No matter how careful you are about protecting your business information, there’s always a risk someone will break into your system to steal customers’ payment and password data. Although years of international data breach studies say theft is usually external, some of your staffers’ work practices (and yours) may unintentionally make it easier for outsiders to breach your security. Here are some habits you and your employees should break.
Putting off updates
It’s so, so tempting to dismiss those time-to-update notices from your antivirus program, your operating system, and your applications. You’re busy, it only takes a quick click to clear your screen, and you can get back to work. The problem is that putting the update off can become a habit, and that leads to extra risk.
That’s because whenever an update notice goes out, hackers see it, too, and they start looking for businesses and networks that don’t quickly patch their software. According to the global 2016 Data Breach Investigations Report, most of the attacks against out-of-date software happen within three months of the update announcement.
If your team puts off updates to avoid work slowdowns, schedule updates to happen automatically overnight or at another time when your employees are offline. (Critical updates, of course, should happen as soon as possible.)
BYOD without bringing device security
Do you and your employees use your own mobile devices, tablets, and laptops to work while you’re outside the office? If you have a “bring your own device” policy (BYOD), you also need a BYOD security policy to protect your business information on those devices. Specifically, you need to ensure that you have control over which business data your staff can access on their own devices and have a way to remove that data if they resign, are fired, or lose their device. Just like your business network, employees’ devices should have up-to-date security programs and software to protect their data and yours.
Exposing data to physical theft
In the push to update your digital security, remember that physical security matters, too. If a bad apple finds the smartphone you left on the plane, the tablet sitting in your parked car, or the laptop you left on your desk, they can literally walk away with your data.
Insurer Horizon Blue Cross Blue Shield of New Jersey experienced this in 2013, when thieves stole two employee laptops and compromised data for 840,000 health-insurance clients. CSO Online reported that the machines sat in plain sight, attached to desks with cable locks that the thieves cut, and with no data encryption to protect customer records in case of theft or loss.
Your employees should make sure to store laptops and other devices out of sight and under lock and key. It’s up to you to ensure the devices use the necessary password and encryption tools. While you’re protecting your current hardware, make sure you also require employees to wipe data from old machines that are being replaced.
Clicking links in phishing emails
The wave of phishing attempts is higher than it’s been in more than a decade. Phishing attacks trick email recipients into clicking on links that install data-stealing malware on networks. It can be hard to distinguish a genuine email from a phishing attempt, especially for employees whose jobs involve opening many emails (customer service, for example). The 2016 DBIR looked at millions of results from organization-sponsored phishing tests and found that about 12% of test messages led an employee to click on an infected link or attachment. Of those, just 3% reported the problem to a manager.
The DBIR recommends strong email filters as the first line of defense, because employees can’t click on malware links they never see. The report also recommends training your workers to be on the lookout for phishing attempts and to let you know when they click on suspected phishing links.
Befriending strangers on social media
There’s another type of phishing your employees should be aware of, especially if they mention your business name on their personal or professional social media accounts. Thieves can create fake profiles, make friend requests, and then monitor posts for information they can use to guess passwords to employees’ personal and business accounts. They can also share links and files that contain malware. If your staffers click on these while using your business network, you’re going to be infected.
SocialNomics recommends that social media users only accept friend requests from people they know. It’s also a good idea to avoid following links or downloading files from strangers on social media.
Leaving paper records accessible
After all this talk about hardware, email and social media, and network security, it may seem odd to wrap things up with paper. However, until the day comes when no employee keeps a work password scrawled on a sticky note and every employee diligently shreds documents before disposal, paper will be a low-tech way for thieves to access your network and sensitive data.
The DBIR recommends that you “rein in the paper” as much as you can. Ban workers from posting passwords where they are visible to customers, passersby, or third-party workers like cleaners and caterers. Make shredding discarded documents a companywide habit.
For more information about small-business success, check out the Startup & Small Business section of the HostGator blog.