Any and every business that’s using any kind of digital hardware or software needs to be aware of the risks it can bring to the business. Viruses, spyware, and other malware. Hacking attempts, whether through the website or directly against the systems. Phishing scams. There are plenty of threats out there, but if you want to be truly secure, you have to realise that the biggest security risk of all could, in fact, be your team. Here, we’re going to look at how best to deal with that risk.
Do they know the real risks?
A lot of people think of digital security as a simple matter of course: naturally the business will want to protect its network and devices, but it’s not really something worth focusing on. If that belief is prevalent in your team, you need to disabuse them of it. Tell them the real impact that data loss and theft could have on the business. Use examples, showing, for instance, that the majority of businesses that suffer a data breach close within two years of that breach. Not only could their jobs be at stake, but their personal data as well. Because their security at home can impact your business, let them know that their carelessness at work could put their home life at risk, too.
A warning isn’t enough
When you’re making changes to the business and your security systems to address a new threat, you might want to roll the changes out by email so that the team’s workday isn’t interrupted. This isn’t the safest way to address any threat, however. To make sure they understand the risks, can use the changes effectively, and simply keep security at the forefront of their minds, you need to train them. Hold your own training course or hire experts in the field to run one. Make sure employees can carry out the appropriate actions, whether that’s using a password manager, a new email vetting system, or anything else, before they get back to work.
Passwords must be taken seriously
Modern life demands a lot of passwords. Email accounts, bank accounts, subscription services, video games, and so on. Your employees might have plenty of password-locked accounts at home, so they may have got into the habit of using one or two passwords for just about everything. Make sure they know the importance of having and protecting different passwords for different accounts, and of keeping any business-related accounts separate from their personal ones. A password manager can help your team keep track of different passwords if forgetfulness is a problem. Password strength is just as important. To stop bots from simply guessing passwords, make sure your systems demand a mix of lower-case letters, upper-case letters, numbers, and symbols.
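The rule above can be enforced at the point where a password is chosen. The following is an added example, not code from the original article: a small policy check in Python that demands the character mix the article describes and adds the checks a practitioner would pair with it (a minimum length, a block on well-known passwords even when they are disguised with symbol substitutions, no account name inside the password, and no reuse of a password from another account). The common-password list, the substitution table and the sample passwords are constructed for this example; the `other_passwords` argument is a hypothetical stand-in for whatever your password manager or directory would actually compare against.

```python
"""Password policy check for a sign-up or password-change form.

Added example, not code from the original article. The minimum length,
the common-password list and the substitution table are constructed
sample policy, not values taken from any real system.
"""
import string

MIN_LENGTH = 12

# Constructed sample of the passwords that guessing tools try first.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Symbol/digit substitutions people use to "strengthen" a dictionary word.
LEET_TABLE = str.maketrans(
    {"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"}
)


def normalise(password):
    """Undo common substitutions and keep only letters, so 'P@ssw0rd!' becomes 'password'."""
    translated = password.translate(LEET_TABLE)
    return "".join(c for c in translated if c.isalpha()).lower()


def check_password(password, username="", other_passwords=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    username: the account name, which must not appear inside the password.
    other_passwords: passwords the person already uses on other accounts
    (hypothetical input, passed as plain strings here for illustration only).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # The character-class mix the article asks for.
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # A mixed-class password can still be a dictionary word in disguise.
    normalised = normalise(password)
    if password.lower() in COMMON_PASSWORDS or (normalised and normalised in COMMON_PASSWORDS):
        problems.append("a common password, even after undoing symbol substitutions")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    # The article's separation rule: one password per account.
    if password in other_passwords:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords showing what each rule catches.
    for candidate in ["correct horse", "P@ssw0rd!", "Tr0ub4dor&3-Lantern", "Vf7#pLq9@zRw2!"]:
        print(f"{candidate!r}: {check_password(candidate, username='lantern') or 'OK'}")
```

The `normalise` step is the part worth noting: `P@ssw0rd!` satisfies a plain "mix of classes" rule yet is one of the first guesses any cracking tool makes, so the class check alone gives a false sense of strength.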
Don’t recognise the link? Don’t click it
Poor email discipline is a serious issue in the workplace. If your team isn’t very tech-savvy on the whole, they might not be able to tell a phishing link from a legitimate one, or a malware attachment from any other attachment sent around the workplace. Anti-malware software can help protect your devices from risky downloads, but it’s better to tackle the habit itself: recent studies have found that most office workers are too trusting and open phishing emails. Create a policy for exactly how files and links are shared in the workplace, so that legitimate ones are easily recognisable, and ensure that employees know not to click any link or attachment that doesn’t follow the set format. If they’re uncertain whether a link is legitimate, they should report it.
Scrutinize every device
BYOD, also known as Bring Your Own Device, is becoming more common in modern, flexible workplaces. It allows employees to bring their own tablets and laptops into the workplace, or to use them to access your systems remotely from home. If you allow BYOD, you have to be aware of the risks. Unless you enforce strict security measures on those devices, such as installing the same security software you run on your own network, they can be an easy backdoor. If employees access your cloud or intranet servers from their own device and it isn’t protected, it gives malware and hackers an easy way in. If you’re not willing or able to cover the cost of protecting every new device an employee wants to use, scrap the BYOD policy.
Know how to deal with ransomware
Lately, ransomware has become one of the more popular and nefarious tools of digital criminals. It’s a kind of malware that locks up the computer and refuses to let the user do anything until they comply with a specific demand. Often the ransomware tells them to download an “antivirus”, which is almost always more malware, but lately it has been demanding cash payments, too. When faced with ransomware, your team should know that it’s a real breach and a crisis that demands fast action. The only right approach is to shut off and disconnect the affected device, call the authorities, and get in touch with a ransomware specialist team that can decrypt the affected files and recover your data.
Knowing current threats is key
Ransomware is just one example of the latest tools in the arsenal of those who may try to attack your business. The nature of digital threats is ever-changing, so you have to keep your approach constantly updated. Some of the latest malware arrives with phishing scams that are becoming a lot more convincing, using secure links (with the https protocol) and legitimate-looking links, such as Google Drive links, to fool more people. There are more traps that even reasonably savvy people might fall into. For that reason, having a security consultant who is constantly up to date with the latest threats could be crucial to your business’s survival, as is talking to your team about security regularly.
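The “set format” policy from the email section above, and the warning here that https and a Google-Drive-looking link are not proof of legitimacy, can both be turned into an automatic screen that a mail gateway or a help-desk reporting tool runs before a person ever sees the link. The following is an added example in Python, not code from the original article or from any product: it treats a link as within policy only if it uses https and points at one of a short, constructed list of approved sharing hosts, and it catches the usual ways a phishing link borrows a trusted name (`drive.google.com.evil.example`, `drive.google.com@evil.example`, link text that shows a different host from the one it points to, look-alike non-ASCII hostnames). A second function applies the same idea to attachment file types. The approved hosts, approved file types and all sample inputs are constructed for this example; `drive.google.com` appears only because the article names Google Drive.

```python
"""Screen shared links and attachments against a workplace sharing policy.

Added example, not code from the original article. APPROVED_HOSTS and
APPROVED_ATTACHMENTS are a constructed sample policy; the sample links and
file names at the bottom are constructed too.
"""
import re
from urllib.parse import urlsplit

# Constructed policy: the only services staff may share files from.
APPROVED_HOSTS = {"drive.google.com", "files.example-corp.com"}
APPROVED_ATTACHMENTS = {".pdf", ".docx", ".xlsx", ".pptx"}
# File types that run code when opened; never acceptable as a shared document.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".msi", ".lnk"}

URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def host_is_approved(hostname):
    """True only for an approved host or a genuine subdomain of one.

    Matching is anchored on the end of the hostname, so
    'drive.google.com.evil.example' is not approved even though it
    contains an approved name.
    """
    return any(hostname == h or hostname.endswith("." + h) for h in APPROVED_HOSTS)


def classify_link(href, display_text=None):
    """Return the reasons a link falls outside policy; an empty list means it follows the set format."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    # https is required, but on its own it proves nothing about who runs the site.
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    # 'https://drive.google.com@evil.example/' shows a trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials before @ hide the real host")
    if not host.isascii():
        reasons.append("non-ASCII hostname (possible look-alike characters)")
    if not host_is_approved(host):
        reasons.append(f"host {host!r} is not an approved sharing service")
    # If the visible link text is itself a URL, it must agree with the real target.
    if display_text and URL_LIKE.match(display_text.strip()):
        text = display_text.strip()
        shown = urlsplit(text if "://" in text else "//" + text)
        if shown.hostname and shown.hostname.lower() != host:
            reasons.append(f"link text shows {shown.hostname.lower()} but points to {host}")
    return reasons


def classify_attachment(filename):
    """Return the reasons an attachment falls outside policy; empty list means it is an approved type."""
    reasons = []
    pieces = filename.lower().split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"{ext} runs code when opened")
    elif ext not in APPROVED_ATTACHMENTS:
        reasons.append(f"{ext or 'no extension'} is not an approved file type")
    # 'invoice.pdf.exe' style names rely on the real extension being hidden.
    if len(pieces) > 2 and "." + pieces[-2] in APPROVED_ATTACHMENTS:
        reasons.append("double extension disguises the real file type")
    return reasons


if __name__ == "__main__":
    # Constructed sample links and attachments, as a reporting tool might receive them.
    samples = [
        ("https://drive.google.com/file/d/abc123/view", None),
        ("http://files.example-corp.com/report.pdf", None),
        ("https://drive.google.com.evil.example/login", None),
        ("https://drive.google.com@evil.example/", None),
        ("https://evil.example/share", "https://drive.google.com/share"),
    ]
    for href, text in samples:
        print(f"{href}: {classify_link(href, text) or 'follows the set format'}")
    for name in ["Q3-report.pdf", "invoice.pdf.exe", "notes.txt"]:
        print(f"{name}: {classify_attachment(name) or 'approved type'}")
```

The screen does not decide whether a link is malicious; it decides whether the link matches the format staff were told to expect, which is the policy the article recommends. Anything it rejects is exactly the kind of link employees should be reporting rather than clicking.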
Break the taboo
Digital threats are very serious. That’s why we should talk about them more often in business. But it’s also why some employees won’t talk about them. If someone has accidentally installed some malware or followed a phishing link, they may be inclined simply not to tell anyone because they’re afraid of the consequences. They might run the antivirus and get rid of a threat, or close the phishing page, and think that they’re safe. But the truth is that they could have created a weakness in your system, and your not being informed puts you in far more danger. You have to highlight the importance of reporting a mistake and be forgiving when one is reported. You might have to retrain the individual who made the mistake, but if you punish or reprimand them too harshly, it only creates an environment where people are more afraid to admit such mistakes in future.
Test your employees
A great way to make sure the lessons are sinking in, and that employees are willing to report mistakes, is to test them. There are phishing simulators, fake ransomware, and other tests you can use as a “live drill”. They carry no risk and recreate the events perfectly. This lets you identify who and where your current weak points are, so you know where to double down on, or change, your education and training efforts.
Encourage them better
Just as you don’t want to discourage them from reporting mistakes, you want to encourage employees to be more vigilant in spotting potential risks and odd behaviour on devices or networks. A reward programme can incentivise good information security practice very effectively. You can reward those who spot and report phishing emails or signs of a data breach, who seek out additional training, and so on. What the rewards are is up to you, of course. You might gamify the system by measuring good security practices and giving a bonus to whoever has “the highest score”, or give small treats and verbal acknowledgement to those who do well each week. Different teams respond to different incentives, so you have to find the one that works.
Are they intentionally putting you at risk?
It’s not the most pleasant thing to think about, but sometimes the threat really is from within. Beyond negligence, malice is a real force in the world. Some employees might not be as legitimate as they claim. They may have a history of corporate espionage or hacking and be more inclined to steal from the business than to help protect it. Running thorough background checks is essential for any business that is serious about digital security. It’s not very common, but missing one bad egg could be enough to leave your business vulnerable to the most dangerous kinds of attacks.
For any other security measures to work, you have to make sure that the team is aware, on board, and diligent when it comes to digital threats. The nature of these threats might change, but so long as your approach is consistent and evolving, you can protect your business.