In the first half of 2018, approximately 668 data breaches were reported by companies in various industries. Many companies are adopting cloud-based systems without properly training their employees in basic practices regarding information security. As a result, many companies are currently spending thousands of dollars on damage control efforts as they seek to retain or rebuild their credibility after a data breach. Since you probably don’t want to make headlines for that reason, we’ve decided to offer an in-depth guide on how to keep your business secure.
1. Looking at the bigger picture
Before we get into the specific steps that you can take to reduce your chances of a data breach, it’s helpful to remind ourselves of the high-level view of information security. First, understand that your business regularly collects and handles data about its own operations and about its customers. That information is valuable to attackers, who can sell it on criminal marketplaces or use it directly. Attackers routinely combine information from several sources to build a picture of a target, so even if you don’t think your company’s data would be especially useful on its own, implement appropriate security measures anyway: you have no idea what other information an attacker already holds that your data would complete. It is far cheaper to reduce the chance of a breach than to suffer the loss of credibility and revenue, and the lawsuits, that follow one.
2. Phishing & Social Engineering
Social engineering and phishing attacks are common because they work. For those unfamiliar with the terms, social engineering is manipulating a person into divulging sensitive information or taking an action that helps the attacker. Phishing, a type of social engineering, is the practice of tricking people into giving out personal information such as bank account numbers or account passwords, usually by email, text message or phone. These scams succeed because, while systems can be patched and updated against the latest threats, people are forgetful, trusting and prone to error, especially when rushed or distracted. As an employer, it’s important to train your employees to spot them.
Use these questions to help spot a social engineer
Are they professional?
Whether by email, phone call or letter, scam artists are often not very professional in how they present themselves. The goal of any scam is to get you to act before you have a chance to think about the situation. Scam artists will often pressure you with threats of imprisonment, account lockouts or the arrival of Armageddon; when you notice that pressure, step back and consider the quality of their behavior and communication, because a genuine organization rarely needs you to act within the hour.
Why do they need the requested information?
Scams are designed to persuade you to give up your information without hesitation, but a moment of thought can save you. Ask why they need the requested information. If the “IT department” is asking for your password, be very suspicious: a legitimate IT department has administrative tools and accounts for maintaining and troubleshooting company systems, including resetting passwords, so it never needs yours. A support technician may ask for your username to look up your account, but nobody should ever need your password, your one-time codes or your recovery answers. Be wary of any request for login details or personal information, and ask them why they need it.
How can I find this information online?
Most scam artists impersonate a reputable company or agency to lower your guard so that you volunteer sensitive information. If they say they are calling from XYZ, ask for a reference number, their name and their company’s phone number, then end the call and call back using the number printed on the company’s website, your statement or the back of your card, not the number the caller gave you. Criminals push you to act immediately, but a legitimate company will send you plenty of notices before taking any drastic action; it needs a paper trail, after all. If a call gives you the heebie-jeebies, ask the caller to hold while you look up their website, check your account directly or verify the phone number. A scammer will try to stop you from doing any research at all. If in doubt, wait and do your research before you act.
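The same three questions can be applied mechanically to incoming email. The script below is an added example, not code from the original article: it parses a message with Python’s standard `email` module and flags the signals the checklist describes (pressure to act now, a request for credentials, and a sender that does not match the company it claims to be). The two messages, the `TRUSTED_DOMAINS` set and the keyword lists are constructed for the example; a real deployment would feed it messages from a mailbox and maintain the trusted-domain list per organization.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail).
SAMPLE_PHISH = """\
From: "XYZ Bank Security" <alerts@xyz-bank-verify.example.net>
Reply-To: recovery@mail-reset.example.org
To: employee@example.com
Subject: URGENT: your account will be locked in 24 hours

Unusual activity was detected. To avoid a permanent account lockout, reply
with your username and password immediately so we can verify your identity.
"""

SAMPLE_LEGIT = """\
From: "XYZ Bank" <notices@xyzbank.example.com>
To: employee@example.com
Subject: Your monthly statement is available

Your statement is ready. Sign in through our website or app as usual to
view it. Reference number: 4471-2210.
"""

# Domains the company really sends from (an assumption for the example).
TRUSTED_DOMAINS = {"xyzbank.example.com"}

# Phrases that signal pressure to act, and phrases that ask for a secret.
PRESSURE = re.compile(
    r"\b(urgent|immediately|within \d+ hours?|locked|lockout|suspended|final notice)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|passcode|pin|security code|one[- ]time code)\b", re.I)


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return the list of warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    text = f"{msg['Subject'] or ''}\n{msg.get_content()}"
    from_domain = domain_of(str(msg["From"]))
    reply_domain = domain_of(str(msg["Reply-To"])) if msg["Reply-To"] else ""

    flags = []
    if PRESSURE.search(text):
        flags.append("pressure")
    if CREDENTIAL_ASK.search(text):
        flags.append("asks_for_credentials")
    if from_domain not in trusted_domains:
        flags.append("untrusted_sender_domain")
    # Replies silently going to a different domain than the visible sender
    # is a classic sign that the "From" is a costume.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

Keyword lists like these are a triage aid, not a verdict: a message with no flags can still be a phish, and the human questions above still apply to the ones that get through.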
3. Let’s talk about your passwords
To protect any account, you need a strong, unique password. Typically, people make one strong password and use it on all of their accounts. Having one password for all or most of your accounts multiplies the damage if it is ever discovered, because a breach at one site hands attackers the key to every other site where you reused it (a technique known as credential stuffing). A more secure option is a password manager, cloud-based or local, that stores a unique password for every account so that you memorize only the master password. It may seem that you are in the same situation (one password still protects everything), but the difference is that the master password is never typed into any third-party site, and the vault is encrypted with a key derived from it, sometimes to the point where even the password manager’s company is unable to read your data (known as “zero-knowledge”). The flip side is that losing the master password can mean losing the vault, so choose it carefully, protect the manager account itself with two-factor authentication, and keep its recovery code somewhere safe. Opt for a local option if a cloud-based password manager makes you uncomfortable, but definitely use a password manager. It will save you loads of stress in the future.
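To make “zero-knowledge” concrete, here is an added example (not code from the original article or from any particular password manager) of the key derivation such a design rests on. The master password is stretched with a slow, memory-hard function and then split into two unrelated keys: one stays on the device to encrypt the vault, the other is the only thing the provider ever sees. The scrypt parameters, the HMAC labels and the hypothetical `register`/`unlock` functions are assumptions for the example; the actual vault encryption (an AEAD such as AES-GCM from a proper crypto library) is outside the standard library and not shown.

```python
import hashlib
import hmac
import secrets

# scrypt parameters are an assumption for this example; real managers tune
# them (or use Argon2) so that each guess at the master password is costly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def stretch_master_password(master_password, salt):
    """Slow, memory-hard stretching of the master password (scrypt)."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def derive_keys(master_password, salt):
    """Split the stretched secret into two keys that cannot be derived from each other.

    vault_key  never leaves the device; it would encrypt the vault contents.
    auth_token is what the client presents to the provider at login. Because
               HMAC is one-way, holding auth_token (or a hash of it) tells the
               provider nothing about vault_key or the master password.
    """
    stretched = stretch_master_password(master_password, salt)
    vault_key = hmac.new(stretched, b"vault-encryption-key", hashlib.sha256).digest()
    auth_token = hmac.new(stretched, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_token


def register(master_password):
    """Provider-side record: a random salt and a hash of the auth token.

    Neither the master password nor the vault key is ever stored.
    """
    salt = secrets.token_bytes(16)
    _, auth_token = derive_keys(master_password, salt)
    return {"salt": salt, "auth_verifier": hashlib.sha256(auth_token).digest()}


def unlock(record, master_password):
    """Client-side unlock: re-derive both keys, check the auth token the way the
    provider would (constant-time compare), and return vault_key on success."""
    vault_key, auth_token = derive_keys(master_password, record["salt"])
    presented = hashlib.sha256(auth_token).digest()
    if hmac.compare_digest(presented, record["auth_verifier"]):
        return vault_key
    return None


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print("stored by provider:", {k: v.hex() for k, v in record.items()})
    print("unlock ok:", unlock(record, "correct horse battery staple") is not None)
    print("wrong password:", unlock(record, "Password1"))
```

The property to notice is the last line of `register`: a provider breach leaks salts and verifiers, which let an attacker test master-password guesses offline at scrypt speed, but never the vault key itself. That is exactly why the master password must be long and why the manager account deserves its own second factor.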
Secure Your Passwords With These Tips
Make it a “passphrase”, instead of a password
Instead of using a favorite word like “cheese” or “puppy” as your password, come up with a phrase and use it acrostically. For example, the phrase “I have two big dogs and one fish” would become “iH2Bd&1f”. A passphrase helps you make a complex but memorable password. Two caveats, though: the acrostic above is only eight characters, which is at the low end for anything an attacker can crack offline (a leaked password database, for instance), and swapping symbols for letters adds less strength than people assume. Length is what really helps, so where a site allows it, use the whole phrase, spaces included, or several randomly chosen words, which is just as memorable and far harder to guess. And don’t use the examples from this page.
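To see why length beats cleverness, here is an added example (not from the original article) that estimates how many guesses each style of password forces on an attacker and how long that takes at a given guessing rate. The character-class estimate is an upper bound, since a phrase-derived acrostic is more predictable than a random string; the word-list estimate is exact when the words are chosen at random from the list. The 7776-word list size, the 10 billion guesses per second and the tiny demo word list are assumptions for the example.

```python
import math
import secrets
import string

# Character classes used to estimate the alphabet an attacker must cover.
# This is an upper bound: a password built from a phrase is more guessable
# than a random string of the same length.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed offline cracking rate for a fast hash on GPU hardware (example figure).
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_entropy_bits(password):
    """Upper-bound entropy from length and the character classes present."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_entropy_bits(word_count, list_size):
    """Entropy of `word_count` words chosen uniformly from a list of `list_size`."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count, wordlist):
    """Pick words with the OS CSPRNG (secrets), never random.random()."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every possibility; the expected time is half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    acrostic = "iH2Bd&1f"                      # the article's example
    full_phrase = "I have two big dogs and one fish"
    print(f"{acrostic!r}: <= {charset_entropy_bits(acrostic):.1f} bits, "
          f"{years_to_exhaust(charset_entropy_bits(acrostic)):.4f} years")
    print(f"{full_phrase!r}: <= {charset_entropy_bits(full_phrase):.1f} bits")
    # Six words from a 7776-word list (the usual size for diceware-style lists)
    bits = wordlist_entropy_bits(6, 7776)
    print(f"6 random words: {bits:.1f} bits, {years_to_exhaust(bits):,.0f} years")
    demo_words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"]  # constructed
    print("sample:", generate_passphrase(4, demo_words))
```

At the assumed rate the eight-character acrostic is exhausted in about a week, while six random words take on the order of hundreds of thousands of years; the full sentence sits far above the acrostic even before counting the spaces.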
Make it unique
This is an easy tip to follow when you use a password manager. Unique passwords ensure that a hacker who obtains one password gains access to one account, rather than five accounts for the price (or work) of one. Never reuse a password across accounts.
Never share your passwords
It’s never a good idea to share your password with anyone. However persuasive a scam or a friend’s excuse may be, keeping your passwords private will benefit you in the future. For a work account, nobody else should know your password, not a colleague, a manager or the IT department. Anyone who legitimately needs access can get their own account or be granted access another way, such as a shared folder in a password manager.
Add two-factor authentication
After securing all of your accounts with strong, unique passwords, enable two-factor authentication on as many accounts as possible. Two-factor authentication adds a second step to the login process, usually a one-time code that is texted or emailed to you or generated by an authenticator app, which you enter to confirm the login attempt. Because an attacker who has your password still cannot get in without that second factor, it makes your accounts much harder to compromise. Text and email codes are the weakest form (they can be intercepted or redirected, for example by a SIM swap), and any one-time code can be phished in real time if you type it into a fake site. For highly sensitive accounts, use an authenticator app or, better still, a hardware security key, which only works with the genuine site and so cannot be phished.
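Authenticator apps implement TOTP (RFC 6238), which is HOTP (RFC 4226) with the current 30-second time step as the counter. The code below is an added example, not from the original article or any vendor: it generates codes the way an app does and checks them the way a server should (constant-time comparison, a small window for clock drift, and a refusal to accept the same time step twice). The `TotpVerifier` class and its window size are assumptions for the example; the secret is the reference key published in RFC 6238, shown base32-encoded as an app would be provisioned with it, so the output can be checked against the RFC’s own test vectors.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check (an example design, not a standard API).

    Accepts a code within +/- `window` steps of now to tolerate clock drift,
    compares in constant time, and never accepts a step at or before the last
    accepted one, so a code that was already used cannot be replayed.
    """

    def __init__(self, base32_secret, step=30, digits=6, window=1):
        self.key = base64.b32decode(base32_secret, casefold=True)
        self.step, self.digits, self.window = step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code, unix_time):
        now_counter = int(unix_time) // self.step
        for skew in range(-self.window, self.window + 1):
            counter = now_counter + skew
            if counter <= self.last_accepted_counter:
                continue  # already consumed: blocks replay of a phished code
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_accepted_counter = counter
                return True
        return False


# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded
# exactly as an authenticator app would be provisioned with it.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    key = base64.b32decode(RFC6238_SECRET_B32)
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(key, t, digits=8))   # matches the RFC 6238 SHA-1 vectors
    v = TotpVerifier(RFC6238_SECRET_B32)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 59))
```

Note what the replay guard does and does not buy you: it stops a code from being used twice, but an attacker who phishes the code and submits it before you do still wins, which is the real-time phishing caveat above and the reason hardware security keys are the stronger choice.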
4. On-boarding & company culture
While not usually covered in discussions about cybersecurity, the onboarding process and company culture directly affect the safety and security of your company’s data. Hire a careless employee and you’ve automatically put a hole in your company’s “armor”, regardless of your data security processes and equipment. Hire a good employee and they will work in tandem with your company’s security measures and actively help you spot or prevent potential security problems.
The culture of your company is important as well, since it directly affects the attitude and morale of your employees. If you regard security as an afterthought, pushing for reckless speed at all times, your employees will sink to that standard – providing a golden opportunity for social engineering. On the other hand, if you cultivate a workplace culture of carefulness and mindfulness, your employees will rise to that standard, sealing up the human element of a potential data breach.
Here Are Some Tips for Improving Your Company’s Culture and Onboarding Process
Cultivate mindfulness in your employees
One of the best ways to subtly engage your employees in your mission for data security is to encourage them to be aware of their surroundings at all times: who can overhear a sensitive conversation, whether a screen is locked before they walk away from it, who followed them through a badge-controlled door. Train them to protect themselves and company property by noticing where they are and who is around them. With proper security training and a mindful attitude, an employee is well prepared to prevent and foil many opportunities for a breach.
Conduct “drills” to test the vigilance of your employees
Many security and social engineering training courses include a practice mode of some kind, but building regular “scam drills” into your company’s operations (simulated phishing emails or pretext phone calls) will reveal the weak points in your defenses before a real attacker finds them, protecting revenue and customer trust. Whether you run them monthly or annually, regular drills keep your employees sharp and ready to foil the next social engineering scheme that comes their way. Treat a failed drill as a training opportunity rather than grounds for punishment; employees who fear being blamed stop reporting the suspicious messages you most need to hear about.