October is National Cyber Security Awareness Month, which can mean paying extra attention to keeping intruders from breaching your company’s data. While tools such as firewalls and virus protection software can be critical ingredients of a secure system, employees may often be overlooked as a key to your system’s safety.
“Cybersecurity is not just about IT. The best detection tools only do part of the job,” says James Pooley, an IP and legal security consultant and author of Secrets: Managing Information Assets in the Age of Cyberespionage. “Hacks come from the outside, but they usually succeed only with help from the inside,” he says. “It’s usually accidental, like what happened with the Sony hack. Someone saw an email that looked legitimate and clicked on an attachment that opened a door, letting malicious software enter the system. It sat there like a sleeper cell, gathering data and waiting for the perfect time to strike.”
While external hacks make headlines, the most common data breaches stem from employee negligence, agrees Michael Bruemmer, vice president of consumer protection at Experian. “Cyber-attacks exploiting human mistakes are extremely common. It only takes an employee surfing the Web and accidentally allowing viruses on his or her computer or receiving an email from an unknown source and clicking on a phishing scam link to put the company at risk.”
Social Media a Culprit
Many people reveal a great deal about themselves on social media, believes Pooley, and that can allow hackers to “scrape” those sites for information and use it to craft messages that look like they're coming from friends or coworkers. “The message might have an attachment or a link to a fake website that hosts the invasive software. Everyone in a company has the potential to become an unwitting accomplice for hackers,” he says.
“Some of the biggest hacks are what we call social hacks,” agrees Erik Knight, CEO of SimpleWan. “Most of the time the computer systems are not what fail. It's the people problem. The quickest way to gain access to a system is to talk your way into it.”
Cyber-breaches will likely continue to get worse, so it can be critical for small-business owners to get a handle on the situation, Knight believes. “As Fortune 500 companies toughen up their security, hackers are going to start targeting smaller organizations, because they lack the procedures and technology to protect themselves. Technology is important, but the people factor can circumvent almost any of those technologies if not properly addressed early on,” he says.
“For every high-profile retail breach you’ve heard about, you can bet there were at least a dozen cyber-attacks on small and medium-sized businesses,” Bruemmer adds. “Small businesses are often preyed upon by cyber-criminals, who view the category as having fewer resources to manage cyber-security.”
Whether hackers succeed may depend on how careful you and your employees are. To help develop a culture of cybersecurity for your company, keep the following tips in mind.
“The single most important and cost-effective action any company can do to raise its game on information security is training, but it can’t be a one-time orientation video for new hires,” Pooley says. “To be really effective, training has to be continuous; varied, so it’s interesting; world class, which means hiring experts, and inclusive, [which means] executives have to join in.”
According to Pooley, the best training should include real-world examples that enable employees to see how cybersecurity leads to job security. “When an employee does detect something and report it, publicly thank the staff member—people notice that,” he says.
“Frequently remind employees about security procedures and conduct trainings every year,” Bruemmer says. “There are many other best practices to follow, including requiring mobile devices to be tested for security prior to connecting to networks or enterprise systems, improving access and authentication practices to make sure that only the appropriate employees and contractors have access to its information systems, and encrypting sensitive or confidential personal and business information stored on computers.”
Teach Red Flags
“Cybersecurity starts with employee awareness, so the more you teach them about the threats, such as phishing scams, adware, malware and viruses, the better,” says Kevin Layton, CEO of Data-Dynamix, which specializes in demographic data and marketing strategies. “Giving guidance about what to look for in emails and computer performance is very important to minimize the threat. Strong and changing passwords are also key, as well as policies that discourage sharing them.”
For the best protection, staff should be kept up-to-date on the latest cyber threats, believes John Canfield, vice president of risk management at WePay, where the company regularly does training to update employees. “For example, spear phishing is an email that comes from a cyber-thief but appears to be from someone within your operations or from another company you do business with in an attempt to obtain data. Staff aware of such threats can then double check to make sure the request is coming from a legitimate source rather than unknowingly releasing sensitive information.”
Have a Plan
Once cyber-threats are detected, employees should know what to do with the information, which is why having an incident response plan can be crucial. “A plan can help your company act quickly if a data breach occurs and acting quickly can help to prevent further data loss, significant fines and costly customer backlash,” Bruemmer says.
Read more articles about cybersecurity.