A 2016 Cybersecurity Intelligence report conducted by IBM found that 60% of all cyber attacks were carried out by insiders. Of those, 75% were malicious attacks, while the other 25% were inadvertent. This means that businesses need not only to take precautions themselves to prevent cyber attacks, but also to educate employees on best practices so they do not become unwitting participants in attacks.
You might be surprised at how many of your employees naively believe that software downloads are safe as long as the software itself is from a trusted or respected brand. In fact, software downloads can be fraught with any number of risks. What they don’t understand is that where you download it from is just as important as what you download. The internet abounds with sites that offer free versions of many reputable paid programs. These downloads will often contain trojans, spyware, worms, viruses and other types of malware.
If possible, limit downloads to business machines. If you can’t, then set proper protocols for downloads and make sure employees fully understand them. All downloads should be run through antivirus and spyware scanners upon completion. In addition, be sure to keep all company software programs up to date with the latest versions. One of the many things that software providers do with each update is provide patches for known security vulnerabilities. If you don’t keep them updated, unpatched programs can leave your entire system vulnerable.
Every year, SplashData publishes a list of the top 100 worst passwords. They compile this list based on leaks of usernames and passwords culled from the dark web. Every year, passwords like 12345, 123456, 12345678 and “password” all top the list, the same way they did in 2015 and just as they did in 2011. Not only should your employees be making unique passwords, but they also need to change them regularly. Once every 90 days is not inappropriate, but once a month is even better.
Good cybersecurity works both ways. While it is important to teach, educate and train your employees on good cybersecurity protocols, it is also important to implement them yourself.
Establishing good protocols includes making sure that all work is backed up frequently. Not only can this protect your employees from losing valuable work (you might be surprised how often critical documents get deleted) but it can also help protect you in case of a ransomware attack.
In addition, you want to make sure you have a comprehensive cybersecurity suite such as Security Ninja PRO that includes tools for monitoring employee activity. While there is a great deal of debate over businesses playing “big brother”, the truth is that data is too valuable an asset these days to simply trust that your employees will maintain good security protocols on their own.
BYOD (Bring Your Own Device)
Millennials, in particular, tend to be very selective about which devices they use. Many prefer using their own cell phone to company tablets or computers. While many businesses are embracing this practice, the truth is you can’t monitor personal devices to ensure proper security protocols are being adhered to. Also, certain industries or businesses are more vulnerable to attack. In some cases it is because they have the most valuable data (such as finance or healthcare); in other cases, it is because they generally have the laxest security protocols.
Small businesses of all kinds are among the most at-risk industries for cyber attacks. While you don’t have to ban your employees from using their devices at work, you should think carefully and establish clear protocols around what they can and cannot be used for or how much access to give them on their personal device.
Spam and Phishing
You would think by now most people would know not to click on links or attachments, but you’d also think they would know not to make 12345 or “password” their password. And yet people still do. The good news is that you can no longer get a virus just by opening an email; the bad news is that ne’er-do-wells are getting smarter and smarter about getting you to click.
In many cases, they will scan company directories to find an employee name and create a fake email account that is very close to your business account. When you get an email that is ostensibly from another employee, you might not think to check the address to be sure it’s legitimately from your company before clicking. This is also a popular tactic for phishing. Rather than sending a link to click that delivers a virus or other malware, phishers will create fake accounts using the name of another employee and ask for sensitive information. In some cases, the information they are requesting may seem innocuous enough, but in the wrong hands, it can be lethal. In other cases, employees have inadvertently sent entire client lists or files to fake email addresses, causing massive data breaches.
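The sender check the paragraph above recommends, as an added example that is not part of the original post: it flags a From: header whose display name copies an employee but whose mailbox is external, or whose domain is a near-miss of the company's own. The company domain and the employee directory are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumptions: the company's real domain and the employee names an
# attacker could harvest from a public directory.
COMPANY_DOMAIN = "example-corp.com"
EMPLOYEE_NAMES = {"alice johnson", "bob lee"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspelled look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like impersonation (empty list = no flag)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: list[str] = []
    if domain == COMPANY_DOMAIN:
        return reasons  # genuinely internal (assumes SPF/DKIM were verified upstream)
    # Display name copies an employee, but the mailbox lives outside the company.
    if name.strip().lower() in EMPLOYEE_NAMES:
        reasons.append(f"display name {name!r} matches an employee but domain is {domain!r}")
    # Domain is a near-miss of the real one (dropped, swapped or substituted characters).
    if domain and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"domain {domain!r} is a look-alike of {COMPANY_DOMAIN!r}")
    # Company label reused under another TLD or inside someone else's host name.
    label = COMPANY_DOMAIN.split(".")[0]
    if domain and label in domain:
        reasons.append(f"domain {domain!r} reuses the company label {label!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three suspicious.
    for hdr in ("Alice Johnson <alice.johnson@example-corp.com>",
                "Alice Johnson <alice.johnson@gmail.com>",
                "Bob Lee <bob.lee@example-corp.co>",
                "IT Helpdesk <help@exarnple-corp.com>"):
        print(hdr, "->", check_sender(hdr) or "ok")
```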
At one time, cybersecurity may have seemed like something only large companies needed to worry about. Most businesses only concerned themselves with protecting or guarding their physical property or their financial assets. Now, if you have clients, customers or consumers, you have something valuable to protect. In the digital age, data has become almost more valuable (and easier to steal) than cash.
Eric Gordon is an independent business development and marketing specialist for SMEs. He loves sharing his insights and experience to assist business owners in growing their revenues. You can find Eric on Twitter @ericdavidgordon.