While it is important to realize that hacking is a real, external threat, it is even more important to remember that hacker’s take advantage of existing, internal vulnerabilities. According to the latest 2016 State of SMB cybersecurity study by the Ponemon Institute, 50% of SMBs have been breached in the past 12 months, and the # 1 Endpoint Security Vulnerability for business computer networks continues to be the negligent employees and the devices their use in the workplace.
Disgruntled, misguided, careless, or simply uninformed employees can cause serious damage to your computer network.
An alarming 81% of respondents say the biggest challenge is minimizing the threat of negligent or careless employees who do not follow security policies. It’s very common for a staff member to compromise an entire business network by opening a phishing e-mail (that’s an e-mail cleverly designed to look like a legitimate e-mail from a website or vendor you trust) and clicking on the bait links that can automatically download a virus and infect your employee’s computer and spread trough the rest of the network.
1. Strictly follow the principle of least privilege for every employee
Sometimes employees can compromise your business computer network because they lack training, or are being duped into trusting malicious source: they may mean well, but can let their guard down.
It is important, however, that business owners should not let their guard down. Sometimes intellectual property is being stolen or otherwise compromised by employees. A few years back Ponemon Institute conducted a study that determined some startling statistics:
- Half of the employees stole confidential information from their former employer when changing jobs.
- Over 50% of employees had sent business data to their personal email accounts; about 41% download your business data to their personal devices.
- Over 50% of respondents believed taking confidential information does not harm the company, while 44% feel that your IP is generally available and not secured.
- About 60% believe ownership of IP belongs to the person who created it, not the company they were employed with.
It basically comes down to the point that most employees do not believe that Intellectual Property and Data Safety are a big deal.
What can you do to make sure your data is not compromised? Limiting user access to data and information, and/or limiting authority to install or uninstall the software can go a long way in protecting your business computer network and sensitive data is a great first step! It is important not to provide any one staff member with complete access to all business data systems. Your employees should only have access to specific data systems and limited information that they only need for the business purpose. Employees should not be given the authority nor the ability to install any software without permission and approval of both business owner and your IT personnel in charge of cybersecurity.
2. Require your employees to follow passwords and authentication policies
According to the Ponemon Institute, “59% of SMBs have no visibility into employee password practices and hygiene.” All of your employees must use passwords that are both complex AND unique; require passwords change at least every three months. For best practice, implement a multi-factor authentication ( it requires additional information beyond a password to gain access to the systems.)
3. Train your employees to identify dangerous email that hackers use to take advantage of your business
The most prevalent cyber attacks against small and medium-size businesses are web-based threats and phishing/social engineering.
How do phishing emails fool you and your employees into opening them and clicking on dangerous links?
- By looking legitimate. Beware of Account Impostors: they make emails look very real by imitating content that can come from an actual source such as your financial institution or popular merchant. For example, the link may say “americanexpress.com” but the actual link on hover displays as “americanexpress.sr01.digit.com”. Try to just hover (BUT DON’T CLICK) over the URL in the suspicious email to see the actual URL of a webpage you may be directed to. If the visible link says “americanexpress.com” but the hover link says something completely irrelevant, something like “xyzserver.pops32.malaysia” – make a good judgment call, don’t click, just delete the questionable email and go directly to the website of the resource you want to visit. Remember: Not everything that looks legit, is.
- By clever usage of spelling errors. Hackers are not stupid, and most of those errors are there on purpose: modern anti-virus programs check incoming mail for “common offenders” by comparing the content with a database of commonly used phrases practiced by hackers. For example, if an antivirus is checking for “Free Credit” it may not catch “Free Credlt ” – with a letter “l” instead of a letter “i”, but a human eye would still read it without problems. So if you see an email with “typos” like these, it is safe to assume it is a phishing attempt.
- By representing authority. Hacker’s count on your trust in the authority, and use certain language to gain your trust. Be suspicious of emails that ask you to “confirm”, “validate”, “activate”, or “verify” your personal information or ask for your login credentials. Think logically: why would your bank need you to verify your mother’s maiden name or the security pin, or your account number? They must already have that information, and the only time they should verify it is when you call in, to make sure you are who you say you are.
- By counting on scare tactics. One of the most common social engineering tools is counting on a human response to a sense of urgency or fear. It is often utilized in phishing emails: if you see the subject line that claims your “account has been deactivated”, “your card is suspended”, or your account had an “unauthorized login attempt,” trash that email! When in doubt, call your financial institution directly.
- By calling to temptation. We are not just talking about obvious “foreign lottery”, or “inheritance from a relative” you never had, or “Nigerian prince looking to part with millions” money scams – but less-than-obvious ones, such as sale coupon claims, free exotic vacations or deeply discounted limited time super-deal offers on otherwise expensive buys such as famous brand watches, pricey items, vacations, cars, etc.
Communication is Key
Communicate regularly with your employees – make sure that all of your staff members are well-informed, trained and legally required to follow your organization’s cybersecurity protocol.
If you would like your employees to opt in for these security tips and download a free report we’ve recently published on protecting yourself from cybercrime, forward the link to our IT Security Tips Archive: http://www.powersolution.com/it-security-tips-archive/
If you want a more thorough approach to educating your employees about security best practices, consider adopting an acceptable use policy (AUP) for your company and train your employees on how to avoid data breaches and cyber-attacks. If you have any questions and would like to speak with one of our IT specialists right away, just call at 201-493-1414.
Need to speak to our security experts? Our managed services can keep your business data safe.
Or you can also just give us a call directly at 201-493-1414
If you are looking for a reliable, professional IT security experts and tech support company in New Jersey, we can certainly help.