Chapter 12
Considering Cybersecurity at Work

The other chapters of this book primarily discuss personal cybersecurity. We have examined how you can protect your personal computers, devices, accounts, and networks from cyber harm. These good practices help to protect your home IT environment, and protect you, your friends, and your family members online. However, although good practices at home can help to reduce your risk at work, such practices are only one part of the cyber defenses you may have at your workplace.

Work computer networks are becoming increasingly complicated, with large numbers of network-connected devices, cloud-based services, and connections to third-party partners, customers, and vendors. As shown in Figure 12.1, work computer networks typically consist of an enterprise network infrastructure that includes: (1) internet connectivity, (2) Wi-Fi connectivity, (3) work functions, and (4) internal and external network infrastructures.

Figure 12.1: Work computer networks are increasingly capable and complex due to technology advancements.

In a workplace environment, good personal cybersecurity practices are combined with enterprise cyber defenses to protect hundreds or thousands of employees who may be working with data that is sensitive, regulated, or even classified. In your workplace, you are participating in a larger cyber defense program that includes additional layers of defenses for prevention, detection, and incident response. These defenses work together to protect you and your coworkers from sophisticated professional cyberattacks.

This chapter describes some of the cybersecurity you can expect to encounter in an enterprise. This chapter does not include all enterprise cybersecurity capabilities; rather, it focuses on the capabilities you are most likely to come across as an employee. This chapter provides security awareness tips and best practices to consider when you are operating IT systems in your workplace. The material presented here is offered as guidance that you should consider to be complementary to your enterprise’s actual cybersecurity policies, procedures, standards, and guidelines.

Enterprise Cybersecurity Differences

When a person moves from a personal cybersecurity setting to an enterprise cybersecurity environment, there may be a significant difference in the threat levels. Enterprises routinely must defend themselves against professional cybercriminals, skilled hacktivists, and nation-state attackers. While these attackers may use some of the same tools and techniques as those targeting your home network, they also may use advanced techniques. These advanced cyberattack techniques can include: advanced malware, command and control, persistence, lateral movement, and privilege escalation within target IT environments. Professional attackers may turn their targets’ IT environment against them, and can achieve devastating results: affecting tens of thousands of employees and millions of customers, and disrupting billions of dollars in business.

In addition, commercial and enterprise IT environments may be subject to regulatory and other requirements that call for more comprehensive cyber defenses than are practical in a personal or home network. These regulatory requirements may include strict specifications for cyber defense activities regarding identity management, endpoint protection (protection of personal computers and devices), the network perimeter, and incident detection and response. While headlines show these defenses are hardly perfect, they do act to reduce risk and increase the chances cyberattacks will be disrupted, delayed, detected, or defeated before they can do significant damage.

Some of the regulations and standards enterprise IT environments may be subject to include the following:

General Data Protection Regulation (GDPR). This European Union (EU) regulation took effect in 2018 and provides extensive online privacy protection for EU citizens regarding their personal data. GDPR includes significant fines in the event of noncompliance or breaches.

Health Insurance Portability and Accountability Act (HIPAA). This U.S. law passed in 1996 establishes a concept of personal health information (PHI). The law requires that IT security controls be implemented when handling PHI data processed by electronic health records (EHR) medical systems.

International Organization for Standardization (ISO) 27001. This standard from the ISO was first published in 1995 and provides a framework for establishing and assessing an organizational cybersecurity program. As an international standard, it is used by organizations around the world.

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). This standard, from the U.S. NIST, was released in 2014 and is widely used for cybersecurity program organization and assessment in the United States.

Payment Card Industry Data Security Standard (PCI DSS). This standard was first released in 2004, with the intent to standardize cybersecurity protection of payment card (credit card) data stored by merchants and processors.

Sarbanes-Oxley Act (SOX). This U.S. federal law was passed in 2002 and requires strict financial accounting controls for public companies, including cybersecurity. Similar laws have been adopted in many countries including Germany, France, and Japan.

Enterprise Network Perimeter and Security

One of the similarities between a typical enterprise network and a home network is the presence of an internet connection with routers and firewalls. You have these same capabilities at home, albeit usually on a smaller scale. Enterprise internet connections typically include several additional network security capabilities, used to protect the enterprise’s internal network and its devices. These security capabilities provide for high-performance filtering of network traffic as well as detection, investigation, and response to cybersecurity incidents.

Enterprises typically use some or all of the following capabilities for network perimeter and security:

Firewalls. This technology provides network filtering at the perimeter and establishes boundaries—on the outside of the network—designed to keep intruders out. Enterprises may also have firewalls inside the network to separate manufacturing plants from administrative networks, or internet-facing servers from the datacenter. These firewalls may also perform advanced functions like filtering web traffic, authorizing network connections, and detecting cyberattacks.

Guest networks. Enterprise networks typically perform official business only. Allowing guest devices to connect to these “internal” networks may pose an unacceptable risk. To address this problem, enterprises set up “guest” networks to give visitors internet connectivity, while isolating them from the enterprise’s internal networks and devices. These guest networks may be wired or wireless but should be clearly marked. They may be password-protected, requiring the “guest” to get “the password of the day” to authorize access. Guest networks are typically segregated to provide only internet connectivity, and do not provide connectivity to internal resources like applications or printers. You should make sure that guests connect to the appropriate guest networks and are properly authorized.

Packet Capture Intrusion Detection and Prevention Systems (IDS/IPS). This technology filters network traffic for the enterprise and can detect (and block) potentially malicious network traffic. Packet capture further improves security by allowing cyber defenders to “replay” suspicious traffic to understand what happened. These systems are usually configured to catch typical cyberattacker activity and command-and-control patterns.

Secure Wi-Fi. Many enterprises also have wireless networking installed. Wi-Fi makes it convenient for employees with mobile devices and laptop computers to get network connectivity. Wi-Fi may also be used for plant or medical networks, enabling mobile and movable equipment to stay connected while moving around the facility. Enterprise Wi-Fi networks typically have stronger protection than home networks, with passwords that change frequently, or requiring tokens or certificates to connect.

Endpoint Hardening and Encryption

In addition to locked-down networks, enterprises typically have “locked down” or “hardened” endpoint computers and devices as well. For personal computers, your enterprise-issued system may be configured to limit your ability to customize or change your system, and to provide protection for the system against common cyberattack techniques. These measures are for your protection and to help enterprise IT personnel manage large numbers of desktop, laptop, and server computers. Hardening involves configuring systems with security policies, antimalware software, and other tools to reduce vulnerabilities and make the systems less susceptible to cyberattack. By hardening endpoints, the enterprise makes it less likely for systems to become compromised, increases its ability to respond to compromise, and protects its data stored on those endpoint systems.

Enterprises typically use some or all of the following capabilities for endpoint hardening and encryption:

Endpoint management. By centrally managing endpoint computers and devices, the enterprise can maintain inventory and asset control of its equipment and can also centrally oversee what software is installed and running on enterprise endpoints. This management can be important for software license compliance, and ensuring systems comply with enterprise policies or regulatory requirements. You should be aware if your endpoints are centrally managed, and comply with instructions when, for example, software or patches are delivered to your endpoints for installation.

Endpoint hardening and monitoring. When endpoints are centrally managed, they will likely be configured to make them resistant to cyberattack. Endpoint computers will likely be configured with antimalware tools, network firewalls, data leakage protection, and web and e-mail screening. Endpoint agents may monitor user activity and send alerts of suspicious behavior to central administration consoles. You should be aware of the protections installed on your endpoints and the alerts those protections may display as you use them.

Full disk and media encryption. Data stored on endpoints and mobile devices may also be protected using encryption. This protection may include full-disk encryption for laptop or desktop computer hard drives as well as removable media encryption for external hard drives and thumb drives. Whereas at home these capabilities are usually optional, in the enterprise they may be required for regulatory compliance. This type of encryption can be a significant protection for the enterprise when laptops or removable drives containing sensitive or regulated data are lost or stolen. Because the data is encrypted, the enterprise may not have to report the incident to regulators or publicly announce a data breach. You should be aware of your enterprise’s policies for disk and media encryption and comply with them. This awareness is especially important if you handle sensitive or regulated data in your professional duties.

Data classification and data loss protection (DLP). In addition to hardening endpoints, enterprises may also use data classification and DLP software to keep track of what types of data are stored on endpoint systems, and to detect when sensitive data is sent in or out of the enterprise. These technologies may require you to label documents and e-mail messages you create with appropriate “tags” indicating the type of data they contain. In addition, documents and messages containing data that matches certain templates—like customer account numbers or social security numbers—may be automatically detected and flagged. You should be aware of your enterprise’s policies regarding data classification and protection, as well as its regulatory obligations regarding identifying and protecting sensitive data.
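The template matching described above, as an added example that is not from the book: a small DLP scan that looks for U.S. social security number and payment card patterns in constructed sample messages, validates card candidates with the Luhn check to cut false positives, redacts what it finds, and flags a violation when the document’s classification tag is below what the detected data requires. The tag names, the required-tag policy, and the sample messages are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not real data): (document_id, classification_tag, body)
SAMPLE_MESSAGES = [
    ("memo-1", "Public", "Lunch menu for Friday is attached."),
    ("hr-2", "Confidential", "New hire SSN 123-45-6789 for payroll setup."),
    ("sales-3", "Public", "Customer paid with card 4111 1111 1111 1111, please refund."),
    ("sales-4", "Internal", "Order 4111-1111-1111-1112 shipped."),  # fails Luhn: order number, not a card
]

# Assumed classification ladder and the minimum tag each data type requires (policy is hypothetical).
RANK = {"Public": 0, "Internal": 1, "Confidential": 2}
REQUIRED_TAG = {"ssn": "Confidential", "card": "Confidential"}

# SSN: AAA-GG-SSSS, excluding area 000, 666, 9xx and all-zero group/serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


@dataclass
class Finding:
    doc_id: str
    kind: str        # "ssn" or "card"
    redacted: str    # only the last four digits are kept
    tag: str         # classification tag on the document
    violation: bool  # True when the tag is weaker than the data requires


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def violates(kind: str, tag: str) -> bool:
    # An unknown or missing tag is treated as Public, the most restrictive interpretation.
    return RANK.get(tag, 0) < RANK[REQUIRED_TAG[kind]]


def scan_message(doc_id: str, tag: str, body: str) -> list:
    """Return all sensitive-data findings in one document body."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append(Finding(doc_id, "ssn", redact(m.group()), tag, violates("ssn", tag)))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding(doc_id, "card", redact(digits), tag, violates("card", tag)))
    return findings


def evaluate(messages) -> list:
    """Findings that would block an outbound message or require re-tagging."""
    return [f for msg in messages for f in scan_message(*msg) if f.violation]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_MESSAGES):
        print(f"{f.doc_id}: {f.kind} {f.redacted} tagged {f.tag!r}, violation={f.violation}")
```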

Identity and Access Management

A big area of difference between home and enterprise networks has to do with accounts and identity management. In the enterprise, you may have one or more accounts you use to access enterprise applications and resources. These accounts may be used to log on to your enterprise e-mail, collaboration tools, plant equipment, or benefits systems. Your permissions within the enterprise are usually limited by access controls tied to your role or the systems you use. You are assigned permissions that allow you to see the information you need and do the tasks you need to perform, while denying you access to those you do not need.

Enterprises typically use some or all of the following capabilities for identity and access management:

Enterprise accounts. Enterprises typically establish “standard” accounts for employees, and may also establish accounts for contractors, partners, and customers. For employees, these accounts are often established when an employee is hired and removed when an employee leaves. Accounts are frequently tied to an e-mail address and protected by a password but may use multifactor authentication as well. You should understand the accounts issued to you, your responsibilities to protect those accounts, and report if you suspect your accounts have been compromised or abused. You should never share your work accounts with others, except as directed by your enterprise.

Roles, access control privileges, and periodic recertification. When employees get enterprise accounts, they frequently get a basic set of privileges, like being able to log on to enterprise computers and e-mail accounts. Additional privileges beyond those may require special approvals and provisioning. Enterprises may establish roles for specific duties like customer support or engineering, with the roles enabling sets of privileges to access systems and applications. In addition, privileges may need to be recertified periodically—say annually—to make sure you still need the privileges assigned to you and to remove them when you no longer need them. You should be aware of the roles and privileges assigned to you, and your responsibilities for protecting those roles and associated privileges.

Accounts for third-party services. Many enterprises use third-party “cloud” services for supporting business functions such as e-mail, sales tracking, human resources, benefits, or payroll. These services may use your standard enterprise account or may require you to establish a separate account (frequently it is your business e-mail account) for access. Unfortunately, with large numbers of corporate services this approach can result in many accounts and passwords you must manage. You should treat your third-party service accounts like your enterprise accounts and take care to protect them. Be especially careful with benefits and payroll accounts, as attackers who can steal these credentials may be able to intercept your paychecks or benefit payments.

Authentication gateways, federation, and single sign-on (SSO). To reduce the challenges and risks of employees having multiple accounts for enterprise, third-party, and other services, IT may enable you to log on once—usually through a central website—to get to other enterprise services without needing additional usernames and passwords. These capabilities are powerful and significantly improve employee experiences when there are large numbers of enterprise services. The tradeoff of this approach is that it places even more importance on the security of the employee’s main account and its credentials. If your enterprise uses single sign-on (SSO), you should be extra careful with your employee credentials and be vigilant for potential signs of compromise.

Privileged accounts. These are special accounts that can deploy or reconfigure IT systems, applications, or data. Privileged accounts may be required to access regulated or classified data not normally available to employees. Because of data sensitivity, enterprises may use password rotation or multifactor authentication to give privileged accounts additional protection from potential compromise. If you are issued a privileged account, you should understand your responsibilities associated with that account, as well as reporting requirements if you believe the account has been compromised or abused.

Web and E-Mail Protection

Enterprises typically provide more protection for your e-mail and web browsing than you might have at home. This protection may only be available when you are in the office connected to the enterprise network, or it may be provided all the time through internet-based “always-on” network connections such as a VPN. In addition, some web filtering can “look inside” secure HTTPS (hypertext transfer protocol secure) connections, permitting examination of secure network traffic to detect malicious activity, malware downloads, data exfiltration, or command and control traffic. The purpose of these protections is to reduce the chance your work computer or device will be compromised by a malicious website, e-mail, or attachment. These protections may also be required to comply with regulatory requirements.

Enterprises typically use some or all of the following capabilities for web and e-mail protection:

E-mail filtering, phishing, and spear phishing defenses. These protections will usually reduce the amount of “spam” or other unwanted mail, malicious attachments, and major phishing and spear phishing campaigns. Studies have found that more than 90% of e-mail transiting the internet is unwanted, so these filters have a lot of work to do. Advanced phishing can be very difficult to block, so do not expect that e-mail filtering will protect you from all potentially malicious e-mail. However, it should reduce your risk. In addition, e-mail filtering may work with web filtering to further protect you if you should click on a link in a malicious message and get directed to a malicious website. Note that your protections may be different when you are in an enterprise facility connected to the enterprise network, versus when you are outside the enterprise network or on a home network. You should be aware of what e-mail protection is in place at your enterprise, and how it can and cannot protect you from potentially malicious e-mail.

E-mail nonrepudiation and encryption. As has been previously discussed, e-mail is notoriously insecure and advanced attackers can easily generate fraudulent and counterfeit e-mails that are difficult or even impossible to distinguish from legitimate messages. If you are involved in customer service sending e-mail messages to customers, you must deal with these challenges in your communications. These challenges include transmitting sensitive, confidential, or protected customer information, such as data for customers’ health care, accounts, or finances. To protect these transmissions, your enterprise may employ secure e-mail technologies that provide for nonrepudiation and encryption of sensitive messages. Nonrepudiation proves your e-mail message came from you or your organization and is legitimate. Encryption protects sensitive data in your message from being read by others as it transits the internet. You should understand what e-mail security features are available at your enterprise, and when and how you should use them to reduce your organization’s liability and potential exposure due to data breaches.

Web filtering and decryption. These protections involve intercepting web browsing network traffic from enterprise computers and scanning that traffic for potentially malicious patterns. This filtering may include blocking certain websites, like social media or pornography. It may also include watching web traffic for data patterns like command and control signals, or transmission of large data files like databases or proprietary data. Filtering may be able to look inside encrypted web traffic (using https:// web addresses) and view private transmissions including passwords. Web filtering generally requires you to be connected to an enterprise network from an enterprise facility, but may apply to remote access as well. You should be aware of what web filtering policies exist at your enterprise, make sure you do not visit inappropriate websites, and understand how web filtering may protect you from malicious websites.

Remote Access to Enterprise IT Resources

For many employees, remote access to enterprise IT resources is critically important. While on the road, sales personnel need to be able to pull up materials and customer status, consultants need to be able to access reference materials, and mobile repair teams need to be able to connect to back-end databases. More and more personnel are working from home offices or customer locations. These employees need to have the same functionality from a laptop computer or a mobile device as they would have if they were in an office building at a desktop terminal. To support these requirements, enterprises deploy remote access solutions. Remote access may be as simple as internet-based access to e-mail or it may be elaborate virtual private network (VPN) connections. Remote access technologies may support employees on the road, employees working from home, and employees using bring your own device (BYOD) and mobile device management (MDM).

Enterprises typically use some or all of the following capabilities for remote access to enterprise IT resources:

Multifactor authentication. Whenever enterprises make sensitive IT resources available over the internet, it is prudent to use some sort of multifactor authentication to protect those resources. Multifactor authentication uses additional factors—like a card, token, device, or biometric—to positively identify you when you connect to enterprise resources. These additional factors make it considerably more difficult for attackers who obtain your username and password to impersonate you from the internet. You may be required to use multifactor authentication for secure remote access to your enterprise, and should follow the procedures for the technology being used.

VPN. The simplest form of remote access is VPN, which uses a secure network “tunnel” to connect your computer securely to the enterprise’s internal network. A VPN can give you complete access to the enterprise network, as if you were sitting on a computer inside the office or headquarters facility. But this power brings risks, as it also means malware on your computer could be given access to the network. To guard against this risk, VPN connections may include firewalls and network monitoring. You should be aware of the VPN policy at your enterprise and ensure you only VPN using authorized devices and under appropriate circumstances. You should be extra cautious with VPN when the computer you are using is trusted for sensitive operations, or is a personal system that is only lightly protected.

Virtual desktop. To reduce the risk of employees connecting personal computers to enterprise networks using VPN, many enterprises deploy virtual desktop technology. This technology gives you a “virtual desktop” connection to a computer that is installed at the enterprise datacenter, using a web browser window or a custom client installed on your computer or device. The advantage of this approach is you get a complete enterprise desktop experience with the appropriate security measures in place. It also makes it more difficult for malware on your personal computer to “jump the gap” and attack the enterprise’s network. When using virtual desktop, you should be aware of the capabilities and limitations of the desktop environment and understand how you are to do common activities like exporting files or printing documents.

Internet-facing applications. In addition to VPN and virtual desktop, many enterprises make productivity applications internet-facing. These applications may include e-mail, collaboration, file transfer, service requests, sales tracking, human resources, or benefits. The enterprise may protect these applications with multifactor authentication or may make them available using simple usernames and passwords. When using internet-facing enterprise applications, you should make sure you are on a trusted computer or an enterprise device. If on a personal device, you should take care with what data you are accessing, and make sure you are not downloading or uploading controlled or proprietary data that should not be leaving the enterprise.

Bring your own device (BYOD) and mobile device management (MDM). To reduce costs and improve employee experiences, many enterprises have policies for BYOD and MDM. BYOD involves allowing employees to access enterprise resources using their own personal computers and mobile devices. BYOD may even involve allowing employees to buy their own computing equipment and use it for organizational purposes. When employees use personal mobile devices, enterprises may use MDM to create a secure “bubble” on those devices where enterprise data resides. This secured area is encrypted on the device and remotely managed by the enterprise, including the ability to remotely delete it. Enterprise data—like e-mail and documents—stays within the secured area for protection. If your enterprise has policies for BYOD and/or MDM, you should consider these policies and the benefits and challenges of using your own devices for company business, especially if the work you are doing is regulated. You should make sure your device and its configuration comply with enterprise policies, and report if you have concerns that your personal system may have been compromised with malware.

Personnel Cybersecurity Training

Any time an enterprise needs its employees’ cooperation to achieve success, training is going to be of paramount importance. For cybersecurity, enterprises typically have some level of basic cybersecurity training that is conducted periodically (typically once a year). They may also have more involved training for personnel who are in positions of trust or sensitivity, like executives and systems administrators. In addition, personnel who are engaged in regulated activity or handling regulated data may require additional training on regulatory requirements. Cybersecurity training may be standalone training, or it may be integrated with other training on general security practices, business risk, or regulatory compliance. This training is important to help employees be aware of the organization’s cyber risks, how the organization can mitigate those risks, and the employees’ responsibilities regarding those mitigations.

Enterprises typically use some or all of the following approaches for personnel security training:

Regular security awareness training. The foundation of employee cybersecurity training is for the enterprise to implement regular security awareness training and testing for company personnel. This training may include information on company security policy, evolving security threats, online scams, and IT basics regarding e-mail, social media, and collaboration tool usage. Training may also be required for contractors and partners who have access to enterprise IT systems. You should be aware of this training, take it seriously, and apply its guidance in your day-to-day work.

Phishing tests and training. Phishing and spear phishing are the two most common ways cyberattackers get into enterprise IT environments today. Attackers may phish or spear phish employees directly, or they may get in through indirect means like a trusted partner or a VPN connection. As part of ongoing security awareness, many enterprises engage services to actively “phish” their employees. This mock phishing identifies those who are susceptible to real-world phishing and provides them with additional training on how to recognize and avoid being phished for real. You should watch out for phishing e-mails at all times and understand that some of them may be for training. Forward phishing messages to your cybersecurity department for follow-up.

Executive and systems administrator training. Executives and systems administrators often have access to privileged and regulated information that is far more sensitive than what is seen by the typical employee. Compromise of one of their computers or accounts can have dire consequences including draining of company bank accounts or widespread destruction of company IT systems. Consequently, these personnel may receive additional training on cyberthreats and defenses against advanced attacks. If you are an executive or a systems administrator, you should be aware of the risks associated with your role, and the additional protections being applied to you, your computers, and your enterprise accounts.

Cybersecurity Operations and Incident Response

Another area where enterprise environments are significantly different from a home network is security operations. For an enterprise, occasionally checking logs is not enough to protect hundreds or thousands of employees, contractors, partners, and customers. Enterprises need 24×7 monitoring of their IT environment to detect potentially malicious activity, investigate that activity, and respond to malicious cyber incidents. These activities fall under the umbrella of cybersecurity operations and are an important part of an enterprise’s overall cyber defense posture. Larger enterprises are going to be occasionally breached, one way or another. What is most important is not their resistance to being breached in the first place, but their ability to detect and respond to the breach after it has started, but before significant damage can be done.

Enterprises typically use some or all of the following capabilities for cybersecurity operations and incident response:

Cybersecurity monitoring. Incident detection starts with monitoring of the enterprise’s IT environment and its cyber defenses. Monitoring detects signs of malware, malicious network activity, malicious application activity, and malicious account activity when they occur within the enterprise. Monitoring does this detection by tying together sensors across the enterprise network, perimeter, filters, applications, and endpoints, and then feeding those sensors into engines that analyze and correlate detected events. You should be aware that everything you do on your enterprise IT systems may be monitored, and careless or malicious activity may raise alerts triggering an investigation.

Cyber incident detection and investigation. Once the enterprise establishes security monitoring of its cyber defenses and other IT systems, it must establish criteria for incident detection and investigation. Network perimeters can generate thousands or even millions of events every day, most of which are of little consequence. Enterprises must “tune” their monitoring systems to identify real security incidents and investigate those incidents to find cyberintruders. This investigation involves identifying computers, accounts, and network addresses involved in malicious activity. You should be aware that your enterprise may have to investigate cyber incidents related to you, your accounts, your computer, or your colleagues. When such investigations occur, you will be expected to cooperate with investigators, which may include not using your accounts or devices for some period of time.
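The correlation engine from the monitoring paragraph and the “tuning” from the detection paragraph, as an added example that is not from the book: events from several sensor types (perimeter IDS, endpoint agent, identity system, firewall) are grouped by host, and an incident is raised only when two or more different sensors report on the same host inside a short time window, so a lone firewall block stays an event while a cluster of unrelated-looking alerts on one workstation becomes something to investigate. The sensor names, hostnames, window size, and the event lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor events (not real logs): (timestamp, sensor, host, detail)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "firewall", "W-204", "outbound 443 blocked by policy"),
    ("2024-03-01T09:01:10", "ids", "W-117", "periodic outbound connection to rare destination"),
    ("2024-03-01T09:03:42", "endpoint", "W-117", "new scheduled task registered by an office process"),
    ("2024-03-01T09:06:30", "identity", "W-117", "account jdoe: logon followed by privilege use"),
    ("2024-03-01T14:20:00", "firewall", "W-117", "outbound 443 blocked by policy"),
    ("2024-03-01T15:00:00", "endpoint", "W-309", "antimalware signature update"),
]

WINDOW = timedelta(minutes=10)  # assumed tuning value
MIN_SENSORS = 2                 # one sensor firing alone stays an event, not an incident


def correlate(events, window=WINDOW, min_sensors=MIN_SENSORS):
    """Group events by host and slide a time window over each host's timeline.

    An incident is raised when at least `min_sensors` distinct sensor types report
    on the same host within `window`. Each event is attributed to at most one incident.
    """
    by_host = defaultdict(list)
    for ts, sensor, host, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), sensor, host, detail))

    incidents = []
    for host, evs in by_host.items():
        evs.sort()                      # chronological order per host
        used = set()                    # event indices already attributed to an incident
        for i, (start, _, _, _) in enumerate(evs):
            if i in used:
                continue
            cluster = [j for j in range(i, len(evs))
                       if j not in used and evs[j][0] - start <= window]
            sensors = {evs[j][1] for j in cluster}
            if len(sensors) >= min_sensors:
                incidents.append({
                    "host": host,
                    "first_seen": evs[cluster[0]][0].isoformat(),
                    "last_seen": evs[cluster[-1]][0].isoformat(),
                    "sensors": sorted(sensors),
                    "events": [evs[j][3] for j in cluster],
                })
                used.update(cluster)
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"INCIDENT host={inc['host']} sensors={inc['sensors']} "
              f"{inc['first_seen']}..{inc['last_seen']}")
        for line in inc["events"]:
            print("   ", line)
```

Raising `min_sensors` or shrinking `window` is the tuning knob: it trades fewer false positives against missed clusters, which is the balance the detection paragraph describes.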

Cyber incident response. When the enterprise identifies real cyber intrusions, it may find itself in a dangerous game of “cat and mouse” with the intruders. Professional cyber intruders can gain access to enterprises for days or months before finally triggering a massive data breach. This time may be required for them to find the data they are interested in, get access to computers hosting that data, and obtain user credentials with the privileges to access that data. When defenders discover an intrusion is in progress, attackers may have access to dozens of computers and accounts within the enterprise, which makes “kicking them out” extremely difficult. Cyber incident response involves repelling cyberintruders in such a way that it will be hard for them to get back in again. You should understand the seriousness and difficulty of incident response, and any cyber-response activities that involve you require your full cooperation and attention.

Physical Security and Personnel Protection

Physical security and protection of personnel are critical elements of a successful enterprise security program. Protection of logical data starts with protection of the physical location and media where that data resides, and may include encrypting data to reduce the risk of physical compromise. Similarly, cybersecurity must take into account the people who can access enterprise data, and the trustworthiness of the personnel. Physical and personnel protection frequently involve coordination between cybersecurity and industrial security departments of the enterprise. Your enterprise’s programs may include some of these coordination points, and they may be reflected in the organization’s policies, procedures, and training.

Enterprise physical security and personnel protection programs typically include the following elements:

Facility and personnel protection. Enterprise physical security and personnel protection programs might include door locks, alarm systems, security guards, and law enforcement liaisons. Personnel protection may include access badges, restricted areas, security screening, and metal detectors. Many enterprises are weapon- and drug-free zones, subject to local laws and regulations. You should be aware of the facility and personnel policies in place at your enterprise, take them seriously, and be cognizant of suspicious activity like strangers wandering around or propped-open doors.

Personnel security, background checks, and drug screening. Employee security and trust are an important part of enterprise protection, especially when sensitive or regulated data is being handled. Malicious or negligent employees or other insiders can cause immeasurable and irreparable harm when things go wrong. Regulations may require significant background checks, including drug screening, for certain positions of trust or public safety. Enterprises may establish their own policies that exceed regulatory requirements, for many of the same reasons. You should be aware of the personnel security requirements at your enterprise, including requirements for background checks and/or drug screening. You should remember that this trust is not a one-time event: criminal activity during your employment may become grounds for dismissal.

Security incident reporting. Any time an organization has a security program, there will also be security incident detection, investigation, and reporting. The organization may be required to perform certain incident handling for regulatory compliance. Also, the organization or the security office may do these activities to meet other business objectives like reducing theft losses, preventing crime, or protecting the safety of employees, customers, or guests. As a part of incident reporting, employees may be required to report certain types of security incidents, including suspected criminal activity. This reporting may include personal events like international travel, criminal arrests, or workplace accidents. You should be aware of your enterprise’s policies regarding security activities, and be vigilant in looking after everyone’s safety and security.

Business Continuity and Disaster Recovery

Just as with protecting your home IT environment, business continuity and disaster recovery are of paramount importance to the enterprise. Disasters can occur for many reasons—not just those caused by cyberattacks—and the business must be able to continue in the face of considerable adversity or other challenges. Most enterprises do considerable planning for how the business might continue in the face of natural, man-made, or criminal disaster situations. For IT and cyber, these efforts revolve around responding to and recovering from significant IT failures and cyberattacks, including enterprise-wide outages, large-scale malware outbreaks, and ransomware holding the enterprise hostage.

Enterprise business continuity and disaster recovery efforts typically include the following capabilities:

Enterprise backup. Just as with your home network, backups are the foundation of business continuity and disaster recovery. If the enterprise cannot recover its computers, accounts, applications, and data, it will have nothing after a disaster occurs. Enterprise backup typically includes additional features beyond a typical home backup, such as backup of individual personal computers; backup of servers, databases, and enterprise data; and large-scale “bare metal” backup of enterprise servers and infrastructure. You should be aware of how enterprise backup works at your enterprise, including whether any of the systems you normally use are not regularly backed up. If your personal computers are not backed up, you should think about what your contingency plans would be if your main computer were lost, stolen, or suffered a hardware failure. If you back up your work computer yourself, make sure your backups are protected with appropriate encryption and physical protection.

Contingency planning. Your enterprise will likely do contingency planning for various adversity scenarios. These scenarios might include natural or man-made disasters, loss of facilities, loss of personnel, or loss of connectivity. Some situations—like the failure of a third party—may be handled more gracefully than others. Many scenarios may have an adverse effect on the organization’s reputation or long-term impacts on its business. Many contingency plans have to do with keeping the most critical operational systems online even when things go wrong, while simultaneously dealing with the underlying problems and protecting the enterprise’s people. You should be aware of your enterprise’s contingency plans and how it intends to communicate with employees, partners, and customers in the event of a crisis. You should understand your responsibilities in the event of a crisis, and what you should do if personnel, facilities, and/or online systems are impaired or not available.

IT disaster recovery. The final component of business continuity and disaster recovery has to do with recovery of IT systems. Enterprise disaster recovery planning should include plans to restore data and business applications after a “disaster” that might involve the dramatic loss of facilities, personnel, or significant impairment of IT systems and services. These disasters may be natural—such as hurricanes or earthquakes—or they may be man-made—such as power outages, espionage, sabotage, violent crime, or warfare. You should be aware of how your enterprise may act to restore its services in a disaster recovery situation, as is appropriate to your role. You should understand your responsibilities in a disaster situation, where you should go, the actions you should take, and the people with whom you should coordinate, so you can be a part of the solution in a difficult situation.
