’s #17). However, there’s a key difference between awareness and the other 19 controls: awareness isn’t technical. Given that security pros are almost entirely technical, it’s not the easiest program to manage, let alone help make flourish.
Security Awareness Doesn’t have a User Manual
The level of security awareness your organization has can vary greatly based on industry, size of company, and past experience. For those of you who work in a highly regulated industry like healthcare or finance, or for a large public company, you probably have to take an e-learning course on cyber security once a year to tick off the compliance box.
The yearly training is a good start but it’s not enough to stop employees from making security mistakes – like clicking phishing links.
So how exactly do you get your fellow employees smarter on security to the degree where they become more informed and don’t make the mistakes that cyber criminals expect them to make? I don’t have a magic elixir for you, but here are six steps to getting started:
#1 Get support
Making sure your executives understand the value of security awareness is a critical aspect of your security program. They need to lead by example. It’s not the most expensive program but it is hard to get right. If you are going to dedicate time, resources, along with expectations for things like fewer successful phishing attacks, make sure your execs are in.
Next, build an advisory group of folks from different teams, disciplines and points of view. Run your content ideas for training and education past them first.
#2 Know your audience
How can you make security awareness successful across your company? For starters, get to know your end users. At most companies, your audience is not singular. You’ve got left brains and right brains. You’ve got baby boomers and millennials. You’ve got people who know enough to be dangerous, and others who know so little they are the most dangerous. In other words, your demographic is varied so make sure your educational content like videos and blogs is too. And don’t always make it so ominous and serious. Security isn’t silly but it doesn’t have to be the one not in on the joke.
#3 Make it an everyday opportunity
Apart from making your compliance team and the auditors happy, that one point in time every year when folks take the cyber security awareness course online is by no means your one shot at getting through to your colleagues.
Consider dozens of small touchpoints that different people will see or catch at different times, in different places, in different ways – all with the same point and message. Come up with new themes every month or quarter. Leverage broader events like National Cyber Security Awareness month every October. Even create a meme and tape it to your office refrigerator. There’s a lot of content out there that others would be glad for you to use with proper attribution.
#4 Keep it fun
While security is serious business, there are ways to get employees engaged and keep security awareness fun. For LastPass we recommend making adoption and usage a contest. Have employees compete to see which individual or team can get the most sites added to their vault in a week, or who has the highest security challenge score.
#5 Remember it is about human behavior
Security awareness, as a way to keep your company and its data more secure, involves something unlike the rest of the mix. It isn’t technical. It’s emotional. It’s not about a router configuration. It’s about what people think and feel when they see your latest memo about don’t do this or do a lot more of that. It’s about how they process information, whether it be in 5-10 second intervals or sitting down for a long read.
One way to make the best connection is to bring in the outside world to help. Make security awareness not just about security at work, make it about security everywhere. You’ve got employees who are parents and trying to get better at dealing with cyber bullying. Make your program about protecting everything and everyone they care about. It’s already going to be about the stuff you care about – your IT assets, your IP, your yearly audits. What’s in it for them? If you expect your colleagues to give you a few minutes, return the favor and share how they can be safer online no matter the context. For example, a password manager like LastPass can do a terrific job bridging security awareness between work and home by managing and storing credentials tied to any online account from your expense report portal to Macy’s.
#6 Every mistake is a learning opportunity
Be patient with your end users. If they make a mistake, and they will, make it a positive learning experience and do not threaten with a wall of shame. Use a phishing simulator and test your colleagues to see if they click on links within emails that they shouldn’t. If they fail, give them the chance to learn on the spot and move on.
However, if they fail five times in a row, maybe a little direct encouragement might be in order.