When you think of cyber security breaches, you likely think of hackers assaulting your servers or viruses taking down your firewall from the inside. What many people don’t realize is that hackers typically don’t throw themselves against your firewall and other defenses in a frontal assault. Instead, they look for backdoors and other ways past your security. Many of these doors are left open by employees who don’t fully understand cyber security or don’t take it as seriously as they should.
That’s why it’s very important to fully educate your employees in cyber security. Without understanding why it’s so important and how their actions or inactions can put your data at risk, many will continue to leave your system vulnerable to attack. Let’s take a look at the basics of employee cyber security and how you can teach your team to protect your data.
What is Cyber Security?
When asked, “what is cyber security?” many people will say virus scanners or a firewall. However, cyber security also includes things such as being able to recognize a phishing email, knowing when texts are coming from a spoofed number, and following good computer security habits. It starts at the individual level, which is why you need to train all employees in cyber security. This includes the lowest level of employees up to your C-suite. Even your IT department needs to go through this training. While you may assume they’re experts in protecting your servers, that’s not always the case. Even if they are, a refresher never hurts.
Start with Passwords
Cyber security training is going to cover a lot, so you need to decide where to start. Since most people understand the point of passwords and what they do, that’s a good place to begin. You’ll want to teach employees what constitutes a strong password. Most people pick passwords that are easy to remember, but these passwords aren’t always hard to guess or crack. Instead, experts recommend that employees use a passphrase: several words strung together, ideally with numbers and special characters mixed in. Employees should avoid common words or anything obviously related to them that others could guess.
Another password mistake many people make is that they use the same password for everything. This means if one account is compromised, it puts all of their accounts in jeopardy. If an employee uses the same password for work and personal accounts, they present even more of a risk. Employees should use a unique password for their work account, and they should have different passwords for each work account they have.
The next thing you need to teach your employees is that they need to change passwords often. Some may be resistant to this idea because it means memorizing a new password or passphrase. However, rotating passwords regularly is necessary to fully protect your systems. Some hackers are very careful and use compromised accounts in low-profile ways that don’t trigger automated detection, precisely because nothing they do looks overly suspicious. If you require everyone to change passwords regularly, it helps ensure that even an account that has been quietly compromised gets re-secured.
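As an added illustration (not part of the article), a Python policy check that covers the three training points above: passphrase quality, one password per account, and regular rotation. The common-word list, the 16-character minimum and the 90-day interval are assumed values, since the article gives no figures.

```python
import re
from datetime import date

# Constructed stand-ins: a real deployment would use a breached-password list
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "123456", "summer"}
MAX_AGE_DAYS = 90  # assumed rotation interval; the article gives no figure


def check_passphrase(phrase: str, personal_terms: set) -> list:
    """Return the policy problems with a passphrase; an empty list means it passes.

    Rules mirror the training points: several words, digits or symbols mixed in,
    no common password words, nothing obviously tied to the employee.
    """
    words = re.findall(r"[A-Za-z]+", phrase)
    lowered = {w.lower() for w in words}
    problems = []
    if len(phrase) < 16:
        problems.append("shorter than 16 characters")
    if len(words) < 3:
        problems.append("fewer than three words")
    if not re.search(r"[0-9]", phrase) or not re.search(r"[^A-Za-z0-9]", phrase):
        problems.append("no digits or special characters mixed in")
    if lowered & COMMON_WORDS:
        problems.append("contains a common password word")
    if lowered & {t.lower() for t in personal_terms}:
        problems.append("contains a term tied to the employee")
    return problems


def reused_accounts(credentials: dict) -> list:
    """Accounts whose password is shared with at least one other account.

    `credentials` maps account name -> password. This is the reuse audit a
    password manager runs over its own vault; never collect plaintext this way.
    """
    by_password = {}
    for account, password in credentials.items():
        by_password.setdefault(password, []).append(account)
    return sorted(a for group in by_password.values() if len(group) > 1 for a in group)


def needs_rotation(last_changed: date, today: date) -> bool:
    """True when a password is older than the rotation interval."""
    return (today - last_changed).days > MAX_AGE_DAYS
```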
Implement Two-Factor Authentication
Two-Factor Authentication, often abbreviated as 2FA, is another form of cyber security. It involves signing in with a password and then entering a special code you receive via email, text message, or through a 2FA dongle device. This helps secure the account because the email address, phone number, or dongle must be set up when the account is created; someone who later obtains only the password can’t simply enter a phone number of their own for the system to text.
While 2FA does add an extra step to logging in, it greatly improves account security. Employees may push back on this extra step, but it does mean that even if their password is compromised, the account is still safe. Since most employees have phones capable of receiving text messages, using a two-factor authentication method that sends a text code is a good option. You can also invest in dongles for all employees. These small devices can clip on a keychain or attach to a lanyard. The employee presses the button on the dongle to see a code that they enter to log in.
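An added example, not from the article, assuming the dongle or phone app is a standard TOTP token (RFC 6238): the code is derived from a secret enrolled when the account was set up, which is why someone holding only the password cannot produce it. The enrolment secret below is the RFC test key, used as a constructed value.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # standard TOTP time step

# Constructed enrolment secret (the RFC 6238 test key, base32-encoded). In a real
# system this is generated when the employee enrols the dongle or app, stored
# server-side and inside the token, and never shown again after enrolment.
ENROLLED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """Code the token displays at a given moment: HMAC-SHA1 over the time-step
    counter, dynamically truncated and reduced to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_second_factor(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check run only after the password has already been verified.

    Accepts the current step plus `window` steps either side to absorb clock
    drift, and compares in constant time so timing does not leak the code.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```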
Email Spoofing and Phishing Are Still a Threat
Although phishing is one of the oldest tricks in the book, phishing emails are still around, and many people continue to fall for them. Email phishing involves sending a convincing-looking email that asks the recipient to either click on links or reply with specific information. Early phishing scams were fairly easy to recognize: the email looked unprofessional, and the return email address was obviously not from the company the email claimed to be from.
Today, however, email spoofing has made it more difficult to spot some phishing scams. Spoofing allows a hacker to send an email that looks like it came from a trusted source. Often, the hacker doesn’t even have access to the email account they spoofed. The message asks you to click on a link, and that link either delivers malware to your computer or leads to a page asking you for specific information.
In addition to teaching your employees how to identify phishing and spoofing, you need to have a process in place for them to report these attempts. You should also do periodic testing by sending out your own spoofing or phishing emails to employees. Those who fail to identify them or report them correctly may need to attend an extra internet security training session.
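An added example, not part of the article, of the checks a mail gateway or a phishing-report triage script can run on a reported message: the headers below are a constructed spoof and a constructed legitimate message, and the DMARC verdict is read from the Authentication-Results header the receiving mail server writes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims the company's domain, but the
# envelope sender, the Reply-To and the DMARC verdict all point elsewhere.
SAMPLE_SPOOFED = """Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=example.com
From: "Pat, CEO" <ceo@example.com>
Reply-To: ceo.example@freemail-example.org
To: staff@example.com
Subject: Urgent wire transfer

Please handle this today; I am in meetings and cannot take calls.
"""

# Constructed sample of a message that passes every check.
SAMPLE_LEGIT = """Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Pat, CEO" <ceo@example.com>
To: staff@example.com
Subject: Quarterly meeting

Agenda is in the shared drive.
"""

def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message: str) -> list:
    """Reasons the message looks spoofed; an empty list means none were found.
    Checks what a gateway or a trained reader can see offline: From versus the
    envelope sender, From versus Reply-To, and the DMARC verdict the receiving
    server recorded in Authentication-Results."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    reasons = []
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        reasons.append("envelope sender %s != From domain %s" % (rp_dom, from_dom))
    rt_dom = _domain(msg.get("Reply-To", ""))
    if rt_dom and rt_dom != from_dom:
        reasons.append("Reply-To domain %s != From domain %s" % (rt_dom, from_dom))
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if verdict and verdict.group(1).lower() != "pass":
        reasons.append("DMARC verdict is %s" % verdict.group(1))
    return reasons
```

Any non-empty result is a reason to route the report to whoever handles phishing reports rather than leave the judgement to the recipient.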
Make Sure Employees Know How to Secure Their Own Devices
Just about everyone has a smartphone today, and they all bring these devices into the office. They may also have tablets or use their own laptops. Others may work remotely on their own devices. All of these devices need to be properly secured, especially if employees have company data or access company servers with them. They need to understand how to use a VPN to add security when using public Wi-Fi, have antivirus and firewall programs installed and running, and make certain they update their software often.
Employee devices present major security threats because you don’t control them. If an employee’s device is missing important security and quality fixes, it’s possible hackers could exploit those loopholes and gain access to your server. Employees need to be certain they’re following all appropriate security processes, especially when using their own devices. If even one remote worker fails to follow device security best practices, your entire system could be vulnerable.
Keep up with the Industry
Cyber security is one industry that is changing almost daily. Hackers are always creating new malware or finding new loopholes to exploit. It’s not enough to put strong security in place; you have to constantly re-evaluate those defenses and upgrade them as necessary. This is why it’s very important for someone in your business, whether it’s the director of IT or a C-level executive such as the CTO, to closely follow cyber security news. This will help you keep up with the latest changes to best practices and risks to your business so you can adjust your employee training tools and processes.
Consider Working with a Managed IT Services Provider
Cyber security is a major undertaking for a small business, especially one that can’t afford to hire an expert to dedicate to keeping up with security practices and monitoring your system. That’s why many companies turn to a managed IT services provider. These providers can take over all of your basic security as well as handle system upgrades, remote and on-site support, preventative planning, and more.
There are a number of benefits to working with an IT services provider. You can still hire your own internal IT staff, but those team members can focus on special projects rather than the day-to-day tasks that can take up a lot of an IT employee’s time. You also don’t have to reinvent the wheel. Many IT service providers already have cyber security training materials and other tools you can provide your employees. Another benefit is cost. You know exactly what you will spend on your IT services every month. Often, this is much less than what you would pay for an employee due to all of the different costs associated with hiring someone, such as salary, benefits, equipment, and workspace.
Let Wooden Spoon IT Be Your Go-To IT Services Provider
If you’re in the Santa Rosa area and are in need of a managed IT services partner, Wooden Spoon IT is here for you. Our team has years of experience in the IT world, including cyber security. We continually follow industry changes and trends to bring our clients the latest in security. Our proactive approach aims to stop as many potential attacks as possible, while our assistance with disaster recovery planning ensures that you have a response ready should an attack succeed. We provide remote and on-site support, preventative hardware and software maintenance, and optimize your IT operations and infrastructure to make your business more productive overall.
If you would like to know more about what Wooden Spoon can do for you, contact us today.