Cybercrime is one of the biggest threats facing companies today, from the smallest mom-and-pops to the largest multinationals. Many organizations are investing vast amounts of time, resources and money into cybersecurity solutions such as network monitoring and intrusion detection. But this may not be enough. No organization can afford to overlook the risks that can arise from human error — or, in some cases, deliberate user behavior.
There are many ways that your people can endanger your IT network, possibly leading to costly data breaches and business disruptions.
What happens when a smartphone, tablet or notebook gets left behind or stolen in a coffee shop, on a park bench or in an airplane? If there’s company information on the device, your company might be compromised — especially if the device is unlocked. This is increasingly possible today, as many organizations have adopted bring-your-own-device, or BYOD, policies that allow people to buy and use a personal device for work purposes.
Organizations should encrypt data on all devices that contain company data. This need not be expensive, as BitLocker is built into the Windows operating system and FileVault is built into macOS. Organizations should also require six-digit passwords and fingerprint recognition for all mobile devices. With encryption and strong protection, devices that go missing or are stolen are harder to break into. You may also want to investigate solutions that allow the IT department to completely wipe a computer or device remotely.
Open Wi-Fi Networks
You expect your people to work on the road. That often means that they’ll rely on open, unsecured Wi-Fi networks in airports, coffee shops, restaurants and other locations. Open Wi-Fi networks can be dangerous, as it’s possible for virtual eavesdroppers to capture activity and information.
The best defense against the risks of open Wi-Fi networks is a virtual private network (VPN) service. A VPN acts as a tunnel between the user’s computer or mobile device and your organization’s internal IT network. Outsiders will probably be able to see that the tunnel is there, but can’t peer inside. As an added benefit, a VPN will allow your employees to access internal networks that they wouldn’t be able to reach otherwise.
If your employees are locking their accounts with “password” or “12345678,” consider your organization highly vulnerable to hacking. The online service How Secure Is my Password? says both passwords would be cracked instantly.
Your employees should know how to generate strong passwords that combine uppercase characters, lowercase characters, numbers and punctuation. In addition, employees should be made to change their passwords on a periodic basis. Check out our password infographic for password tips.
And, of course, passwords shouldn’t be sitting around for anyone to find. Make sure employees aren’t writing their passwords on Post-Its and putting them where others can see them.
Could your employees be sharing confidential information without thinking about it? That’s possible in a phishing attack, where attackers send emails pretending to be someone else. Phishing emails appear to be from a trusted friend or organization and contain a link to a fake login page. Once the username and password are entered on this fake page, malicious parties can access the account.
Check out our 4 Tips to Keep Yourself Safe in an Age of Cyberattacks for more information about phishing — how it works and how to protect yourself. You might also want to share this phishing quiz with employees: Think You Can Outsmart Internet Scammers?
Employees could expose your IT network to hackers simply by opening a malicious email attachment. Only .txt attachments are safe to open. Even the most innocuous-looking attachments can do severe damage to your organization’s IT system. Word files, Excel spreadsheets and PDFs can all contain harmful code.
Staff Selling Secrets
All the possibilities described above are accidental ways your employees can expose your network to risk. But what about employees who willingly give up company data or secrets? A 2017 article from PC World describes three threats:
- Collecting information for insider trading
- Having employees buy items using stolen credit card numbers
- Getting employees to install software to steal information
Defending against these threats will require attentive monitoring of computer networks.
The Solution: Training and Vigilance
StaySafeOnline.org, the website of the National Cyber Security Alliance, says comprehensive training is the best way to inform employees about cybersecurity issues and help them make good decisions. They provide a handful of tips:
- Tell employees what software they can and can’t install on their work notebooks
- Inform them about best practices for passwords
- Educate them on how to identify suspicious links and attachments in emails
- Make them back up work frequently
- Tell them to alert IT immediately if something appears strange