Top 20 Cybersecurity Practices that Employees Need to Adopt

People are a company’s most valuable asset. They can also be its most significant security vulnerability. According to Verizon’s Data Breach Investigations Report, 27% of cyberattacks were caused by human error and negligence. The same report showed that cyberattacks are a threat not only to large companies and government organizations but also to small businesses: 70% of the attacks studied targeted small businesses.

Companies can reduce these vulnerabilities by properly educating their employees on online and computer safety. Below are 20 cybersecurity practices that employees should adopt to better protect their companies.

1. Avoid unknown emails, links, and pop-ups

Phishing is the practice of sending seemingly legitimate emails, links, and pop-ups in the hope that the recipient will hand over credentials or run malware. If you are not careful, a single click on a malicious pop-up or link can give an attacker a foothold in your company’s systems.

Treat attachments and links in emails from unrecognized senders with caution. Phishers gain access to a company network by tricking an unwary employee into opening an attachment or following a link that delivers malware.

A simple rule: never enter credentials or other sensitive information into a form reached from an unexpected email, pop-up, or link. Many attacks today begin with a message that impersonates a colleague, so double-check the legitimacy of any incoming communication before acting on it, for example by typing the site’s address yourself rather than following the link.

2. Be cautious with unvetted USB

USB drives are a common way to move data, so employees (and the company itself) receive them from numerous sources. According to the Accounting MBA Online program at St Bonaventure, every USB device should be treated as if it contains malware, no matter where it comes from. Whether a drive came from a store or was handed out at a business event, do not plug it directly into a computer that has access to the company network.

Malware found on USB devices includes keyloggers, which record everything you type, and “USB killer” devices, which deliver an electrical surge that physically destroys the computer they are plugged into.

A good practice is to have the IT department inspect every USB device before it is used within the company, since a device may host hidden malware that damages company systems.

3. Keep your mobile device safe

Mobile phones have become miniature computers, and a great deal of sensitive information can be accessed from them. As manufacturers make devices ever lighter and more portable, phones and laptops keep shrinking.

This makes them easier to misplace, and many are lost. An attacker who obtains such a device may be able to reach company systems by posing as the employee who owns it, especially if the device is unlocked or stores saved credentials.

As an employee, always know where your mobile devices are. Leaving them unattended puts at risk not only you but also the company whose systems those devices are configured to access. Keep a screen lock enabled so that a lost device cannot be used immediately.

4. Use strong passwords

As obvious as it sounds, it is imperative to use strong passwords for your company’s systems and your own devices. Simple passwords are easy to guess. A hacker who figures out one password may gain access to your saved credentials and possibly to your company’s systems, particularly if you reuse that password across accounts.

Password-cracking tools become more capable every day, so well-chosen, complex passwords matter more than ever. Other secure password practices include:

Using passwords of at least ten characters (longer is better; length adds more strength than complexity does)
Mixing upper- and lowercase letters, numbers, and symbols or special characters
Using a different password for every account, so that one breach does not expose the others
Changing a password promptly whenever it may have been exposed (current NIST guidance in SP 800-63B recommends this over forced periodic rotation)
Remembering many unique passwords is a cumbersome task, so a password manager comes in handy; it can also generate random passwords for you.
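The policy above can be turned into a check that runs before a password is accepted. The following is an added example, not code from the original article: it scores a candidate against the length and character-class rules, estimates its strength in bits, rejects anything on a breached-password list, and generates a replacement from the operating system’s cryptographic random source. The COMMON_PASSWORDS set is a constructed stand-in for a real breach corpus, and the 50-bit threshold is an assumed policy value.

```python
import math
import secrets
import string

# Constructed stand-in for a breached-password corpus (a real deployment would
# check against a full list such as the Have I Been Pwned "Pwned Passwords" set).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome1", "p@ssw0rd", "admin123",
}


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def estimate_entropy_bits(pw: str) -> float:
    """Rough strength estimate: log2(alphabet size) per character.

    This overestimates for dictionary words and keyboard patterns, which is
    why check_password() also consults the breached-password list.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, min_length: int = 10) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    if estimate_entropy_bits(pw) < 50:  # assumed policy threshold
        problems.append("estimated strength below 50 bits")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password from the OS CSPRNG with all four classes present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_classes(pw) == 4:
            return pw


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "Tr0ub4dor&3", generate_password()):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that `P@ssw0rd` satisfies the length-and-classes rules in spirit and scores over 50 bits, yet still fails because it is on the breach list: complexity rules alone do not catch well-known substitutions, which is why the breach check is the most valuable part of the policy.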

5. Use secure Wi-Fi

Most office Wi-Fi networks are encrypted and managed. Public Wi-Fi networks, on the other hand, are unmanaged and unsafe, largely because of their open access and minimal security controls.

When working remotely and you must use a public Wi-Fi network, protect the company’s data by using a Virtual Private Network (VPN). A VPN encrypts the traffic between your device and the company network, so someone on the same public network cannot read or tamper with your remote sessions. A VPN does not make your activity invisible or untraceable, however: it protects the path between you and the VPN endpoint, and the VPN operator can still see where your traffic goes.

Several VPN products are available for little or no fee, but free services are often limited in performance and features, and some free providers log or sell user traffic. Use the VPN your company provides where one exists.

6. Ensure data protection

Just as we take care not to share overly personal information on social media, the same caution should be extended to work. By carelessly posting information online, you might share details that can be used against your company: fragments that an attacker can assemble to gain access to company systems, or sensitive information that competitors could use to their advantage.

Employees can take several measures to reduce this risk. Above all, double-check photos and videos of the workplace before sharing them on social media; otherwise you may unknowingly reveal access details through a computer screen, badge, or whiteboard in the background. Take great care with whatever information you upload online.

7. Install security software updates

Software vendors regularly release updates to fix vulnerabilities and to keep up with increasingly sophisticated malware. When your company’s management instructs you to update an application, it is your job as an employee to install the update on your devices immediately.

Security vendors continually respond to new threats and notify their customers when updates are available. Running outdated software leaves you exposed to attacks that exploit known, already-patched vulnerabilities. This practice also applies to any IoT or personal devices that are used at or for work.

8. Use firewall protection at work or home

Like a perimeter fence, a firewall restricts unauthorized access to a network. It is a first line of defense that blocks cybercriminals from reaching a company’s servers and data stores from the outside.

Employees can take this a step further by enabling firewall protection on their home networks as well. Hackers are cunning and determined, and an attack on a company network can begin by compromising a home network that connects to it. By using home network firewalls, employees better protect their companies against cybercriminals.

Employees can contact an internet security provider for more information on the available types of network firewalls. The most common types are:

Next-generation firewalls,
Proxy firewalls,
Network address translation (NAT) firewalls, and
Stateful multilayer inspection firewalls.

You can also ask your company whether it provides firewall software for home use.

9. Communicate with your IT department

Most companies have an internal security team or IT department. Employees need to work closely with the IT department to better protect themselves and their workplace against cyber threats.

Promptly reporting any suspicious online activity, and any warning raised by security software, to IT staff is crucial to mitigating a threat in time. If you hit a snag with any computer operation, such as a software update, consult the IT department. IT personnel cannot be aware of every potential risk to the company; they depend on employees to tell them about unusual activity. It is also prudent to keep in touch with IT even when you are working remotely.

Employees in companies without an internal IT department can easily fall prey to fake online IT or tech support. Be careful: hackers may pose as tech support providers and use that pretext to phish you.

10. Embrace cybersecurity training and education

Most companies invest time in cybersecurity awareness workshops and coaching for their employees, in a bid to reduce attacks caused by human error and negligence. Every employee should understand the impact that cyber threats can have on sensitive information.

By willingly attending such training, an employee learns to spot and sort phishing emails and pop-up web pages. Knowing how threats work improves an employee’s ability to identify dangerous email attachments and, as a result, to prevent data breaches.

Training sessions also update employees on newly developed types of fraud and ransomware. It is an employee’s responsibility to know and understand the company’s cybersecurity policies and to apply them accurately. Being a little tech-savvy helps as well: it comes in handy when you contact the IT department remotely and they need you to gather information from your devices.

11. Use Multifactor Authentication (MFA)

Multifactor authentication is a security feature that adds a second barrier to accessing an account. As with door locks, the more there are, the harder it becomes to break in: a stolen password alone is no longer enough to get in.

Despite its benefits, 90% of Gmail users do not use MFA. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches involved weak or stolen passwords. MFA greatly reduces the number of breaches caused by password-related weaknesses.

Nevertheless, the popular SMS-based two-factor authentication is the weakest form, since codes sent by text message can be intercepted or redirected through SIM swapping; prefer MFA methods that do not involve SMS, such as authenticator apps or hardware keys. Employees play a big role in keeping their company’s security from being compromised. Using physical MFA such as Yubico Security Keys, employees can ensure that their accounts and devices cannot be used as a way into the company network even if their password is stolen.

12. Be wary of Business Email Compromise (BEC) and CEO attacks

Attackers may also pose as an authority within the company. By imitating the email of a senior figure such as the CEO, they can fool unaware employees into giving out sensitive company information or carrying out transactions. Criminals posing as the CEO may contact employees with urgent requests for tasks, money transfers, or even gift card purchases.

To avoid exposing or sharing sensitive business information, employees should never reply directly to such emails. Instead, when you notice anything suspicious about a message, double-check the legitimacy of the sender’s address and domain. Hackers register look-alike domains that are hard to tell apart from the real one at a glance. Inconspicuous differences such as instead of are not easily spotted. Another safeguard against BEC attacks is to verify any such request out of band: phone the person at a number you already have on record, never at a number given in the suspicious email.
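The sender and link checks described in this section and in practice 1 can be automated. The following is an added example, not code from the original article: it classifies the domain in a From: header relative to the company’s own domain, catching punycode (IDN) domains, character look-alikes such as `rn` for `m` or `1` for `l`, the real domain embedded in a longer one, and one- or two-character typo-squats, and it flags links whose visible text names one host while the href points at another. The company domain `example.com`, the confusable tables, and the edit-distance threshold of 2 are all assumptions for the example; a short threshold like this produces false positives on short legitimate domains and should be tuned.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the company's real mail domain (constructed for this example).
COMPANY_DOMAIN = "example.com"

# Character sequences that look alike in common fonts; attackers swap them when
# registering look-alike domains. Multi-character pairs are replaced first.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "9": "g", "|": "l"}

# Link text that makes a host claim: "https://portal.example.com/login" or "example.com"
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar domains compare equal."""
    s = domain.lower()
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as a swapped letter pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Extract the domain from a From: header such as 'Jane Doe <jane@example.com>'."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def classify_sender(header_from: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Classify the sending domain relative to the company's own domain.

    Returns one of: 'internal', 'idn', 'lookalike', 'typosquat', 'external', 'invalid'.
    """
    d = sender_domain(header_from)
    if not d:
        return "invalid"
    if d == company_domain or d.endswith("." + company_domain):
        return "internal"
    # Punycode labels hide non-ASCII homoglyphs (e.g. a Cyrillic letter for a Latin one).
    if any(label.startswith("xn--") for label in d.split(".")):
        return "idn"
    # The real domain embedded in a longer one (example.com.evil.net) or a look-alike spelling.
    if company_domain in d or skeleton(d) == skeleton(company_domain):
        return "lookalike"
    if levenshtein(d, company_domain) <= 2:  # assumed threshold; tune for short domains
        return "typosquat"
    return "external"


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one host but the href points elsewhere."""
    m = HOST_IN_TEXT.match(display_text.strip())
    if not m:
        return False  # text like "click here" makes no host claim to verify
    actual = urlparse(href).hostname or ""
    return m.group(1).lower() != actual.lower()


if __name__ == "__main__":
    for hdr in ("CEO <ceo@example.com>", "CEO <ceo@examp1e.com>", "CEO <ceo@exarnple.com>",
                "CEO <ceo@exampel.com>", "CEO <ceo@xn--exmple-xta.com>", "Vendor <ap@gmail.com>"):
        print(f"{hdr:40} -> {classify_sender(hdr)}")
    print(link_mismatch("https://portal.example.com/login", "https://portal.examp1e.com/login"))
```

A result other than `internal` does not prove fraud, and `internal` does not prove legitimacy (the From: header itself can be forged unless the mail gateway enforces SPF, DKIM and DMARC); the classification is a prompt to verify the request out of band, as described above.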

13. Create data backups

A backup solution is one of the best measures for keeping personal and business information safe. One of the biggest threats to data is ransomware: a malicious program whose deployment is triggered by an employee clicking a malicious link, or by a computer being infected from another machine on the network. Once deployed, it takes the data hostage by encrypting or deleting it, and the data stays inaccessible unless the victim pays a ransom (and sometimes even then). Although businesses are the most common targets, the number of private victims has been rising.

To recover from such a scenario, employees should keep continuous backups of their critical information, using either a cloud backup service or a physical hard drive. A cloud backup keeps a copy of your data on a server in a separate location, so it can be restored if systems are corrupted or hacked. Whichever you use, keep at least one copy offline or in versioned, write-once storage: ransomware also encrypts backup drives that are left connected and files synced to a cloud folder, and it often lies dormant for days before it triggers, so a single rolling backup can end up containing only encrypted data.
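The versioning and verification points above are the part of a backup routine that people most often skip. The following is an added example, not code from the original article: it takes a timestamped snapshot of a directory tree, writes a SHA-256 manifest beside (not inside) the snapshot, and later verifies the snapshot against that manifest, reporting files that were changed, removed, or added, which is exactly what a ransomware infection of the backup copy looks like. The `demo()` function builds a small constructed document tree in a temporary directory and then simulates an infection hitting the copy; the file names and contents are made up for the example.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy the source tree into a new snapshot directory and write a manifest.

    Each run creates a fresh, timestamped snapshot and never overwrites an
    earlier one, so a later infection cannot silently replace a good copy.
    The manifest is stored beside the snapshot, not inside it.
    """
    label = label or time.strftime("%Y%m%dT%H%M%S")
    dest = backup_root / label
    shutil.copytree(source, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_file(p)
        for p in sorted(dest.rglob("*")) if p.is_file()
    }
    (backup_root / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup_root: Path, label: str) -> list:
    """Return the relative paths that no longer match the manifest, sorted.

    Covers files that were modified or deleted (e.g. encrypted by ransomware)
    as well as files added after the snapshot (e.g. a ransom note).
    """
    dest = backup_root / label
    manifest = json.loads((backup_root / f"{label}.manifest.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    for p in dest.rglob("*"):
        rel = p.relative_to(dest).as_posix()
        if p.is_file() and rel not in manifest:
            bad.append(rel)
    return sorted(bad)


def restore_backup(backup_root: Path, label: str, target: Path) -> None:
    """Restore a snapshot into target (which may already exist). Verify first."""
    shutil.copytree(backup_root / label, target, dirs_exist_ok=True)


def demo() -> tuple:
    """Back up a constructed document tree, then simulate ransomware hitting the copy."""
    root = Path(tempfile.mkdtemp())
    docs = root / "docs"
    (docs / "sub").mkdir(parents=True)
    (docs / "report.txt").write_text("quarterly figures")   # constructed sample data
    (docs / "sub" / "notes.txt").write_text("meeting notes")
    backups = root / "backups"

    snap = create_backup(docs, backups, label="snap1")
    clean = verify_backup(backups, "snap1")               # expected: []

    # Simulate ransomware reaching the backup: overwrite one file, drop a ransom note.
    (snap / "report.txt").write_bytes(b"\x00encrypted\x00")
    (snap / "README_DECRYPT.txt").write_text("pay to recover your files")
    tampered = verify_backup(backups, "snap1")            # expected: ["README_DECRYPT.txt", "report.txt"]

    shutil.rmtree(root)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The verification step is only meaningful if the manifest cannot be rewritten by the same process that could encrypt the snapshot, so in practice the manifest (or at least a copy of it) belongs on the offline or write-once medium mentioned above, and a restore should be attempted from a verified snapshot at regular intervals rather than only after an incident.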

14. Use malware and virus protection software

Anti-virus and anti-malware software is an important layer (though not a guarantee) against malicious programs entering your computer or network. It should be run not only in the office but also on personal devices: mobile devices, desktops, and laptops alike, where it can screen out malicious websites and messages. The software continuously scans for and quarantines suspicious files and messages. By knowing how to operate these programs, employees reduce the amount of malware operating in the business environment and the chance of compromising business information while accessing it from their own devices.

15. Ensure proper device operations

To properly implement the company’s cybersecurity policies, employees should deploy and configure devices according to those policies. Configuring business devices in line with IT policy puts the security measures to proper use. To curb intrusions into company systems through connected devices, employees must also follow the manufacturers’ hardening recommendations.

FTP, network discovery, and similar device features should be disabled unless the IT department explicitly allows them. It is also prudent to disable any service that is not needed or not currently in use. This shrinks the attack surface: every open service is a potential entry point.

16. Verify the legitimacy of software

Contrary to a common misconception, not everything that carries a trusted brand’s name is safe. Carelessly downloading or installing software can expose the computer, and the company as a whole, to a considerable number of threats. Choosing where you download from is just as important as choosing which software you download. With so many sites offering free downloads, it is easier than ever to fall prey to malicious programs posing as utility tools, and many repackaged copies of popular software come with a trojan embedded.

An employee should understand and strictly follow the company’s download policy. Install software on business computers only from the vendor’s official site or the company’s approved source, and check the publisher’s digital signature or the published checksum where one is available. Additionally, scan all downloaded files and programs with anti-virus and anti-malware software before running them.

17. Be aware of social engineering

Rather than exploiting vulnerabilities in software and operating systems, social engineering exploits human trust and error. Cybercriminals gather information about their targets from public sources such as social media in order to impersonate people the target knows. They then psychologically manipulate and trick their victims into handing over sensitive information. Well-structured research into the victim’s background lets the perpetrator earn the victim’s trust; once the attacker offers a seemingly harmless reason, the employee innocently gives away sensitive information about the company.

Employees can avoid such psychological traps by being extra cautious and alert in all online interactions. Avoid all deals and offers that sound too good to be true; most of them are scams.

18. Use a Managed Service Provider (MSP)

Human error, although it can be reduced, is inevitable. End-user mistakes in particular can be managed through the services of an MSP. With an MSP that offers Mobile Device Management (MDM), you can locate a lost device or remotely wipe its storage to prevent a data breach. Hackers carry out many attacks using information recovered from lost devices. With the device’s location in hand, you can retrieve it yourself or involve the relevant authorities.

19. Use data encryption

Data encryption prevents unauthorized persons from reading data. It transforms the data into a form that only someone holding the decryption key can turn back into the original. Encryption is currently one of the most popular data protection techniques used by companies; its aim is to protect the confidentiality of digital data. Employees can encrypt data before transmitting it to cloud storage and encrypt crucial files sent by email, keeping them safe in transit. Use full-disk encryption on laptops and phones as well, so that a lost device does not become a data breach.

20. Avoid a messy desk

As obvious and simple as it may sound, a messy desk can be a source of many small but crucial pieces of information. During a typical business day a lot of paperwork lands on an employee’s desk: notes from your boss, scraps of paper with passwords scribbled on them, and invoices, all of which are easily left lying around. Furthermore, it is hard to notice a missing file or paper on a messy desk, so it could take ages to connect a password breach to an employee’s desk.

Some of the best desk management practices for cybersecurity are very simple. Do not leave flash drives or other storage devices lying around. Lock your cabinets and drawers. Do not leave confidential papers on your desk for extended periods, and lock your screen whenever you step away. When practiced consistently, desk management has a large impact on business cybersecurity.


Given the key role employees play in managing the cybersecurity of their companies, it is vital that they are aware of the risks and impacts of cyber threats to a business. There are many ways to reduce the likelihood of cyberattacks, most of which were mentioned above. Since no one is immune to cyber threats, employees and business administrators must work together against the common threat. Simple practices by employees go a long way toward preventing cyber incidents, and a single careless mistake, like clicking on an unknown link, can be the cause of a company’s downfall. A company’s vulnerability is directly influenced by how well its staff understands the potential risks.