Your employees. Are they your company’s greatest asset or the greatest threat to your company’s existence?
Both. At least when it comes to cybersecurity.
More than half of business data breaches are the result of emails opened by employees that lead the hackers into the inner workings of your company. But only 35 percent of senior executives think it is a priority to train employees on how data security risks affect the organization.
• Los Angeles Valley College paid $28,000 in ransom to hackers who took control of their files through an innocent-looking email sent to an employee.
• Hollywood Presbyterian Medical Center had its data taken hostage by hackers who received $17,000 in ransom. Investigators believe an employee opened a Microsoft Word document that looked like an invoice but was actually a virus called Locky, which locks users out of their files and withholds the decryption key unless a ransom is paid.
• A Boeing employee who wanted help formatting a Microsoft Excel spreadsheet sent his spouse a document containing names, birthdays, Social Security numbers and code numbers for 36,000 employees.
One more scary thought: Most employees do not even know when they have opened the door for a hacker.
Hackers are evil people, but they also are very smart. They know your employees are the weak link in the security wall and that’s how they approach them. The email subject lines are enticing, reasonable. They look like the daily routine emails everyone receives.
Once opened, the message text follows the business language of the day (unless the hackers could not afford a good translator, in which case the English reads like an Eastern European dialect) and asks the employee to open the attachment for further instructions. Once the employee does, the hackers are in and havoc ensues.
So how do you stop them? Here are some ideas:
• Identify the prime targets. For most companies, this is the human resources or finance departments. That’s where the records are kept and that’s what the hackers want. If you train anyone, start with these departments first.
• Empower your IT department, but coach them to be helpful, not arrogant. You’ll get more cooperation that way.
• The simplest things are often overlooked. Do not leave sensitive information on unattended computer screens, and set computers to lock automatically after a short period of inactivity. Sure, that’s annoying, but how annoying is a hack?
• Passwords and codes should not be left on desks where any passerby can see them.
• A strong training program is essential and ought to be repeated regularly. But don’t just punish the violators. Reward those who follow the company protocols.
• Offer incentives for employees who report security issues.
• Limit employees’ access to social media sites.
• Use IT professionals to develop your company policies and procedures. Encrypt data. Have a regular time for changing passwords. Keep your firewalls up to date.
• Have a contingency plan. Identify your team that can address problems and have contacts with law enforcement already established. You don’t want to figure out who to call on the Wednesday afternoon before Thanksgiving.
There are a variety of weekly newsletters and training sites (some that even make a game out of training) that can make data security interesting rather than dreadful.
One final thought: Replace all “Just Do It” posters in your office with “Think Before You Click!”
Patricia Bramhall is founder of Tydak Consulting, a Conejo Valley-based IT firm that consults with IT departments.