Heinan Landa is the founder and CEO of Optimal Networks, Inc., in Rockville, Maryland.
You don’t need to be a security expert to bolster your association’s cyber defenses. Here are 10 tips to keep your organization better protected.
The single most effective way to keep your cybersecurity awareness high and your data protected and secure isn’t any sophisticated technical defense system. It’s education.
According to research by Ironscales, 95 percent of all successful cyber attacks have the same root cause: Someone fell for a scam and unwittingly gave bad actors unwanted access.
This hacking technique is called social engineering. By definition, it’s when a hacker manipulates someone into divulging sensitive information—either directly or through the use of invasive malware—by way of a scam email, phone call, social media post, text message, or even face-to-face conversation.
This means your staff members are potentially the weakest link when it comes to cybersecurity. It also means that educating your team on how to avoid common security threats presents a huge opportunity: The right training can reduce your risk of a breach by up to 70 percent.
To give you a head start, here are 10 critical security tips that you can act on today.
1. Don’t put too much trust in your spam filter. Spam filters will catch flagrantly malicious emails, but scammers know how to bypass these defenses and make their way into your inbox. There are a few common red flags that indicate an email might be a phishing scam. Your team should learn to recognize the signs.
2. Identities can be deceiving. It’s increasingly easy for scammers to “spoof” emails and phone numbers and make them appear as if they come from someone, or some entity, you trust. If the request comes via email, make a phone call to verify with the sender. If the request comes via phone, hang up and call the contact back using a verified number.
3. Get approval before making financial transactions. Make it a policy to get approval over the phone and in a new email chain before transferring any money. A staff member at an association I’ve worked with nearly wired $180,000 to a scammer thinking it was going to the CEO in an urgent situation. Scammers have successfully stolen $3.7 billion this way.
4. Never click on an attachment or link you aren’t expecting. Years ago, you could identify a malicious attachment by its file extension. If a file was .EXE, it was likely dangerous, while .PDF was probably safe. This isn’t the case anymore. If you receive an invoice, receipt, or any other attachment or link you aren’t expecting, have your IT team look at it to ensure it’s safe to open.
5. If you find a random USB drive, don’t plug it in. Many of us would plug a foreign USB drive into our machines out of sheer curiosity, especially if it’s labeled "payroll." But bad actors will load malicious programs onto these devices hoping we’ll do just that. If a USB isn’t yours, leave it alone.
6. Avoid public WiFi systems unless you have a VPN. When your staff uses public WiFi, you essentially run the risk of their activity being intercepted by a malicious third party. If your organization allows remote work, shield your data from prying eyes by using a virtual private network, or VPN.
7. Implement and mandate a password manager. Most people have too many passwords to manage, and they end up repeating weak passwords across personal and work accounts. Using a password manager makes it possible to use strong, unique passwords and change any that have been compromised.
8. Enable multifactor authentication everywhere. Many applications and websites—from Office365 to Google to Amazon—now offer two-factor authentication, which adds a layer of protection to your account. Even if passwords are compromised, hackers can’t gain access unless they also have your cellphone or some other additional device. Always make sure multifactor authentication is enabled.
9. If you think your machine is compromised, shut it down. As scams grow more sophisticated, there’s always a chance you will fall victim. The moment you think something malicious is happening on your machine, prevent the possible infection from spreading by turning your computer off and calling in the IT team.
10. Expand your concept of data backup. Most associations have their servers backed up, but few organizations pay close attention to how their laptops are being protected. In the case of serious infections, restoring your data from backups can be your only recovery option. Make sure you won’t lose the data stored on your laptops.
For a quick recap on some of the top cybersecurity considerations, watch this video: