As originally published in the American City Business Journals.
(Or, take a look at this same piece as it was published in the Upstart Business Journal!)
Raise your hand if every single member of your organization is supremely tech-savvy and 100 percent up-to-date with the latest trends and threats that are out there.
We all know that cyber threats are only increasing in quantity and sophistication as time goes on. And hopefully at this point we have also accepted that no business is too small to be the target of these attacks.
Putting the proper technical controls in place to secure your network is a great start, but your greatest vulnerability will always be your people. That’s why it’s your responsibility as a business owner to make sure your staff is educated enough to keep your data safe.
While regular, professional training is ideal wherever possible, you must at a minimum make sure your staff knows to:
1. Use strong, unique passwords
In 2015, despite all of the headlines and hubbub about data breaches, the 5 most popular passwords were “123456,” “password,” “12345678,” “qwerty,” and “12345.”
Don’t let these be the only thing between hackers and your data. Create a password policy, and have your IT team help you enforce it across your network and applications. If there are concerns about memorizing so many different passwords, outfit your staff with a password manager like PasswordBox or Dashlane.
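A minimal checker for the kind of password policy described above, added here as an example (it is not the article's code, nor that of PasswordBox or Dashlane). It rejects the five passwords listed in the previous paragraph, including trivial variations such as a trailing digit or symbol, and enforces an assumed minimum length of 12 characters, which the article does not specify:

```python
"""Password-policy check: constructed example, not code from the article."""
import re

# The five most common 2015 passwords the article lists. A real deployment
# would load a much larger breached-password list instead of this set.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345"}

MIN_LENGTH = 12  # assumed policy value; the article names no specific length


def _normalize(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' still matches 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations for `password` (empty list means it passes)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS or _normalize(password) in COMMON_PASSWORDS:
        violations.append("matches a commonly used password")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        violations.append("uses fewer than three character classes")
    return violations


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "correct-Horse-Battery-7"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The blocklist comparison runs on a normalized form as well as the raw string, because "Password1!" satisfies naive complexity rules yet is the article's most popular password with two characters appended.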
2. Lock their computers when they step away
How easy would it be for someone today to walk into your office, go up to a computer, and access sensitive, proprietary information from your network? To make changes? To send bogus emails?
According to the International Facility Management Association, around 70 percent of offices today have open floor plans. So, chances are it wouldn’t be all that difficult. Train your staff to lock their machines every time they leave their space — even if it’s only for a moment — and set a central information technology (IT) policy to automatically lock machines after inactivity as a backup.
3. Call to verify suspicious emails
Email spoofing has cost businesses nearly $750 million between October 2013 and August 2015. Just this April, my chief operating officer received a message from my email address requesting he wire nearly $20,000 to a bank account in Missouri.
We can no longer take for granted that an email is truly coming from its apparent source, and we must approach any email that feels even the littlest bit “off” with serious caution. In this example — besides the fact that I would never request a wire transfer — the very formal, very uncharacteristic “kind regards” in the email signature was a dead giveaway that the message was forged.
Before clicking attachments, links, or sending any money or sensitive information, your staff should know to call the supposed sender to verify that the original message is legitimate. (And make sure your team members accept these calls graciously so as not to discourage the practice.)
4. Turn their machine off immediately if they’ve been compromised
If you aren’t able to prevent an attack in the first place, the next best thing is to stop it from spreading to the rest of your network.
If ever a staff member suspects that their machine is infected with any kind of malware, be sure they know to (1) shut their machine off, and (2) call your IT team. The more time you lose to panic or confusion, the more time that malware has to infect the rest of your environment.
5. Save their files where they’ll be backed up
Does your backup system touch every staff member’s local drives? Their desktops? Network drives only?
Check with your IT team to see where your staff should be saving their files, and discuss this with every staff member as part of their onboarding. Remember: Backups are your only defense if you’re hit with ransomware, or if disaster strikes.
These are simple practices, but they won’t be top-of-mind unless you incorporate them into your standard training routine and your corporate culture. Your IT team should be able to help you with this, too.
Above all, don’t let the fate of your company’s data rest on assumptions and good intentions. The risk is far, far too high.