Let’s face it — your employees are highly hackable.
Regardless of how much money your firm throws at antivirus software and malware training, the ugly truth is that your employees are the ultimate weak link in your company’s cyber protection. While it may be disheartening to know that your firm will never be 100 percent secure as long as you have humans working for you, there are several things you can do to plug what can otherwise become severe data leaks.
Recognizing Human Error
According to multiple security companies, employees account for the majority of data breaches. While these breaches aren’t usually malicious on the employee’s end, they’re largely attributable to low awareness of, or little education in, security best practices. Employees put your firm at risk by committing the following errors:
- Weak passwords and login credentials
- Reused login information
- Lack of phishing awareness
- Lack of communication between employees and IT personnel
- No segregation of business and personal accounts
Fortunately, each of the above errors is fixable through a combination of training, diligence, and regular security tests for both new and long-standing employees. By making your employees aware of relevant risks, providing them with strict guidelines geared toward avoiding those risks, and testing their adherence to those guidelines throughout the course of their employment, your business will be a much safer place.
General Security Practices
One of the most common security errors involves improper login credential use. This can encompass anything from reusing passwords across multiple accounts to leaving one’s business account logged in on a personal computer; whatever the violation, it usually links back to employees failing to keep their passwords secure (and unique) and their business logins isolated to their business computers.
Of course, some employees will need to access things like work email and web services from home. While you can’t regulate this behavior, you might recommend that employees use an incognito tab when using company resources from home. Similarly, make sure you communicate to employees the importance of keeping their personal antivirus programs and security updates as current as possible.
There is plenty of research that suggests changing one’s password often is actually less secure since employees tend to default to easy-to-remember options, so you might look into using a password manager and generator rather than allowing employees to choose their own passwords.
Phishing attacks—a type of security breach usually delivered by email that tricks employees into entering their login information or downloading malware—are perhaps the most frequent problem for corporate security. Luckily, they’re also the easiest attacks to protect against, as your employees will never have to encounter them if they don’t open emails or communications from untrusted sources.
Ultimately, the best way to prevent phishing attacks is by outlining proper communication etiquette for your employees and then sticking to it. For example, telling your employees that you’ll only communicate urgent information via phone or in person will keep them from opening a malicious “urgent” message that looks like it’s from you.
The same goes for website use: your company should have a whitelist (rather than a blacklist) of resources your employees can use, and any other websites, social media included, should be on a strict no-access list. This will both stop employees from accessing sites that pose a threat to your business and make it easier to pinpoint a weak link should one of your employees stray outside the whitelist’s boundaries.
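As an added illustration of the whitelist approach (example code written for this article, not an Abacus Payroll tool), the check below allows only hosts on a constructed allowlist, denies everything else, and tallies which users strayed so they can be identified and retrained. All hostnames, usernames, and request records are made up for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts employees may reach from company machines.
# Everything not listed is denied; a blacklist would instead have to enumerate
# an open-ended set of bad sites and would always lag behind.
ALLOWED_HOSTS = {"payroll.example.com", "mail.example.com"}

# Constructed parent domains whose subdomains are also allowed.
ALLOWED_DOMAINS = {"intranet.example.com"}


def host_allowed(host):
    """True only if host is on the allowlist (exact or subdomain match)."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    # Match on label boundaries: "evilintranet.example.com" must not pass
    # just because it ends with the string "intranet.example.com".
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def check_url(url, user):
    """Return (allowed, log_line). Parse the real host; never trust the raw string."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # strips userinfo and port, lowercases
    if parts.scheme not in ("http", "https") or not host:
        return False, "deny user=%s reason=malformed url=%r" % (user, url)
    if host_allowed(host):
        return True, "allow user=%s host=%s" % (user, host)
    return False, "deny user=%s host=%s reason=not-on-whitelist" % (user, host)


def strays(requests):
    """Map each user to the hosts they were denied, to pinpoint who needs retraining."""
    denied = defaultdict(list)
    for user, url in requests:
        allowed, _ = check_url(url, user)
        if not allowed:
            denied[user].append(urlsplit(url).hostname or url)
    return dict(denied)


# Constructed sample of proxy requests; note the userinfo trick in bob's second URL.
SAMPLE_REQUESTS = [
    ("alice", "https://payroll.example.com/login"),
    ("bob", "https://hr.intranet.example.com/"),
    ("bob", "https://payroll.example.com@attacker.example/"),
    ("carol", "http://social.example.org/feed"),
    ("carol", "https://evilintranet.example.com/"),
]
```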
One of your primary onboarding tasks for new employees should include proper cybersecurity protocol. This entails a breakdown of what you can and cannot do on company computers, apps, accounts, services, and so on; it also means including them in company-wide cybersecurity trainings—potentially even before they officially begin working for you.
Modifying your older employees’ behavior may prove more difficult than onboarding new ones, so make sure that you’re holding a building-wide training on cybersecurity guidelines at least twice per year, and have your employees reaffirm that they’re ticking off all of the boxes on your security checklist (e.g., changing passwords, logging out of accounts when they’re done working, etc.). Posting your list throughout the workplace is also a good way to keep security at the front of your employees’ minds.
Once you’ve established your company’s guidelines for cybersecurity, you can begin testing employees at least once a month. Your tests may be as simple as sending out a fake email and seeing who opens it, or you might ramp up the challenge by involving password tests, checking your employees’ login history, and so on; however, the goal of each test should be to identify as many at-risk employees as possible, allowing you to isolate and retrain them as needed.
You probably pay your IT department handsomely, so it’s in your best interests to listen to their input. Whenever you’re in the process of developing or enforcing a policy, run it by IT before you set it in stone; they may have some additions or tweaks which will both make the policy more secure and ensure that you’re covered in the event of a breach.
Ensuring that your employees run their tech questions by the IT branch will also prevent communication problems down the line.
Cybersecurity threats in the form of your employees can pose a huge liability for any company. Educating your employees on the proper security protocol is a good first step; for more information on how you can make your workplace as secure as possible, call Abacus Payroll at (856) 667-6225 today!