Hey, what’s your password?


Business etiquette has one golden rule: treat others with respect and care. The same is true for encouraging cyber safety at work, on everything from password security to keeping valuable information like tax file numbers safe.

But how can you encourage cyber-safe behaviour at work without becoming the office grouch? The trick, as it often is in life, is to encourage the right behaviours tactfully and by offering helpful solutions.

Vilifying or mocking those who “do the wrong thing” is unlikely to help. In short, offer alternatives and not reproach. Many organizations have policies to prevent password sharing (and most, by now, would hopefully actively discourage people from keeping passwords on a Post-it note stuck to a computer).

However, asking others for a password is not yet necessarily considered taboo. Perhaps your colleague wants to use your computer and asks for your login. Or they may need access to a shared repository such as Dropbox but have forgotten the password. If you’re reluctant to share your personal password, or broadcast a team password in Slack or on a group chat, your instincts are correct. Passwords are deeply valuable pieces of information, and many catastrophic security breaches can be traced back to poor password management at work. But if your colleague asks for a password, rather than responding with a short, sharp “no”, soften the blow by asking why they want it. If there is a legitimate reason, work with them to resolve the issue — without giving anything away.

“If you're reluctant to share your password, or broadcast a team password in Slack in a group chat, your instincts are correct. But mocking those who 'do the wrong thing' is unlikely to help..”

‘Please fill in this confidential form and email it to me’
It’s not uncommon for IT, HR, finance or well-meaning admin support staff to ask you to fill in a form with sensitive information and just “email it back”. Even doctors and lawyers have been known to mishandle documents with signatures, tax file numbers or other identifying information such as birthdays. Don’t feel under pressure to do it. The fact is, such information is invaluable to hackers and identity thieves. Should your workplace email suffer a data breach, bad actors may be able to retrieve these scanned forms from inboxes they’ve invaded.

Most organisations have secure ways of transferring files, varying from a secure cloud storage solution to secure file sharing sites. Use them, and never your personal email or cloud solutions. If your organisation doesn’t have a secure way to save the files you can use one and send your colleague the link in a work email. Alternatively, you can send an encrypted PDF in an email, which means much tighter control of who can access the file. Sometimes the safest solutions are the simplest.

Go old-school: walk the documents over to the person instead of scanning and emailing them. If you’re asked to send personal information in an insecure way, hide your Pikachu face. Instead, say: “We’re supposed to be transferring files this way. If you want, I can show you how for next time?” Offering a solution, rather than shaming, is much more likely to lead to change.

Can you pass on my resume?
Job-hunters may try to get their foot in the door by leveraging a friend or ex-colleague. Many of us would be keen to help a friend by passing on their CV to the boss. Unfortunately, malicious actors of all kinds also know this. As outlined in this article, fake CVs can be sent by email with a Microsoft Excel attachment. When opened, the attached file can launch malware that:

“…then attempts to hijack private information, credentials from users of targeted financial institutions, and passwords and cookies stored in web browsers. Attackers can then exploit these acquisitions to make financial transactions.. ”

Malware is not just embedded in links and attachments - even LinkedIn messages can contain malware. The consequences of opening such links or attachments can be extreme, and may even include ransomware (where hackers refuse access to files or online systems until the victim pays up).

Don’t pass on CVs, especially if the person is a friend of a friend. Instead, pass on the person’s name to the boss, so she or he can look them up on LinkedIn. Don’t follow links sent to you, even by trusted contacts. Links can often be difficult to check without clicking on them and you may be redirected to a malicious site.

But by treading respectfully, and helpfully, you can improve your office reputation as a cybersafe staff member and help reduce the risk to your organisation.