Dec 5, 2024
Sagar Gaur
In today’s digital world, our employees are our strongest line of defense and potentially our most significant cybersecurity vulnerability. A simple misstep can lead to data breaches, ransomware attacks, and severe financial and reputational damage to our organization, with the average cost of a data breach reaching $4.45 million in 2023. Additionally, cyber threats have intensified, especially with remote and hybrid work models, where breaches are estimated to cost an extra $1 million compared to in-office breaches. According to recent studies, nearly 99% of breaches can be linked to human error or manipulation, making employee awareness paramount in any cybersecurity strategy. To stay safe, it’s essential that we not only understand the basics but also move beyond them.
Let's get the no-brainers out of the way:
Don’t use weak passwords.
Don’t ignore software updates or use unauthorized software.
Don’t click on suspicious links or download unverified attachments; this is the easiest way for malware to slip through.
Don’t use public Wi-Fi without protection.
These basics are crucial, but the rapidly evolving nature of cyber threats demands more advanced vigilance from all of us. Below, we’ll cover 10 advanced practices every employee should be mindful of to protect our company against sophisticated threats.
Data security
Access corporate resources only from secured devices
With social engineering scams costing companies over $26 billion between 2013 and 2019 due to vulnerabilities in human behavior, taking precautions with devices is essential. We understand the convenience of using your own device for work, but without proper endpoint security this is a significant risk. If you’re using your personal laptop or phone, ensure it complies with our security standards: proper encryption, mobile device management (MDM), and antivirus protection. If unsure, reach out to IT to verify compliance.
Endpoint security is everyone’s responsibility
The cost of cybercrime is expected to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028, and organizations struggle to defend every endpoint effectively. Endpoint security isn't just an IT issue; it starts with each of you. Statistics reveal that 96% of tested banks were compromised through human manipulation, even with their advanced systems. This figure highlights the essential role of individual responsibility in endpoint security. Unpatched firmware, unauthorized USB devices, and insecure configurations create gaps in our defenses. Please remember that all endpoints, from work laptops to personal devices, pose a risk if not adequately protected. Keeping your devices up to date and not plugging in unknown USB devices are simple but critical steps you can take.
Source: Statista
Never disable security features for convenience.
The cost of a data breach or reputation damage far outweighs the brief inconvenience of security protocols. Whether firewalls, antivirus, or browser blockers, these security measures are in place for a reason. Turning them off for convenience is akin to leaving the door open for attackers. Always contact IT if these features interfere with your work; there are usually better solutions than simply disabling them.
Remember: Encryption is not a silver bullet.
While encryption is an essential tool, it’s not the entire solution. Without proper key management, encryption can be ineffective. Always follow the procedures for storing and sharing encryption keys, and never embed keys directly in scripts or emails. 60% of global GDP faces threats related to data mishandling, a stark reminder of why encryption practices are critical.
Credential and login security
Never store credentials in plain text.
We can’t stress this enough: storing passwords in personal notes, unencrypted files, or easily accessible spreadsheets is risky. Instead, use a secure credential vault or password manager—these tools make it easy to keep passwords safe and prevent unauthorized access. The impact of compromised credentials can be enormous, as seen in high-profile breaches where attackers exploit weak storage practices to access sensitive data.
Source: Metomic
Never bypass MFA for convenience.
Multi-factor authentication (MFA) is our extra line of defense. It may seem like a hassle, but bypassing it or sharing MFA tokens with others, even briefly, can lead to significant vulnerabilities. MFA is a non-negotiable measure, especially for sensitive data. Let's stay secure and ensure that it is always enabled.
Properly secure API keys and tokens.
For those working with APIs, remember that API keys and tokens are as sensitive as your passwords. Poorly protected API keys can be a hacker’s easiest entry point. Keep API keys secure, rotate them often, and apply the principle of least privilege to minimize risks.
Source: Google
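The advice above on not embedding encryption keys in scripts or emails, not storing credentials in plain text, and protecting API keys can be checked automatically before a file is shared or committed. The following is an added example, not part of the original article; the patterns are an assumed heuristic and the sample text, including the key value, is constructed.

```python
import re

# Assumed heuristic: a secret-looking variable name assigned a quoted literal.
SECRET_ASSIGNMENT = re.compile(
    r"\b(\w*(?:api_?key|secret|token|passw(?:or)?d)\w*)\s*[:=]\s*"
    r"[\"']([^\"']{8,})[\"']",
    re.IGNORECASE,
)
# Header of a PEM-encoded private key pasted into a file or message.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
# Template references such as ${VAR}, <VAR> or {{ var }} are not real secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|\{\{.*\}\})$")


def find_embedded_secrets(text):
    """Return (line_number, label) for each likely embedded key or password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append((lineno, "PEM private key"))
        for match in SECRET_ASSIGNMENT.finditer(line):
            name, value = match.groups()
            if not PLACEHOLDER.match(value):
                findings.append((lineno, name))  # report the name, never the value
    return findings


# Constructed sample text: the key value below is made up for this example.
SAMPLE_SCRIPT = '''\
import os
API_KEY = "q7Zp2LxV9mKd4TsB8wRn"
db_password = "${DB_PASSWORD}"
token = os.environ["SERVICE_TOKEN"]
-----BEGIN RSA PRIVATE KEY-----
'''

if __name__ == "__main__":
    for lineno, label in find_embedded_secrets(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label} should come from a vault or environment variable")
```

Line 4 of the sample shows the preferred pattern: the script reads the token from its environment at run time, so the value never appears in the file.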
Access management
Handle privileged access with extreme caution
Not everyone needs privileged access, and for those who do, it’s crucial to follow Just-In-Time Access (JIT) principles to limit exposure. Role-Based Access Control (RBAC) offers a structured approach to granting access based on an individual’s role within the organization. This method is particularly effective in complex environments where multiple roles have different access levels, ensuring that no single user has excessive privileges unless necessary. Never share or reuse admin credentials, and understand that use of these credentials should be logged and audited. If you’re unsure about using privileged credentials, check with IT.
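How RBAC, JIT elevation, and audit logging fit together, as an added example that is not part of the original article. The `AccessBroker` class, the role and permission names, and the users are hypothetical and the scenario is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed role-to-permission map; role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write"},
    "db-admin": {"db:read", "db:admin"},
}


class AccessBroker:
    def __init__(self, standing_roles):
        self.standing_roles = standing_roles  # user -> set of permanent roles
        self.jit_grants = {}                  # (user, role) -> expiry time
        self.audit_log = []                   # every grant and decision

    def grant_jit(self, user, role, minutes, approver, now):
        """Elevate a user into a role for a limited time and record who approved it."""
        expiry = now + timedelta(minutes=minutes)
        self.jit_grants[(user, role)] = expiry
        self.audit_log.append((now, "grant", user, role, approver))
        return expiry

    def is_allowed(self, user, permission, now):
        """RBAC check over standing roles plus any unexpired JIT roles."""
        roles = set(self.standing_roles.get(user, ()))
        roles |= {r for (u, r), exp in self.jit_grants.items() if u == user and now < exp}
        allowed = any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles)
        self.audit_log.append((now, "allow" if allowed else "deny", user, permission, None))
        return allowed


def demo():
    """Constructed scenario: alice needs db:admin for one 30-minute maintenance task."""
    t0 = datetime(2024, 12, 5, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker({"alice": {"developer"}})
    before = broker.is_allowed("alice", "db:admin", t0)
    broker.grant_jit("alice", "db-admin", 30, approver="bob", now=t0)
    during = broker.is_allowed("alice", "db:admin", t0 + timedelta(minutes=10))
    after = broker.is_allowed("alice", "db:admin", t0 + timedelta(minutes=31))
    return before, during, after, [entry[1] for entry in broker.audit_log]


if __name__ == "__main__":
    print(demo())
```

The privileged role disappears on its own once the window closes, while the user's standing role is unaffected and every decision remains in the audit trail.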
Use only modern, secure VPN protocols.
Using a VPN is critical when accessing company networks, but not all VPNs are secure. Older protocols, like PPTP, are easy for hackers to exploit. Please use modern VPN protocols like OpenVPN or WireGuard for safe access.
Source: The VPN Experts
Don’t overlook incident response protocols
If you notice something odd—no matter how small—report it. Suspicious activity could be a sign of a broader attack. Reporting incidents promptly, even if they turn out to be false alarms, is crucial for our collective security. Please familiarize yourself with the response protocols, and never hesitate to contact your IT team if something feels off.
Final thoughts: Creating a culture of proactive defense
We face increasingly sophisticated cyber threats daily, and advanced vigilance is critical to protecting our organization. This means everything from strong endpoint security to proper credential handling, modern VPN usage, and timely incident reporting.
Each of you plays a vital role in our cybersecurity defense. By adopting these advanced practices, you contribute to your own security and our company's overall resilience. Remember, a proactive, layered defense starts with each of us understanding the risks and taking action to mitigate them.
Let’s stay vigilant and keep our defenses strong.