If you believed the headlines plastered across some of the IT industry’s leading news sources, you’d probably think the biggest threats to your business were ransomware, DDoS, phishing, and possibly even…smishing?? But before you rush off to Google any of those, we want to let you in on a little secret. The biggest security vulnerability your network has ever, or will ever, experience is employees who have not been educated on cyber-security from a technology user’s perspective.
Is there anyone on your staff who assumes protecting company data is someone else’s problem? What about employees who carelessly surf the internet for personal pleasure without regard for the threats that poses to your network? Staff members being unaware of the implications of their own security footprint is a big problem shared by organizations of all sizes and industries. From SMBs to large enterprises, it’s one we believe should be addressed with urgency to prevent a company-wide disaster.
The main problem with untrained employees is that antivirus, firewall, and web-security solutions are only as capable as the people shielded behind them. Think about it: you can have the longest, highest wall in the world, but if you toss the keys to the bad guys on the other side, the wall is pointless and you have no defense at all – just a false sense of security.
It’s easy to see how cyber-criminals have capitalized on the human vulnerabilities within your network. Traditional hardware- and software-based security strategies keep improving and becoming more comprehensive, yet phishing attacks jumped 250 percent during a six-month period between 2015 and 2016.
There’s simply no need for cyber-attackers to go through all the work of defeating cutting-edge network security if it’s easier for them to create a website that masquerades as a trustworthy platform or service and asks for access to restricted data. Think about it: do you know how to tell the difference between a genuine cloud platform asking you to reset your password and an imitation website that steals your credentials once you’ve entered them?
Sadly, being overly trusting of emails and websites is just one example of dangerous employee habits. Carelessly sending confidential information without encryption, providing company details to unverified vendors in person or over the phone, and connecting personal devices to the company network are all totally outside the scope of your cyber-security technology. We strongly advise every business that uses technology to invest in organizing and monitoring effective training sessions for all of its employees, regardless of their level of access to company data.
Best-practices training must include thorough education on avoiding common social engineering scams and a clearly defined code of conduct regarding company technology and data. Employees can’t just be trained on what they need to do; they must also be told what’s at stake if they fail to follow the guidelines you set forth.
Whether it’s the loss of personal devices that have been granted company privileges or the theft of company devices that are allowed to leave the premises, both pose just as much of a threat as out-of-date antivirus software. Taking these devices outside the office doesn’t just forgo the protective walls of your network security; it puts your data within the physical grasp of thieves — and not just the digital sort.
From the breach of over 200,000 medical records to the theft of an NFL trainer’s laptop with thousands of players’ medical records, this type of data loss is far more prevalent than most business leaders realize. Even if you don’t have laptops or tablets for employees to take home, how many members of your staff have company email accounts on their smartphones? All it takes is one forgetful afternoon at the local coffee shop for thieves to literally get their hands on email attachments and sensitive correspondence.
In addition to training employees to avoid social engineering scams, we also suggest educating everyone in your organization on:
- Which devices are allowed to connect to the company network
- Which company devices are permitted to leave the office
- How those devices must be protected while checked out
- Which accounts can be accessed from devices outside of the office
- How to notify your IT support about the loss or theft of a device
The Importance of GOOD Passwords
According to a recent TeleSign survey of 2,000 people, around half of your employees are guarding their online accounts with passwords that are at least five years old. And because that same survey revealed that 73% of passwords are duplicated from other accounts, if your employees use Yahoo, Dropbox, eBay, Adobe, LinkedIn, or PlayStation — all of which recently had their user databases leaked — your staff members’ passwords should be considered compromised.
Don’t believe us? How many accounts do you use the same password for? Famed boy genius Mark Zuckerberg’s password was leaked earlier this year. Can you guess what it was? ‘dadada.’ Two distinct letters, six characters, and used across several of his other accounts. The story of Twitter’s CEO was almost exactly the same, only his six characters were ‘nopass’.
All the top-of-the-line technology in the world can’t stop a cyber-attacker who has the password to your account. That’s why, somewhere amidst the training on safe online practices and the guidelines for off-premises technology, you must have a lengthy discussion on healthy passwords. This isn’t a two-sentence summary of what makes a safe password; it’s a dedicated session devoted to how often passwords should be updated, using different passwords on different platforms, and what makes a password strong.
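As an added example (not code from the original post or its author), the script below turns the three points of that session into checks an IT team could actually run: a set-time check for weak or known-leaked passwords, and a periodic audit that flags passwords older than five years or reused across services. The account records, the 12-character minimum, the audit date and the small blocklist are all constructed assumptions; the audit compares digests rather than plaintext, and a real deployment would check candidates against a breached-password corpus instead of a hand-written set.

```python
import hashlib
from collections import defaultdict
from datetime import date

MAX_AGE_YEARS = 5   # the post: half of passwords are at least five years old
MIN_LENGTH = 12     # assumed policy minimum, not from the post
AUDIT_DATE = date(2016, 11, 1)  # constructed "today" for the audit

# Assumed local blocklist: the two leaked values named in the post plus a
# few common ones. A real check would consult a breached-password corpus.
BLOCKLIST = {"dadada", "nopass", "password", "123456", "qwerty"}


def digest(password):
    """Audit records hold a digest of the password, never the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample inventory: one record per account a user holds.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "service": "email",   "pw_digest": digest("dadada"),        "set_on": date(2011, 3, 1)},
    {"user": "alice", "service": "dropbox", "pw_digest": digest("dadada"),        "set_on": date(2016, 5, 9)},
    {"user": "bob",   "service": "email",   "pw_digest": digest("Tq8#vL2m!pXz9"), "set_on": date(2016, 1, 15)},
    {"user": "bob",   "service": "crm",     "pw_digest": digest("Tq8#vL2m!pXz9"), "set_on": date(2016, 1, 15)},
    {"user": "carol", "service": "email",   "pw_digest": digest("correct-horse-battery"), "set_on": date(2016, 7, 1)},
]


def check_new_password(candidate):
    """Set-time check. Returns the list of policy violations; empty means OK."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in BLOCKLIST:
        problems.append("known_leaked")
    if len(set(candidate)) < 4:  # 'dadada'-style: built from a tiny alphabet
        problems.append("low_variety")
    return problems


def audit_accounts(accounts, today):
    """Periodic audit. Flags passwords older than MAX_AGE_YEARS and passwords
    reused by the same user across services. Returns {user: sorted findings}."""
    findings = defaultdict(set)
    services_by_digest = defaultdict(list)
    for acct in accounts:
        age_days = (today - acct["set_on"]).days
        if age_days >= MAX_AGE_YEARS * 365:
            findings[acct["user"]].add("stale:" + acct["service"])
        services_by_digest[(acct["user"], acct["pw_digest"])].append(acct["service"])
    for (user, _digest), services in services_by_digest.items():
        if len(services) > 1:
            findings[user].add("reused:" + "+".join(sorted(services)))
    return {user: sorted(items) for user, items in findings.items()}


if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE))
    for pw in ("dadada", "nopass", "Tq8#vL2m!pXz9"):
        print(pw, check_new_password(pw))
```

Run as-is, the audit reports alice for both a stale email password and reuse across email and Dropbox, and bob for reuse across email and the CRM, while the set-time check rejects both leaked six-character passwords from the post. Keeping the strength check at set time and the audit on digests is deliberate: the audit never needs to see a plaintext password.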
The automated solutions of antivirus software, hardware firewalls, and intrusion prevention systems are essential elements of a comprehensive security plan. With the right processes, deployment and management of those solutions is almost entirely removed from your field of vision. However, keeping those solutions running smoothly and efficiently is not enough; it is absolutely essential that your staff be assigned a training program to keep your data, your technology, and your organization safe from the subtle threats of human error.
Cyber-security isn’t one solution; it’s a layering of several solutions. Unfortunately, humans are often the weakest link in that chain. Thankfully, more than two decades in the technology industry have given us a lifetime’s worth of experience, and by investing just a couple of hours now, you can prevent countless hours of disruption and losses in the future. The sooner you make that investment, the more it pays off — make the first move and contact us today.