You lock the doors to your offices at the end of each day, right? A receptionist or someone else with a clear sightline of the entrance monitors people coming and going. And your computers and email accounts have passwords to shield confidential information from prying eyes.
But these measures do nothing to protect you from one of your greatest security risks—your own employees. And it’s not necessarily employees with dishonest intent. In fact, your greatest exposure results from employees who are well-intentioned, honest and trusting.
As mentioned in an earlier blog, one of the ways increasingly sophisticated cyber criminals operate is social engineering, of which phishing is the most familiar form. The thieves simply trawl social media and other popular platforms to start conversations with unsuspecting professionals. They don't have to worry about breaching your technical security measures because they're exploiting the human tendency to trust. A few basic questions establish a sense of connection, and soon more details are innocently shared: the names of systems and suppliers, who approves payments, when someone is out of the office. That information can be used against your company as a competitive advantage, to collect private data, to commit identity fraud, or to make the next phishing email look convincingly legitimate.
Your defense begins with education.
Most employees don't recognize their own role in cyber security. But they're more than willing to change habits once they understand the risk. In addition to alerting them about phishing, there is further security training every employee should receive. Here are the basics every company should be covering:
- Responsibility for Company Data—be cognizant of your role and the risks that come with this responsibility.
- Document Management and Notification Procedures—understand what needs to remain private and follow the procedures required.
- Passwords—share these tips for a stronger password. At a minimum: length matters more than complexity, every account gets its own password (reuse is how one breached site becomes a breach of your company), and multi-factor authentication should be turned on wherever it is offered.
- Unauthorized Software—unapproved software should never be downloaded to company computers, and approved software should only be installed from the vendor's official source.
- Internet Use/Social Media Policy—If you don’t have clear guidelines in place, consider these suggested best practices. Remember, you’re not trying to eliminate all social media use, you simply want to establish clear expectations.
- Email—limit corporate email to clients and suppliers when possible. Ideally, a separate personal address should be used for personal messages, signing up for more information, joining groups, or anything else likely to generate spam (and, with it, phishing).
- Mobile Devices—Phones today are essentially mini computers. Be sure to have employees:
  - Require a PIN, passcode or biometric lock to unlock the device, with a short auto-lock timeout.
  - Turn on device encryption. Current phones encrypt their storage once a screen lock is set; the manufacturer's support site for each phone type explains how to confirm it.
  - Keep the operating system and apps up-to-date.
  - Use mobile data instead of public Wi-Fi, or connect through the company VPN when public Wi-Fi is unavoidable.
  - Turn off browser autofill and do not let apps or browsers remember passwords. If employees need help keeping track of credentials, a company-approved password manager is the safer option.
  - Install company-approved mobile security software. Yes, even phones get malware.
- Limit laptop use to work—although convenient, company laptops should not be used at home or left in personal vehicles. The potential for loss or theft is too great. Investigate the use of remote access as an alternative, and for any laptop that does have to leave the office, make sure full-disk encryption is enabled and that IT can remotely lock or wipe it if it goes missing.