Uninformed and only-a-little-informed employees are your weakest link. By one estimate, 95% of security breaches involve someone simply making a mistake, which makes negligence one of the most costly insider threats to businesses today. Surprised? Malicious insider attacks are more complex, but they occur far less often than negligent ones. Negligence costs companies an estimated $2 million annually, and for a small business that could mean losing the entire company. More frequent negligence incidents mean more hours spent cleaning up after them rather than boosting productivity. Keeping your employees regularly updated on cybersecurity best practices is good for business and essential for cyber safety.
So, it’s time to educate, or re-educate, your employees about cybersecurity. Rather than reiterating an outdated “Terms & Conditions” on cybersecurity, spend some time researching what will work best for your company. Here are a few helpful topics to start with:
Discuss Insider Threat
This could mean discussing the auditing process, making a trusted System Administrator accountable for monitoring system activity, or requiring an administrator password to download specific files. Be transparent with your employees about how their activity is monitored and managed. Since 58% of cybersecurity incidents can be attributed to insider threat, it’s important to keep your company informed.
Emphasize Personal Responsibility
Cybersecurity is not just a System Administrator’s problem. Cybersecurity affects everyone in a business, so it is everyone’s personal responsibility to follow the policies in place. It is also important to talk about the size and style of the company. Just because you work for a small business doesn’t mean you aren’t at risk of a cyberattack. Just because you work for a large corporation doesn’t mean your flimsy, easy-to-guess password should be overlooked. Everyone is expected to follow guidelines built for the company’s protection.
Encourage Secure Browsing Options
There are plenty of privacy-focused browsers out there, so encourage your employees to use them. These browsers limit how much advertisers, bots, and tracking agencies can learn from your searches and activity. Need a few tips for safe browsing? Hover your mouse over a link or download before clicking to see where it really points and whether the source is trusted. Use a reputable password manager such as LastPass or Dashlane so every account can have its own strong password. Report emails that appear to be phishing, which leads to our next suggestion.
How to Detect a Phishing Email
Nine out of ten phishing emails carried ransomware in 2016. It’s important to know how to sniff out a phishy email for the sake of your company. Oftentimes the first sign of a phishing scam is the “From” email address. For example: an email that claims to be from Amazon but actually comes from an address like “firstname.lastname@example.org” or “email@example.com.” Addresses like these borrow familiar words such as “support” or “noreply” to look harmless, but the part that matters is the domain after the “@,” and in these cases it is not amazon.com. Don’t let phony email addresses like these take you or your company down. Another giveaway is the subject line.
Phishing scams usually have “URGENT,” “CHANGE YOUR PASSWORD,” or “RE-ACTIVATE YOUR ACCOUNT” in the subject line. This is a scare tactic to make you believe you have to open the email and follow its instructions right away. Next, check whether the content of the email is phishy. Check the spelling and grammar, and hover over any buttons or links before clicking them: the text you see and the address the link actually opens can be completely different. If a link to your Amazon order reads “https://www.amazon.com/order-1777829/” but upon hovering the attached link goes to “http://hackers.web.steal-your-info.net,” it’s best to avoid it and report the email.
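The three checks above (sender domain, scare-tactic subject, and link text that disagrees with the real link target) can be automated. The script below is an added example written for this page, not code from the original post; the sample messages are constructed, the phrase list is an assumption to tune for your own mail, and for simplicity it only inspects single-part HTML bodies.

```python
"""Heuristic phishing-email checks: sender domain, urgent subject, link mismatch."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short list of scare-tactic phrases; extend it for your environment.
URGENCY_PHRASES = ("urgent", "change your password",
                   "re-activate your account", "reactivate your account")


def sender_domain(from_header):
    """Return the lowercased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_subdomain_of(host, expected):
    """True if host is expected or a subdomain of it; 'amazon.com.evil.example' is not."""
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of a bare 'www.example.com/path' string."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_like_url(text):
    return "://" in text or (text.startswith("www.") and " " not in text)


def analyze(raw_message, expected_domain):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message)
    findings = []

    dom = sender_domain(msg.get("From", ""))
    if not is_subdomain_of(dom, expected_domain):
        findings.append(f"sender domain {dom!r} is not {expected_domain!r}")

    subject = msg.get("Subject", "").lower()
    for phrase in URGENCY_PHRASES:
        if phrase in subject:
            findings.append(f"scare phrase in subject: {phrase!r}")

    body = msg.get_payload() if not msg.is_multipart() else ""  # single-part only
    extractor = LinkExtractor()
    extractor.feed(body)
    for text, href in extractor.links:
        real = host_of(href)
        if looks_like_url(text) and host_of(text) != real:
            findings.append(f"link text shows {host_of(text)!r} but points to {real!r}")
        elif not is_subdomain_of(real, expected_domain):
            findings.append(f"link points off-domain to {real!r}")
    return findings


# Constructed sample messages (not real mail). PHISH mimics the page's example.
PHISH = "\n".join([
    "From: Amazon Support <support@example.org>",
    "To: employee@yourcompany.example",
    "Subject: URGENT: Re-activate your account",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>Your order is on hold. Confirm here:</p>",
    '<a href="http://hackers.web.steal-your-info.net/login">'
    "https://www.amazon.com/order-1777829/</a>",
])
LEGIT = "\n".join([
    "From: Amazon <orders@amazon.com>",
    "To: employee@yourcompany.example",
    "Subject: Your order has shipped",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Track it at <a href="https://www.amazon.com/order-1777829/">'
    "https://www.amazon.com/order-1777829/</a></p>",
])

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw, "amazon.com") or ["no findings"])
```

Note that `is_subdomain_of` requires the expected domain to sit at the end of the hostname, so a lookalike such as `amazon.com.evil.example` is still flagged; a plain substring check would miss that trick.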
Create Strong Passwords
Passwords are the first line of defense for many pieces of your business’s puzzle: your workstation, your email, your bank account, and so on. Create a different, strong password for each piece, because a password reused across accounts lets one breach unlock the rest; two-thirds of people use no more than two passwords for all of their online accounts. We suggest at least 12-15 characters that mix lowercase letters, capital letters, numbers, and symbols.
For example: “pAssW0rD15” is not a secure password even though it looks complex. It is the dictionary word “password” with predictable letter-for-number substitutions and two digits appended, which is exactly the pattern password-cracking tools try first. Instead, try creating a passphrase that only YOU would know.
Better example: “I’m from Kansas and I like chocolate pie” could turn into “-4mks&-LYKch0C0P1”. It looks complex, contains no dictionary word to guess, and only YOU can translate it.
Incident Reporting and Response
In the case of any cyberattack, or even a negligent misstep, it is important to establish reporting and response procedures. These are policies your employees can follow to report any kind of phishing email, pop-up scam, or social-engineering call on a company phone. Response procedures should be carried out with a System Administrator or IT team to contain the incident and repair any damage. Educate your company on the policies and procedures in place now, and send updates regularly to discourage complacency.