You pour so much into running your business. You just want to see it thrive. So, you spend the extra hours learning about technology and new ideas and changes to the market and everything else that helps you stay ahead of the competition. It’s a lot, and it’s ok if you feel the need for some help.
Are Employees Unknowingly Putting Your Business’s Data At Risk?
Today’s businesses face digital threats of all sorts. Data breaches make the news just about every week (and those are just the ones we know about). Bad actors are looking for vulnerable websites and databases, hoping to capitalize on small technical mistakes and find a way in. It’s enough to keep a small business leader up at night.
That reality is scary, but this one’s even scarier: for many businesses, the greatest threat to the business’s data and security isn’t external. It’s the employees themselves.
Here at Southeastern Technical, we see quite a few ways that employees unknowingly put their company’s data at risk. Fortunately, many of these risks are easy to address, and some only require training. Here are six of the ways that your employees could be putting your business’s data at risk, as well as the solutions to each problem.
One of the easiest ways for your employees to put business data at risk is by saving files locally. Most of us are familiar with saving a document to the “Documents” or “My Documents” folder on our home computer. Sometimes, the fastest way to get something done is to drag a file to the desktop. But in a work environment, these are not secure methods for dealing with files.
Why? Because saving files in this way saves them to the local computer, which is rarely (if ever) backed up. The file actually resides on the machine sitting in front of your employee, and that machine is physically vulnerable. All it takes is a component failure, a freak electrical surge, or even a spilled cup of coffee, and all the files stored locally could be gone forever.
Most businesses already have some kind of central location for business files set up. This could be a company drive, a company server or a cloud storage solution. Whatever the format, this location will be backed up regularly. If something happens to the physical piece of equipment where the files are stored, your managed IT provider will be able to retrieve a backup copy of the lost files.
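As an added example (not Southeastern Technical’s own tooling), this script reports whether a user’s Desktop and Documents folders still point at the local disk, and how much data is sitting there without a backup. It assumes a Windows workstation and that redirected folders resolve to a UNC share or a OneDrive path, the two kinds of central location described above.

```powershell
# Added example: audit which "save here by default" folders are local-only.
# Assumption: central storage shows up as a UNC path (\\server\share) or a
# OneDrive folder; anything else is treated as local and therefore unbacked.
$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-LocalOnlyFolders {
    param([string[]]$Names = @('Desktop', 'Personal'))   # 'Personal' is My Documents
    $props = Get-ItemProperty -Path $shellFolders
    foreach ($name in $Names) {
        # Values are REG_EXPAND_SZ; expand %USERPROFILE% and friends to a real path.
        $path    = [Environment]::ExpandEnvironmentVariables($props.$name)
        $central = $path.StartsWith('\\') -or ($path -like '*\OneDrive*')
        $files   = @()
        if (-not $central -and (Test-Path $path)) {
            $files = @(Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Central    = $central
            LocalFiles = $files.Count
            LocalMB    = [math]::Round((($files | Measure-Object Length -Sum).Sum / 1MB), 1)
        }
    }
}

Get-LocalOnlyFolders | Format-Table -AutoSize
```

Run it under the employee’s account (the paths are per-user); a management agent can collect the same objects from every workstation to find who still needs folder redirection.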
If your business doesn’t have a network or cloud storage infrastructure set up yet, we can help with that, too.
Phishing emails are another big concern for small and medium businesses. They don’t attack your network or your data directly; instead, they attack your employees’ gullibility. And they can be highly effective, because it’s nearly impossible to eliminate human error completely.
An email-based phishing attack will imitate a well-known company, like Microsoft, Apple or Amazon. An unsuspecting employee may receive an alarming email from “Apple” that tells them there’s a problem with their account, and they need to click to resolve it right away. When your employee clicks the link, they are taken to a realistic-looking sign-in page that asks them for their Apple credentials.
Of course, the email isn’t really from Apple. And if your employee signs in, your employee’s credentials are now compromised. They’ve been phished.
Why are these phishing campaigns so successful? A few reasons. First, the people sending these messages have gotten pretty sophisticated. The messages often look pretty convincing, with realistic graphics and messaging. Also, there is often an urgency about these emails, kind of like the spam calls that tell you, “the IRS has an arrest pending against you.” (Spoiler alert: they don’t.) The phishers are smart, and they’re trying to scare your employees into acting without thinking critically.
There are two types of solutions that are needed here. One type will prevent you from becoming a victim of phishing in the first place. These types of solutions include training and strong spam filters. The second category is less a solution than a line of defense, should a team member fall for a phishing scheme.
Strong spam filters will reduce the number of phishing emails that get through (just check your Gmail spam folder to see evidence of this). Capable virus scanners will mitigate the threat of unwittingly installing a virus via a phishing scheme.
But even the best spam filter can’t prevent all phishing attempts from getting through. Effective training can help employees recognize the ones that do. No amount of technology can completely remove the human element, so make sure the humans that work for you know what to look for. There are free phishing simulations your organization can try out to see just how easy it is to fall for a phishing scheme. A simulation is a great place to start, but a quality managed IT services provider will offer more in-depth phishing training to fully equip your entire workforce.
There aren’t any technologies that can completely prevent all phishing attempts from succeeding, though. So, it’s good to be prepared, should an employee ever fall for one. Encouraging good password practices, such as never reusing passwords, not sharing passwords, and keeping an inventory of all business accounts will help minimize damage to the company. Thankfully, password managers make these tasks super easy. And, as a bonus, they minimize the hassle of remembering passwords, so adoption rate is very high.
While BYOD (bring your own device) is growing in popularity, we don’t recommend it until organizations reach a certain size where they can afford to support it and can have clear IT governance in place. There are plenty of ways that using a personal device for work can create security risks, and most small businesses aren’t equipped to deal with these security holes.
For example, you can’t control what software employees install on their personal computers. You also can’t control the environment in which they use their own devices. You don’t want a personal virus-filled machine accessing your network, nor do you want the possibility of a personal device getting stolen while logged in to your most sensitive resources. Further, a personal machine with an outdated operating system could have security loopholes, giving attackers a way into your network.
When you own the computers, you control the rights management, software installs, and software and OS updates. Don’t allow BYOD until you’re absolutely sure you’re ready for it (and that your managed IT services provider is ready to support you supporting it). Also, be sure your company-owned equipment is staying up to date. This, too, is something your managed IT partner will handle for you.
Poor password practices often put business data and security at risk, and these can show up at all levels of an organization. Think of usernames and passwords like physical locks. Padlocks are a great tool for keeping your stuff safe. They aren’t foolproof: if someone is determined enough and has access to the right tools (say, a blowtorch or a sledgehammer), they can get through the padlock. But it takes effort and intentionality.
However, if you leave the key to your padlock taped to the back of the lock, it loses all value at protecting your stuff. If anyone can access the key, anyone can open the lock. Passwords work the same way. They tend to be pretty effective when used properly. But if your employee keeps a list of important passwords on a sticky note under the keyboard, the passwords are nearly useless.
Anyone who gains physical access to the workspace can steal those credentials easily. Another issue with passwords is that they can be hard to remember. So people tend to use short, simple passwords, and they tend to reuse them on multiple sites. This, too, creates substantial security concerns for your business.
Here’s an example of how password reuse can create security risks. Companies get breached all the time. The big ones make the news (like Yahoo! in 2013 and again in 2016). Your employee may have heard about the Yahoo! breach (or any of thousands of others) and not thought much of it. She hasn’t used her Yahoo! account in years, anyway. She considers that account information unimportant.
But if she reused the same password from her defunct Yahoo account for her social media (or, worse, bank account), those accounts could easily be compromised, too. Bad actors buy these stolen credentials online and start trying them on other sites, looking for a way into accounts with real power.
To sum up, when employees keep lists of work passwords on sticky notes or in digital files, it puts your company at risk. So does reusing passwords from site to site.
In addition to educating your workforce on the importance of following good password hygiene, there are two significant steps you can take. First, implement network controls that require every employee to change his or her system password once every 30, 60 or 90 days. You can also require that they use a new password each time (prohibiting password recycling) and that the passwords are sufficiently complex.
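As an added example (not Southeastern Technical’s own script), here is how the rotation, no-recycling and complexity rules just described are applied and then verified on an Active Directory domain. It assumes a Windows AD domain, the RSAT ActiveDirectory module, and domain-admin rights; the 90-day interval is the longest of the three options above and can be swapped for 30 or 60.

```powershell
# Added example: enforce and verify the domain password policy described above.
# Assumption: Windows Active Directory; run on a machine with the AD module.
Import-Module ActiveDirectory

$maxAge       = New-TimeSpan -Days 90   # users must change at least every 90 days
$minAge       = New-TimeSpan -Days 1    # blocks changing 24 times in a row to get an old one back
$historyCount = 24                      # remember 24 old passwords so none can be recycled
$minLength    = 14                      # "sufficiently complex" also needs length

Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MaxPasswordAge $maxAge `
    -MinPasswordAge $minAge `
    -PasswordHistoryCount $historyCount `
    -MinPasswordLength $minLength `
    -ComplexityEnabled $true

# Read the policy back and flag anything that does not match the intent.
$policy = Get-ADDefaultDomainPasswordPolicy
$checks = [ordered]@{
    'MaxPasswordAge <= 90 days'  = ($policy.MaxPasswordAge -le $maxAge)
    'MinPasswordAge >= 1 day'    = ($policy.MinPasswordAge -ge $minAge)
    'PasswordHistoryCount >= 24' = ($policy.PasswordHistoryCount -ge $historyCount)
    'MinPasswordLength >= 14'    = ($policy.MinPasswordLength -ge $minLength)
    'ComplexityEnabled'          = [bool]$policy.ComplexityEnabled
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-28} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'DRIFT' })
}

# Enabled accounts whose password is already older than the window. This list
# should empty out once the policy has been in force for one full cycle.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet
```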
Another great solution to this problem is to implement a business-grade password manager. Solutions like 1Password are effective for both personal and business use. By creating just one master password to remember, individuals are no longer stuck trying to keep track of hundreds of accounts.
If your business is small and local, pretty much everyone knows everyone. But as your business grows (or if your business involves a lot of virtual hires), you’ll begin to lose this family atmosphere. One growing pain we see among companies making these kinds of transitions is a failure to verify requests for access.
In the olden days, if Valerie from Sales asked for network access, she got it. There wasn’t really any perceived need to ask any questions about it. But today, “Valerie from Sales” lives five states away, and the request for access pops up as an email or chat message. It could be legitimate, or it could be a phishing expedition.
Today’s businesses need to verify that Valerie is really Valerie and that she actually needs the access she’s requesting.
The solution here is to ensure that anyone who has access control is well trained in how to validate access requests. It’s a good idea to keep the access control circle as small as is feasible, because everyone with this authority must remain vigilant at all times.
Failing to lock computers when stepping away is an especially important problem for those working with sensitive data (think business finances, customer data, protected medical data and so forth). When an employee steps away from an unlocked workstation, anyone with physical access to the workspace can gain access to whatever the employee has access to. Not only can bad actors steal information this way, but they could also take inappropriate actions that will get blamed on the user who’s logged on.
The first part of the solution is training. Your people need to know that walking away from a workstation without locking it is a serious problem. It’s severe enough that you might consider setting some sort of penalty for doing so.
The second half of the solution is to set all business computers to lock when a certain amount of time passes without interaction. Doing so will limit the window of opportunity for bad actors, but it doesn’t eliminate it completely. That’s why training and enforcement are the first step.
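As an added example (not Southeastern Technical’s own script), the following sets a Windows workstation to lock after five minutes of inactivity and then reads the settings back so drift can be reported. It assumes Windows 10 or 11 with elevated rights; in a domain the same registry values are normally delivered by Group Policy rather than run by hand.

```powershell
# Added example: lock the workstation after $idleSeconds of inactivity.
# Assumption: Windows 10/11, run elevated. Two layers are set so that the
# lock still happens if one of them is ever disabled by a user or an app.
$idleSeconds = 300

# Layer 1: "Interactive logon: Machine inactivity limit" (machine-wide, all users).
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $sysPolicy -Force | Out-Null
Set-ItemProperty -Path $sysPolicy -Name 'InactivityTimeoutSecs' -Value $idleSeconds -Type DWord

# Layer 2: screen-saver policy for the current user: enabled, password on resume,
# same idle window. These policy values are REG_SZ strings, not DWORDs.
$ssPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $ssPolicy -Force | Out-Null
Set-ItemProperty -Path $ssPolicy -Name 'ScreenSaveActive'    -Value '1'            -Type String
Set-ItemProperty -Path $ssPolicy -Name 'ScreenSaverIsSecure' -Value '1'            -Type String
Set-ItemProperty -Path $ssPolicy -Name 'ScreenSaveTimeOut'   -Value "$idleSeconds" -Type String

# Verification: true for every field means the lock is enforced within MaxSeconds.
function Test-IdleLockPolicy {
    param([int]$MaxSeconds = 300)
    $sys = Get-ItemProperty -Path $sysPolicy -ErrorAction SilentlyContinue
    $ss  = Get-ItemProperty -Path $ssPolicy  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MachineLimitSet    = ([int]$sys.InactivityTimeoutSecs -gt 0 -and [int]$sys.InactivityTimeoutSecs -le $MaxSeconds)
        SaverActive        = ($ss.ScreenSaveActive -eq '1')
        SaverNeedsPassword = ($ss.ScreenSaverIsSecure -eq '1')
        SaverTimeoutOk     = ([int]$ss.ScreenSaveTimeOut -gt 0 -and [int]$ss.ScreenSaveTimeOut -le $MaxSeconds)
    }
}

Test-IdleLockPolicy -MaxSeconds $idleSeconds
```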
If your business is unhappy with the status quo you’re getting from your current managed IT partner, perhaps it’s time for a change. Southeastern Technical is your regional managed IT solutions partner. We’re here for you and ready to help you implement the strategies discussed above. Ready to learn more? Reach out today to talk with a member of our experienced team.
About Southeastern Technical
We help leaders discover how they can have stable, reliable information technology (IT), so their organizations can experience fewer IT problems and security threats.