Today’s businesses face digital threats of all sorts. Data breaches make the news just about every week (and those are just the ones we know about). Bad actors are looking for vulnerable websites and databases, hoping to capitalize on small technical mistakes and find a way in. It’s enough to keep a small business leader up at night.
That reality is scary, but this one’s even scarier: for many businesses, the greatest threat to the business’s data and security isn’t external. It’s the employees themselves.
Problem #1: Saving Files Locally
One of the easiest ways for your employees to put business data at risk is by saving files locally. Most of us are familiar with saving a document to the “Documents” or “My Documents” folder on our home computer. Sometimes, the fastest way to get something done is to drag a file to the desktop. But in a work environment, these are not secure methods for dealing with files.
Why? Because saving files in this way saves them to the local computer, which is rarely (if ever) backed up. The file actually resides on the machine sitting in front of your employee, and that machine is physically vulnerable. All it takes is a component failure, a freak electrical surge, or even a spilled cup of coffee, and all the files stored locally could be gone forever. A locally saved file also sits outside the access controls, encryption and audit trail that apply to the company's central storage, so nobody can say who has seen it or where it has gone.
Solution #1: Save Business Files to the Right Location
Most businesses already have some kind of central location for business files set up. This could be a company drive, a company server or a cloud storage solution. Whatever the format, this location should be backed up regularly, and somebody should confirm that the backups actually work by restoring a file from them now and then. If something happens to the physical piece of equipment where the files are stored, your managed IT provider will be able to retrieve a backup copy of the lost files.
If your business doesn’t have a network or cloud storage infrastructure set up yet, we can help with that, too.
Problem #2: Falling for Phishing Emails
Phishing emails are another big concern for small and medium businesses. They don't attack your network or your data directly; instead, they exploit your employees' trust and their habit of acting quickly. And they can be highly effective, because it's nearly impossible to eliminate human error completely.
An email-based phishing attack will imitate a well-known company, like Microsoft, Apple or Amazon. An unsuspecting employee may receive an alarming email from “Apple” that tells them there’s a problem with their account, and they need to click to resolve it right away. When your employee clicks the link, they are taken to a realistic-looking sign-in page that asks them for their Apple credentials.
Of course, the email isn’t really from Apple. And if your employee signs in, your employee’s credentials are now compromised. They’ve been phished.
Why are these phishing campaigns so successful? A few reasons. First, the people sending these messages have gotten pretty sophisticated. The messages often look pretty convincing, with realistic graphics and messaging. Also, there is often an urgency about these emails, kind of like the spam calls that tell you, “the IRS has an arrest pending against you.” (Spoiler alert: they don’t.) The phishers are smart, and they’re trying to scare your employees into acting without thinking critically.
Solution #2: Technology Plus Training
The solution here is twofold. First, you need the right technology solutions. Strong spam filters will reduce the number of phishing emails that get through (just check your Gmail spam folder to see evidence of this).
Capable virus scanners will mitigate the threat of unwittingly installing malware via a phishing attachment or download. Note that neither spam filters nor virus scanners stop the credential-harvesting variant described above, where nothing is installed at all. For that, require a second factor at sign-in (multi-factor authentication): a phished password on its own is then not enough to get in.
But second, you need effective training for your employees. No amount of technology can completely remove the human element, so make sure the people who work for you know what to look for. There are several web-based phishing quizzes available, including quizzes from Google, the FTC, and OpenDNS. These are a great place to start, but a quality managed IT services provider will offer more in-depth phishing training, and periodic simulated phishing emails are the only reliable way to measure whether the training is sticking.
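The indicators described above (a sender that only claims to be a well-known company, a link whose visible text names one site while it actually points to another, and pressure to act right away) can be checked mechanically. The script below is an added example written for this article, not code from the original post or from any mail filtering product. It uses only the Python standard library, the two messages it analyses are constructed for the example, and the brand-to-domain table is an assumed allow-list that a real deployment would maintain; real filters add many more signals (SPF/DKIM/DMARC results, URL reputation, attachment scanning).

```python
"""Flag common credential-phishing indicators in an email message.

Added example for the article; not code from the original post.
Standard library only. Sample messages are constructed; TRUSTED_DOMAINS is
an assumed allow-list.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands to protect and the domains they legitimately use (assumed list).
TRUSTED_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "microsoft": {"microsoft.com", "office.com", "live.com"},
    "amazon": {"amazon.com"},
}
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended",
                   "verify your account", "right away")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com-style hosts, not for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    subject = msg["Subject"] or ""

    # 1. Display name or subject names a brand, but From is not that brand's domain.
    from_name, from_addr = email.utils.parseaddr(msg["From"] or "")
    from_domain = registrable_domain(from_addr.rpartition("@")[2])
    for brand in TRUSTED_DOMAINS:
        if brand in f"{from_name} {subject}".lower() and from_domain not in TRUSTED_DOMAINS[brand]:
            findings.append(f"claims to be {brand} but From domain is {from_domain}")

    # 2. Links: visible text naming one domain while href goes elsewhere, and
    #    look-alike domains containing a brand name the brand does not own.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    for href, text in extractor.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != href_domain:
                findings.append(f"link text shows {registrable_domain(shown)} but points to {href_domain}")
        for brand, domains in TRUSTED_DOMAINS.items():
            if brand in href_domain and href_domain not in domains:
                findings.append(f"look-alike domain {href_domain} imitates {brand}")

    # 3. Pressure to act now, the hallmark the article describes.
    hits = [p for p in URGENCY_PHRASES if p in f"{subject} {content}".lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


def is_suspicious(raw_message):
    """Two or more independent indicators is a reasonable quarantine threshold."""
    return len(phishing_indicators(raw_message)) >= 2


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Apple Support" <no-reply@appleid-security.example>
To: valerie@example.com
Subject: Your Apple ID has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your account within 24 hours or it will be closed.</p>
<p><a href="https://appleid-security.example/login">https://appleid.apple.com/</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Apple" <no_reply@email.apple.com>
To: valerie@example.com
Subject: Your receipt from Apple
Content-Type: text/html; charset="utf-8"

<html><body><p>Thanks for your purchase.</p>
<p><a href="https://www.apple.com/support/">Get help</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "->", phishing_indicators(sample) or "no indicators")
```

Run as a script, it reports four indicators on the constructed phishing message (spoofed brand, mismatched link, look-alike domain, urgency wording) and none on the receipt. The thresholds and phrase list are deliberately simple; the point is that each of the tells a trained employee is taught to spot can also be checked before the message reaches the inbox.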
Problem #3: Using Personal Computers to Do Business Tasks
While BYOD (bring your own device) is growing in popularity, we don’t recommend it until organizations reach a certain size where they can afford to support it and can have clear IT governance in place. There are plenty of ways that using a personal device for work can create security risks, and most small businesses aren’t equipped to deal with these security holes.
For example, you can't control what software employees install on their personal computers. You also can't control the environment in which they use their own devices. You don't want a malware-infected personal machine accessing your network, nor do you want the possibility of a personal device getting stolen while logged in to your most sensitive resources. Further, a personal machine with an outdated operating system carries unpatched vulnerabilities, giving attackers a way into your network.
Solution #3: Secure Network Infrastructure with Approved Business Devices
When you own the computers, you control the rights management, software installs, and software and OS updates. Don't allow BYOD until you're absolutely sure you're ready for it (and that your managed IT services provider is ready to support it). Also, be sure your company-owned equipment is kept up to date with security patches. This, too, is something your managed IT partner will handle for you.
Problem #4: Poor Password Hygiene
Poor password practices often put business data and security at risk, and these can show up at all levels of an organization. Think of usernames and passwords like physical locks. Padlocks are a great tool for keeping your stuff safe. They aren't foolproof: if someone is determined enough and has access to the right tools (say, a blowtorch or a sledgehammer), they can get through the padlock. But it takes effort and intentionality. However, if you leave the key to your padlock taped to the back of the lock, it loses all value at protecting your stuff. If anyone can access the key, anyone can open the lock.
Passwords work the same way. They tend to be pretty effective when used properly. But if your employee keeps a list of important passwords on a sticky note under the keyboard, the passwords are nearly useless. Anyone who gains physical access to the workspace can steal those credentials easily.
Another issue with passwords is that they can be hard to remember. So people tend to use short, simple passwords, and they tend to reuse them on multiple sites. This, too, creates substantial security risks for your business.
Here’s an example of how password reuse can create security risks. Companies get breached all the time. The big ones make the news (like the Yahoo! breaches of 2013 and 2014, both disclosed in 2016). Your employee may have heard about the Yahoo! breach (or any of thousands of others) and not thought much of it. She hasn’t used her Yahoo! account in years, anyway. She considers that account information unimportant.
But if she reused the same password from her defunct Yahoo account for her social media (or, worse, bank account), those accounts could easily be compromised, too. Bad actors buy these stolen credentials online and try them automatically, in bulk, on other sites (a technique known as credential stuffing), looking for a way into accounts with real power.
To sum up, when employees keep lists of work passwords on sticky notes or in digital files, it puts your company at risk. So does reusing passwords from site to site.
Solution #4: Set Sensible Password Rules and Consider a Password Manager
In addition to educating your workforce on the importance of following good password hygiene, there are two significant steps you can take. First, set password rules that reflect current guidance (NIST Special Publication 800-63B). Forcing everyone to change their password every 30, 60 or 90 days used to be standard advice, but it is no longer recommended: people respond to forced rotation with predictable tweaks ("Summer2019!" becomes "Summer2020!"), and attackers know it. Instead, require a minimum length (12 characters or more is a reasonable floor), screen new passwords against lists of passwords exposed in known breaches, prohibit reuse of previous passwords, and require a change when (and only when) there is evidence a password has been compromised. Pair passwords with multi-factor authentication wherever it is offered.
Another great solution to this problem is to implement a business-grade password manager. Solutions like 1Password are effective for both personal and business use. The manager generates a long, random, unique password for every site and fills it in for the user, so reuse simply stops, and the individual has just one master password to remember instead of hundreds. Make that master password a long passphrase and protect the vault with multi-factor authentication, because it now guards everything else.
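To make the password rules concrete, here is an added example written for this article (not code from the original post or from any password manager product) of the checks a sign-up or password-change form can run: a minimum length, a block-list of passwords seen in breaches, no reuse of the employee's own previous passwords, and no username inside the password. Forced periodic rotation is deliberately absent. The breached-password set and the user's password history are constructed for the example; a real deployment would check a breach corpus such as Have I Been Pwned and read the history from its user database.

```python
"""Accept or reject a new password under current guidance (NIST SP 800-63B).

Added example for the article; not code from the original post. The
BREACHED set and HISTORY are constructed stand-ins for a breach corpus and
a user's stored password history.
"""
import hashlib
import os
import secrets

MIN_LENGTH = 12
HISTORY_DEPTH = 5  # how many previous passwords a user may not go back to

# Constructed stand-in for a breached-password corpus (lower-cased entries).
BREACHED = {"password1", "welcome123", "summer2019!", "letmein", "qwerty123"}


def hash_password(password, salt=None):
    """Salted scrypt hash; store (salt, digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(candidate, username, history):
    """Return the reasons to reject `candidate`; an empty list means accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in a known-breach list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    # Only hashes are stored, so reuse is detected by re-hashing with each old salt.
    if any(matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("matches one of your previous passwords")
    return problems


def generate_password(nbytes=16):
    """What a password manager does for you: a random, unique secret per site."""
    return secrets.token_urlsafe(nbytes)


# Constructed history for user "valerie": two earlier passwords, stored hashed.
HISTORY = [hash_password(p) for p in ("Autumn-Leaves-2022", "Winter-Frost-2023")]


if __name__ == "__main__":
    for pw in ("Summer2019!", "Winter-Frost-2023", "valerie-rocks-2024", generate_password()):
        verdict = check_new_password(pw, "valerie", HISTORY)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the reuse check can only catch an exact repeat, because the server holds hashes rather than the old passwords. It cannot see that "Winter-Frost-2023" became "Winter-Frost-2024", which is exactly why forced rotation adds little and a manager-generated random password (the last line of the demo) is the better answer.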
Problem #5: Not Verifying Requests for Access
If your business is small and local, pretty much everyone knows everyone. But as your business grows (or if your business involves a lot of virtual hires), you’ll begin to lose this family atmosphere. One growing pain we see among companies making these kinds of transitions is a failure to verify requests for access.
In the olden days, if Valerie from Sales asked for network access, she got it. There wasn’t really any perceived need to ask any questions about it. But today, “Valerie from Sales” lives five states away, and the request for access pops up as an email or chat message. It could be legitimate, or it could be an attacker impersonating her to talk their way into your systems.
Today’s businesses need to verify that Valerie is really Valerie and that she actually needs the access she’s requesting.
Solution #5: Training and Vigilance About Access Control
The solution here is to ensure that anyone who has access control is well trained in how to validate access requests: confirm the request through a channel you already trust (a call to the phone number on file or a message in the company chat, never a reply to the email that made the request), and have the requester’s manager confirm that the access is actually needed for the job. Grant the narrowest access that gets the job done, record who approved it, and review or expire it periodically. It’s a good idea to keep the access control circle as small as is feasible, because everyone with this authority must remain vigilant at all times.
Problem #6: Failing to Lock Computers When Stepping Away
Failing to lock computers when stepping away is an especially important problem for those working with sensitive data (think business finances, customer data, protected medical data and so forth). When an employee steps away from an unlocked workstation, anyone with physical access to the workspace can gain access to whatever the employee has access to. Not only can bad actors steal information this way, but they could also take inappropriate actions that will get blamed on the user who’s logged on.
Solution #6: Training and Timers
The first part of the solution is training. Your people need to know that walking away from a workstation without locking it is a serious problem. It’s severe enough that you might consider setting some sort of penalty for doing so.
The second half of the solution is to set all business computers to lock after a short period without interaction (on Windows domains this is the “Interactive logon: Machine inactivity limit” security policy; macOS offers the same thing in its Lock Screen settings), and to teach people the shortcut that locks the screen instantly (the Windows key plus L on Windows, Control-Command-Q on a Mac). Doing so will limit the window of opportunity for bad actors, but it doesn’t eliminate it completely. That’s why training and enforcement are the first step.