As the details of the 2017 Equifax data breach, one of the largest hacking incidents in United States history, unfolded, the company's former CEO, Richard Smith, blamed the entire fiasco on one IT technician who failed to pass along the notice that a patch for a critical vulnerability in the Apache Struts web framework (CVE-2017-5638) needed to be installed.
If anything, this situation shows just how tenuous IT security can be, and how important it is for everyone in your organization to actively participate in an IT risk management program. Cyber security threats aren't going away any time soon. By one widely cited estimate, cybercrime is expected to cost companies $6 trillion annually by 2021, a figure that, to put it in perspective, "represents the greatest transfer of economic wealth in history."
Of course, the largest absolute losses from a lapse in cyber security will be borne by large enterprise organizations, but that doesn't mean small and mid-sized businesses shouldn't do everything they can to protect themselves. In fact, because you work on such a personal level with your staff and your customers, you may have even more at stake than anyone: your livelihood, personal relationships, reputation and so on. Fortunately, there are things that companies of all sizes can do to improve their security at every level and face these threats head on:
- Train Your Staff: It's a simple thing, but as the Equifax breach illustrates, security awareness training and consistent best practices across your company go a long way toward mitigating digital disasters. Look for a class (online or in person) that covers recognizing and handling spoofed and phishing emails, keeping software up to date, safe online behaviors and similar topics, and put every member of your team through it.
- Choose the Right Email Client: Having access to your email from anywhere, on virtually any device, is critical, but sacrificing security for convenience should never be an option. Look for an email service that can distinguish between spam, phishing and legitimate messages and filter them appropriately; at a minimum it should flag messages whose Reply-To address or display name doesn't match the address they were actually sent from, since that is how most "urgent request from the boss" scams are built. If your email filters can also disable or rewrite hyperlinks in suspicious messages and block your team from replying to them, even better. If possible, look for a service whose filters can be set at the personal or group level, so you can decide what's best for your company.
- Keep Your Device Policy Up to Date: Make physical security a priority by writing company policies that spell out best practices for keeping devices safe. Create a protocol to follow should a device go missing: who to contact, how quickly, and what needs to happen from a technical perspective (revoking the device's sessions and credentials, and wiping it remotely where that's possible). As an added layer of protection, require screen locks and full-disk encryption on every device and two-factor authentication on every account. This way, even if a device is stolen, the thief can't read the data stored on it, and a second factor is still required before any password saved on it gets them into your accounts.
- Update Your Software: If the Equifax breach taught us anything, it's that keeping software up to date is critical for every employee, from the top down, and for every server as well. The unpatched Struts component at Equifax was part of a public-facing web application, not somebody's laptop, so keep an inventory of what is running where and check it against vendor advisories rather than relying on one person to forward an email. If you use cloud-based software, security updates are usually applied for you by the provider, but if your company hasn't yet transitioned to cloud-based software, you can still automate updates and push them out to your staff. If that isn't an option, or one you'd simply rather not undertake, you can make each member of your team responsible for installing updates on their own machines; you'll just need to set up the software to prompt users when updates become available, and check periodically that those prompts are actually being acted on.
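The two sender checks mentioned under "Choose the Right Email Client" (a Reply-To that goes somewhere other than the visible sender, and a display name that contains a different address than the one the mail was actually sent from), plus link disabling for messages that fail them, are simple enough to show in working code. This is an added example and not code from any email product or from the original article; the two messages are constructed for the demonstration, the `.example` domains are placeholders, and the function and field names (`analyse_message`, `defang_links`, `verdict`, `reasons`) are this example's own choices. A real gateway would add SPF/DKIM/DMARC results and content scoring on top of checks like these.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def _plain_body(msg: Message) -> str:
    """Return the first text/plain part, decoded; '' if the message has none."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def defang_links(text: str) -> str:
    """Rewrite http(s):// as hxxp(s):// so a clicked or pasted link no longer resolves."""
    return re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", text)


def analyse_message(raw: str) -> dict:
    """Run the sender checks on one RFC 822 message and neutralise links if it fails."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reasons = []

    # Check 1: replies would go to a different domain than the visible sender,
    # i.e. to the attacker rather than to the person named in From.
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(
            f"reply-to domain {_domain(reply_to)} differs from sender domain {from_domain}"
        )

    # Check 2: the display name itself contains an email address (a classic
    # spoof of an executive or colleague) at a domain other than the real one.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if claimed and claimed.group(1).lower() != from_domain:
        reasons.append(
            f"display name claims {claimed.group(1)} but message was sent from {from_domain}"
        )

    body = _plain_body(msg)
    return {
        "verdict": "phishing" if reasons else "ok",
        "reasons": reasons,
        # Only suspicious messages get their links disabled; clean mail is untouched.
        "body": defang_links(body) if reasons else body,
    }


# Constructed sample: a spoofed "CEO" asking accounts to pay a bogus invoice.
PHISH = """From: "Richard Smith <ceo@example.com>" <billing@mail-notices.example>
Reply-To: payments@evil-pay.example
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please settle the invoice at https://pay.mail-notices.example/inv/42 today.
"""

# Constructed sample: an ordinary internal message that should pass untouched.
CLEAN = """From: Jane Doe <jane@example.com>
To: accounts@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See https://example.com/menu for today's menu.
"""

if __name__ == "__main__":
    for sample in (PHISH, CLEAN):
        result = analyse_message(sample)
        print(result["verdict"], result["reasons"])
        print(result["body"])
```

Note that the checks deliberately compare whole domains, so a legitimate Reply-To on a subdomain of the sender would be flagged too; loosening that is a policy decision for your own domains, which is exactly the kind of per-group setting the text above recommends looking for.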
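The "Update Your Software" advice above comes down to one recurring check: compare what is actually installed against what a vendor advisory says is vulnerable, and rank the results by exposure. The example below is added here and is not code from the article, from Equifax or from Apache; the inventory is constructed, the `Advisory` and `find_unpatched` names are this example's own, and the only real data is the affected and fixed version ranges published by Apache for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). It also shows the general version-comparison logic rather than just the Struts case, including the pitfall that makes naive string comparison unreliable.

```python
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically.

    Comparing version strings as text gets this wrong: '2.3.9' > '2.3.31'
    because '9' sorts after '3'. Tuples of integers compare correctly, and a
    shorter tuple sorts before its own extension, so 2.5.10 < 2.5.10.1.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Advisory:
    component: str
    vulnerable_ranges: tuple   # ((lowest_affected, highest_affected), ...), inclusive
    fixed_in: tuple            # the release(s) that close those ranges

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return any(parse_version(lo) <= v <= parse_version(hi)
                   for lo, hi in self.vulnerable_ranges)

    def upgrade_target(self, version: str):
        """Smallest fixed release newer than what is running, or None."""
        v = parse_version(version)
        for fixed in sorted(self.fixed_in, key=parse_version):
            if parse_version(fixed) > v:
                return fixed
        return None


# Real ranges from the Apache S2-045 advisory for CVE-2017-5638.
STRUTS_CVE_2017_5638 = Advisory(
    component="apache-struts",
    vulnerable_ranges=(("2.3.5", "2.3.31"), ("2.5", "2.5.10")),
    fixed_in=("2.3.32", "2.5.10.1"),
)

# Constructed inventory; in practice this comes from your asset database.
INVENTORY = [
    {"host": "web-portal-01", "component": "apache-struts", "version": "2.3.30", "internet_facing": True},
    {"host": "intranet-wiki", "component": "apache-struts", "version": "2.5.10", "internet_facing": False},
    {"host": "build-server", "component": "apache-struts", "version": "2.5.10.1", "internet_facing": False},
    {"host": "hr-app", "component": "tomcat", "version": "8.5.11", "internet_facing": True},
]


def find_unpatched(inventory, advisories):
    """Return every inventory entry an advisory affects, most exposed first."""
    by_component = {adv.component: adv for adv in advisories}
    findings = []
    for item in inventory:
        adv = by_component.get(item["component"])
        if adv and adv.affects(item["version"]):
            findings.append({
                "host": item["host"],
                "component": item["component"],
                "version": item["version"],
                "internet_facing": item["internet_facing"],
                "upgrade_to": adv.upgrade_target(item["version"]),
            })
    # Internet-facing systems first: that is where a Struts hole gets exploited.
    findings.sort(key=lambda f: (not f["internet_facing"], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in find_unpatched(INVENTORY, [STRUTS_CVE_2017_5638]):
        exposure = "INTERNET-FACING" if finding["internet_facing"] else "internal"
        print(f'{finding["host"]:<15} {finding["component"]} {finding["version"]:<9} '
              f'{exposure:<15} -> upgrade to {finding["upgrade_to"]}')
```

Run as a scheduled job against the real inventory, a report like this replaces the single email that Equifax's process depended on: the check does not care whether anyone forwarded the advisory, only whether the vulnerable version is still deployed.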
Training your team has already been covered, but it cannot be stressed enough. Regardless of how many safeguards you have in place, your team has to be trained to use them properly, and refresher materials and reminders about why these precautions matter should go out to your staff regularly. That way you not only help them learn to recognize cyber security threats, but also give them the information they need to avoid taking unnecessary risks.