Cyber security is an ever-present risk for small businesses, and employers may not realize that their employees present the greatest exposure—even when their intentions are good.
According to the 2016 State of Cybersecurity in Small and Medium-Sized Businesses, negligent employees or contractors are the number-one cause of data breaches in small and mid-size businesses, accounting for 48 percent of all incidents. An additional five percent are the work of malicious insiders. In contrast, external attacks by hackers account for only 28 percent of breaches.
Insider breaches may stem from an innocent mistake or from ill intent, but whatever the cause, the net effect on your business can be costly. To minimize the part your employees play in the breach of your company data, take these precautionary measures.
Keep your employees in the know and on the lookout.
Cybercriminals employ a wide range of tactics. They’ll send emails posing as a trusted source in need of confidential data, or entice a potential victim to click on a link that silently installs a computer virus that can spread, causing damage or gaining access to sensitive information. Ransomware will hold a computer and its data hostage until the victim pays the money demanded.
The cybercriminal’s methods can take many forms, but you can prevent employees from falling into their traps by advising them to:
1. Be on the lookout for phony emails. Misspellings, poor grammar or the demand to act quickly to avoid a bad outcome are common signs of criminal intent.
2. Verify the legitimacy of the source before responding to emails requesting personal information.
3. Identify and steer clear of suspicious links in emails, tweets, posts, websites and online ads.
4. Never download unsolicited attachments from people they don’t know.
Control access to company data.
The typical organization loses five percent of its revenues each year to employee fraud, according to the Association of Certified Fraud Examiners’ 2016 Global Fraud Study. Managing access to valuable company information is vital, especially online.
Use network tools to protect sensitive files and company-confidential information and to monitor who has accessed what information and when. Assign levels of access to files, folders and applications based on an employee’s need to know, and grant administrator rights to only one or two trusted employees. Review access rights on a frequent basis and change privileges as necessary.
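The periodic access review described above can be run as a short script. This is an added example, not part of the original article; the role map, staff names, grants and log entries are constructed sample data, and the need-to-know mapping is an assumption you would replace with your own.

```python
MAX_ADMINS = 2  # "only one or two trusted employees"

# Assumed need-to-know map: role -> resources that role requires.
NEED_TO_KNOW = {
    "owner": {"finance", "crm", "hr"},
    "bookkeeper": {"finance"},
    "sales": {"crm"},
}

# Constructed sample data: current staff, file-share grants, admins, access log.
STAFF = {"ana": "owner", "ben": "bookkeeper", "cy": "sales", "dee": "sales"}
GRANTS = {
    "ana": {"finance", "crm", "hr"},
    "ben": {"finance", "hr"},   # hr goes beyond a bookkeeper's need to know
    "cy": {"crm"},
    "dee": {"crm"},
    "eve": {"crm"},             # account left behind by a former employee
}
ADMINS = {"ana", "ben", "cy"}
ACCESS_LOG = [
    ("2016-11-01T09:12", "ben", "finance"),
    ("2016-11-01T22:40", "dee", "finance"),  # dee holds no finance grant
    ("2016-11-02T08:03", "cy", "crm"),
    ("2016-11-02T08:30", "ben", "hr"),
]


def review(staff, grants, admins, log):
    """Return findings for too many admins, excess grants and ungranted access."""
    findings = []
    if len(admins) > MAX_ADMINS:
        findings.append(("too-many-admins", sorted(admins)))
    for user, granted in sorted(grants.items()):
        role = staff.get(user)  # None means no current employee owns the account
        excess = granted - NEED_TO_KNOW.get(role, set())
        if excess:
            findings.append(("excess-grant", user, sorted(excess)))
    for when, user, resource in log:
        if resource not in grants.get(user, set()):
            findings.append(("ungranted-access", when, user, resource))
    return findings


if __name__ == "__main__":
    for finding in review(STAFF, GRANTS, ADMINS, ACCESS_LOG):
        print(finding)
```

Each finding maps to an action from the paragraph above: trim the admin list, change a privilege, or follow up on an access that had no grant behind it.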
Set a password policy and enforce it.
Hackers make a career of figuring out passwords. They employ a number of means to do so, from spyware and automated tools to guessing based on information they’ve gleaned about a person online.
To thwart the work of cybercriminals, set a password policy and enforce it. Require employees to:
- Set strong passwords that are at least 10 characters long with a mix of upper and lower case letters, numbers and symbols.
- Never use the same password for more than one account.
- Reset passwords every three or six months.
- Never share passwords with others.
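The first three rules above can be checked automatically when passwords are set or over a password-manager export. This is an added example, not part of the original article; the accounts, passwords and dates are constructed, and the 180-day limit assumes the six-month end of the reset window.

```python
import hmac
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 10                  # "at least 10 characters"
MAX_AGE = timedelta(days=180)    # assumption: six-month reset window

# Constructed sample: (account, password, date last changed).
SAMPLE = [
    ("email", "Summer2016", date(2016, 1, 4)),
    ("payroll", "Summer2016", date(2016, 9, 1)),
    ("bank", "t7#Kq!mZ0x&Lw", date(2016, 10, 1)),
]
TODAY = date(2016, 11, 1)


def complexity_problems(password):
    """Return the length and character-mix rules this password fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 10 characters")
    checks = {
        "no upper case letter": str.isupper,
        "no lower case letter": str.islower,
        "no number": str.isdigit,
        "no symbol": lambda c: c in string.punctuation,
    }
    for message, test in checks.items():
        if not any(test(c) for c in password):
            problems.append(message)
    return problems


def audit(accounts, today):
    """Return {account: [problems]} covering complexity, age and reuse."""
    key = secrets.token_bytes(32)   # per-run key: fingerprints are useless afterwards
    seen, report = {}, {}
    for account, password, changed in accounts:
        report[account] = complexity_problems(password)
        if today - changed > MAX_AGE:
            report[account].append("older than six months")
        tag = hmac.new(key, password.encode(), "sha256").digest()
        seen.setdefault(tag, []).append(account)
    for shared in seen.values():
        if len(shared) > 1:         # same password found on several accounts
            for account in shared:
                report[account].append("password reused on another account")
    return report
```

Reuse is detected by comparing keyed fingerprints rather than the passwords themselves, so the script never needs to keep plaintext side by side.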
Ensure the security of mobile devices.
Business owners increasingly allow employees to use their own devices to work from home and while on the go. However, laptops, smartphones and tablets are susceptible to cyber attacks just as your office computers are. They can also be stolen or go missing.
To manage the security of your employees’ personally owned devices:
- Establish a policy that spells out what work-related activities an employee can and cannot do on their mobile devices.
- Install antivirus and anti-malware software on all mobile devices in use and keep it up to date through automated means.
- Leverage the device’s built-in security controls such as lock screens and the ability to erase the device after a certain number of failed login attempts.
- Provide full disk encryption on mobile devices and removable media such as USB flash drives. This will prevent thieves from being able to read the data in the event that the device is lost or stolen.
- Require employees to report lost or stolen devices immediately.
Screen and monitor your employees.
When hiring, carefully screen candidates to identify those with the potential for malicious intent. For your on-board staff, use technology tools to monitor their daily activities online, especially those who have access to sensitive information such as personal or financial data, payment cards or medical records. This is an accepted practice for protecting your company’s assets; however, for transparency, it is advisable to establish written policies for your online monitoring activities and share those policies with your employees.
If you have a well-founded suspicion of employee violations, you may also consider surveillance equipment. New products on the market allow you to access your system remotely through the convenience of your smartphone, tablet or a web application. Before installing surveillance equipment, consult with your attorney to make sure you’re adhering to state laws on workplace privacy.
Provide employee training.
Most importantly, provide employee training and awareness education on all of the above. Teach them about the importance of security to your company, your customers and your reputation and their role in protecting your company data. Your workplace security depends upon their knowledge, vigilance and participation.