Every week, it seems, we hear about another attempted hacking or cyber security threat. No one appears to be immune. All you have to do is read a newspaper or online story about a supermarket or "big box" store being breached and its customers' financial information being compromised to know how real the threat is.
Cyber attacks and cyber crime pose the biggest threat to businesses, hands down. Hackers have become more sophisticated and more difficult to detect than even a few years ago. Hacking is a big business; an illegal one, to be sure, but a big one. Consider these alarming statistics:
In 2018, hackers stole half a billion personal records, according to one research organization. This was a 126% increase from the previous year. In the last five years, there were 3.8 million records stolen from breaches every day.
Some of this information ends up on the "dark web," where no one ever wants to be. It's difficult to trace addresses that originate there, and it's a haven for information that has been hacked or breached. We've all heard the stories about hackers encrypting data and demanding bitcoin payments. In short, it's not a place anyone wants to be.
All of this activity keeps Information Technology providers very busy. And even though our industry strives to stay ahead of the hackers, most businesses can save themselves a lot of headaches by instituting some common sense office protocols, and some training.
Consider this hypothetical scenario. An administrative assistant receives what she believes to be a legitimate email from her boss, who is away from the office for a week working remotely. The email directs her to forward him several dozen employee W-2s from the company. The email looks real, and sounds real, so she complies. Regrettably, it was a phishing scheme, sent by someone who knew her boss was away and knew how to write an email that would sound credible.
Or, a harried administrator receives a request from the boss asking to have $100,000 wired into another account on behalf of "a client."
These can be costly mistakes for companies when it's discovered that these requests did not come from a legitimate source but instead from an unscrupulous hacker. So, acknowledging that "hindsight is 20-20," how could these situations potentially have been avoided?
Simply, the administrative assistant should have called or confirmed with "the boss" to make certain the request was legitimate. That simple step would have averted a catastrophe with far-reaching legal implications.
Remember that the vast majority of problems start with human error. Proper protocol and training can be a more effective firewall than the best protection devices, because protection against unwanted intrusions starts with the end user.
Here are a few suggestions for what a business should, and shouldn't, do:
1. When in doubt, verify! If you receive a request that seems questionable, call or email and verify that it is legitimate. When it comes to protecting sensitive information, there are no "stupid questions."
2. Avoid any suspicious links. If you are not expecting a package from FedEx, do not open an email that appears to offer tracking information.
3. Look at the address on incoming emails. If you don't recognize it, verify it first.
4. Change your passwords frequently.
5. Do not allow your company website or social media platforms to be accessible on remote or portable devices that your employees use. If someone opens a malicious email and your company information is on their device, your chances of getting hacked just jumped significantly.
6. Have, and enforce, a strict policy about what your employees can access on company computers and networks. Web surfing leads to the potential of hacking.
7. Conduct regular training of employees with trusted IT professionals who can warn of the latest threats, and who can establish protocols to protect your infrastructure.
8. Owners or trusted team members who may operate at remote locations from time to time, such as coffee shops with Wi-Fi connections, use public Wi-Fi at their own peril. Your information is potentially exposed to the public. It's better to use the "hot spot" option from your smartphone so that you are operating on your own network, not a public one.
An educated workplace is a (more) secure workplace. Work with a reputable IT partner who can help you through the basics of how to improve the security in your workplace. It will be time well spent.