As a business owner, you have probably heard that your staff are the weakest link when it comes to security. In my opinion this is not true: your staff, if trained well, can be the most effective security control you have.
The key to success is how they are trained.
In this post, I will provide an approach to IT security training that I have used for many businesses, from sole traders to large multinationals and much in between, and that has proven very successful.
The Key to Successful Training
The key to any business training program is to make it interesting to the attendees, in a way that lets them apply what they have learned to their personal lives.
Let’s be realistic – people are more focused on their friends and family than on their day jobs.
So, if the training program gives value that can be applied to their personal life, including friends and family, then the material will be remembered and applied far more readily in their work environment.
For example, if your business IT security training program provides tips on how they can secure their home baby-cam by changing the default password, that will stick far more readily in their minds than telling them they must change the password on business system default accounts.
The benefit to your business is that focusing on adding value to their personal life makes it far more likely that the staff member will apply the knowledge in their work environment.
Hopefully you can see the benefit of this approach over running an IT security training program every 12 months where staff must sit through a slide pack of dull statements about complying with the rules or facing disciplinary action.
Topics Covered in the Training Program
Just to recap, the training program I am presenting is basic IT security training that all your staff and contractors should undertake.
The topics covered address some of the most prevalent and effective attacks, such as ransomware, social engineering and other tricks that malicious people use.
Most of these attacks require the target user, such as your staff member, to perform an action to kick off the attack: clicking a link or attachment within an email, downloading software, or divulging a password.
Of course, there are other types of attack that don’t require the user to do anything, but those are covered in another post (Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses) and are not part of the IT security basics training program for your staff.
Here is the list of topics that will be presented:
- Keep software updated
- Think before you click
- Avoid getting tricked
- Use strong and unique passwords
- Don’t plug in unknown media into your computer
- Secure your computer (screen saver)
- Protect sensitive data
- Do not use public Wi-Fi or any public networks
For each topic, I will give the business context: why the topic matters to your business and why staff need to be aware of it. I will then present a “story” showing how the topic is relevant to their personal life and how the recommendations help protect their family and friends. You can add your own business statements at the end, if you wish, to give some context to their obligations at work.
You don’t have to use every topic or all the content – just grab the bits that feel right to you. Also, change the text to suit your own business’s style of language, as you may find my approach too informal for your taste.
How you present the topics is up to you, though I have found that booking a one-hour group meeting just before lunch, and providing a free lunch, works well. A free lunch is an incentive for people to stay and discuss the topics, which helps reinforce the information in their memory.
To keep the momentum going after the meeting, you could set up a business group in your collaboration software where people can ask IT security related questions, both for business and home.
Other common reinforcement tools are posters covering one of the topics in this series, using graphics and text that address the topic in a funny manner (I have found almost zero success in threatening your staff with disciplinary action – unless you are in the military or police force!!).
If your business does suffer an attack on its IT systems, be transparent and send out a summary email to all staff stating what happened and how it was fixed. This shows that attacks on IT systems are real.
So, let’s begin by covering the topics.
1. Keep Software Updated
A key requirement for a business is to implement a patch management process that ensures all IT systems are patched promptly, to reduce the risk of known vulnerabilities being exploited.
This is best achieved with a centralized patch management and deployment process that controls when patches are applied to devices, with no action required by the end user.
If your business does not have centrally controlled patch management and deployment, you may be relying on each staff member to update their own computer.
This approach is not recommended, but it is common for small businesses. So it is important to establish in the minds of your staff the importance of patching at work by first addressing the patching of home IT systems.
Updating your software applications and operating system is one of the most important things you can do to reduce the chance of your personal IT devices being hacked.
Hackers break into IT systems such as home computers, mobile devices, webcams, Internet-enabled toys, smart TVs and other home appliances, and online security systems by exploiting vulnerabilities in the software running on the device.
Software is never 100% bug-free, so the makers of the software regularly release patches that fix bugs in their software.
That is why patching is so important!
It’s the software bugs that allow hackers to break into your IT devices!
One way to make sure you patch frequently is to check each application’s settings for an automatic update feature. If the application provides it, enable it so you don’t have to remember to check for updates. All major operating systems, including Windows, macOS and iOS, provide automatic updates – check that they are enabled. Attackers commonly exploit vulnerabilities for which a patch already exists, so the gap between a patch being released and it being installed is the window you are trying to close.
2. Think Before You Click
Clicking an attachment or link within an email is one of the most effective ways of getting a computer infected with malware such as ransomware.
Depending on the staff member’s role it can be almost impossible to avoid opening attachments; roles such as HR and finance receive emails with attachments all the time – CVs for the HR department and spreadsheets for the finance team, for example.
What makes it worse is that anti-virus software cannot be relied on to stop new malware: new variants are produced faster than vendors can write signatures and push them to every device, so a fresh sample will often not be recognised.
What helps is to think before you click.
Thinking means applying context to the email before clicking.
Often friends and family will send videos, pictures and other attachments to share with us. Sometimes the person sending the email is not who you think it is. It is very easy to send an email that looks like it came from someone else, carrying an attachment with malware or a link to a web page designed to infect your computer.
Also, sometimes a person’s email account is hacked and a baddie sends emails to everyone in their contact list with a malware attachment or a link to an infected web page. In that case the email genuinely comes from the friend’s account, so the sending address alone proves nothing.
So how can you trust that the email came from who you think it did?
If you know the person, check whether the tone, language and behaviour feel right to you. For example, if the person normally writes in a certain style but the email you received does not use that style, be suspicious. If they don’t normally send attachments, or the time of day the email was sent is strange, or the grammar and spelling are different, be suspicious. Check with the person by ringing or texting them – don’t reply to the email, because a reply goes straight back to the attacker if the account is compromised or the address is spoofed.
If you don’t know the person, never trust the email until you are 100% sure it is safe, and in particular never open an attachment or click a link within it!
Don’t rely on your anti-virus application to stop all malware; it will not. Anti-virus software cannot keep up with the volume of new malware being created.
- If the email came from a person you know, such as a friend or family member, your gut feel should guide whether you trust the email and its contents. If it just doesn’t feel like it came from that person, contact them by phone or text – never reply to the email.
- If you receive an email from someone you don’t know asking you to open an attachment or click a link – don’t. If the email is of interest to you, do some research on the sender via social media or a simple Google search.
- If the email feels wrong to you, trust your gut instinct.
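The “who really sent this?” question above also has a technical side that the gut-feel checks do not cover: the headers the receiving mail server adds. The following is an added example, not code from the original post, that reads a message’s headers and flags the signals an analyst looks at first: a Reply-To or envelope sender (Return-Path) on a different domain from the visible From address, and SPF/DKIM/DMARC results that did not pass. The sample message is constructed for the example and every address and domain in it is a placeholder; the subject-line keyword list is illustrative, not definitive.

```python
# Added example (not from the original post): header consistency checks for a
# suspicious email. SAMPLE_EMAIL is constructed for this example and every
# address/domain in it is a placeholder.
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-delivery-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-delivery-example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@webmail-lookalike-example.net>
To: accounts@example.com
Subject: Urgent payment - new bank details

Please process today, I am in meetings and cannot talk.
"""

# Illustrative keyword list; real filters use far richer features.
PRESSURE_WORDS = ("urgent", "bank details", "payment", "wire")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_verdicts(header: str) -> dict:
    """Extract spf/dkim/dmarc results from an Authentication-Results header,
    e.g. 'spf=fail ...; dkim=none; dmarc=fail' -> {'spf': 'fail', ...}."""
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def suspicious_signals(raw_message: str) -> list:
    """Return human-readable reasons to distrust the message. An empty list
    means the routing headers are consistent, NOT that the mail is safe: a
    compromised friend's account passes all of these checks."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(from_addr)
    reasons = []

    # 1. Replies silently routed somewhere other than the visible sender.
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_to)!r} differs from From domain {from_dom!r}")
    # 2. Envelope sender (what SPF actually checks) on another domain.
    if return_path and _domain(return_path) != from_dom:
        reasons.append(f"Return-Path domain {_domain(return_path)!r} differs from From domain {from_dom!r}")
    # 3. The receiving server's own verdicts: anything other than pass is a flag.
    verdicts = auth_verdicts(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            reasons.append(f"{method} did not pass (result: {result})")
    # 4. Social pressure in the subject line, typical of payment fraud.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in PRESSURE_WORDS):
        reasons.append("subject uses urgency/payment language typical of business email compromise")
    return reasons


if __name__ == "__main__":
    for reason in suspicious_signals(SAMPLE_EMAIL):
        print("!", reason)
```

To use it on a real message, save the email as a .eml file from your mail client and pass the file contents to suspicious_signals(). Treat the output as signals, not a verdict: newsletters and ticketing systems legitimately use a different envelope domain, and an email from a friend’s hijacked account passes every one of these checks, which is why the phone call still matters.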
3. Avoid Getting Tricked
Social engineering is a massive source of IT security breaches. One of the best-known phone scams is the Microsoft support scam, in which criminals ring people and convince the target that they are from Microsoft and that there is a problem with the target’s computer. The criminal then instructs the target to download remote-access software that gives the criminal full control of the computer, usually with the goal of locating personal information and account credentials such as online banking details.
Social engineering also extends to the business environment and can involve cons such as the Microsoft support scam, but also other tricks, such as convincing the finance department to deposit large sums of money into the criminal’s account in payment for goods or services that do not exist.
Another social engineering attack is hacking into a business’s email accounts, intercepting valid payment requests sent by email and replacing the bank account details with the criminal’s own, so that legitimate payments end up in the criminal’s account.
Your staff can help protect the business against social engineering by being able to detect when they are being targeted. This means taking a more cautious approach to people who contact them with instructions to change a process without going through the correct channels. For example, a finance team member receiving an email from the CEO instructing them to make an urgent payment to a service provider using different bank account details. If the request is not going through the correct process, it could well be criminal activity; verify it by phone using a number you already have, never one given in the email.
Baddies know that most people trust others, so they will use this to try to trick you into giving up valuable information or performing an action that can harm you and your family.
Baddies will often send an email or ring, trying to convince you to share information that could harm you in some way. Types of tricks include:
- Impersonating a well-known business such as Microsoft, claiming that your computer needs fixing and asking you to download software that is malicious, giving the baddie access to your computer to search for bank account details or other sensitive personal information.
- A family member who you know is overseas contacting you by email with an urgent request for money, where the tone or language of the email doesn’t feel like them.
Some of the tricks used can be very convincing, so it’s important to take a deep breath and look at the situation in your own time.
For example, if you receive a call from a stranger stating they are from a well-known company, and they try to get you to divulge personal information or make changes to your computer, put them on hold and ask yourself whether the company would really be doing this; better still, if someone is with you, ask their opinion of the caller’s intent. Hanging up and calling the company back on a number from its website or your statement is always acceptable.
- Be very suspicious of anyone contacting you unexpectedly and asking for personal information or asking you to perform an action such as downloading software.
- Banks will never ask for your password; for that matter, no business should ask for your password – and that includes the business which employs you.
- Software vendors do not contact you out of the blue and ask you to download and install software.
- Businesses should never ask for personal information unless you initiated the conversation, for reasons such as customer support.
4. Use Strong and Unique Passwords
Password management is one of the most important aspects of IT security for any business.
I would imagine that thousands of posts have been written about the need for strong passwords and the need for each account to use a unique password, so I will not repeat the recommendations here.
However, for your staff member, strong passwords and using a unique password for every account is a massive annoyance, especially when you consider how many accounts we all have requiring a password!
If you would like more ideas on password management then read my post: Realistic Password Management Tips
Why is it important to have a strong password for each of your accounts and never reuse a password?
The simple answer is that a weak password can be very easy to guess, and baddies know that most people reuse their password on many accounts to avoid having to remember them all.
What you may not realise is that if you reuse a password, a baddie will eventually get hold of it from one breached site and then try that same email address and password against your other accounts (banks, shops, social media) using automated tools; this is known as credential stuffing, and researching your social media tells them which accounts to try.
Not all websites are built the same; some don’t care much about security and may store your password in clear text or with a weak hashing scheme, so that it is easy to recover. If a baddie hacks a website you use and your password was stored weakly, there is a very good chance that your password is now known to the baddies.
But it gets worse.
Not only will they have your password, but they will have the other personal details that were stored with it, such as your email address, name and date of birth.
All this information can be used to find more information about you, such as your social media accounts and other website accounts.
They will also try that password on the email account you registered with. So, if you used the same password as on the website that was hacked, the baddie now has access to your email account and all your contacts – and, through password resets sent to that inbox, potentially every other account tied to it.
Therefore, it’s very important to use a strong password and never reuse one.
A weak password is one that can be guessed or is short. Examples of weak passwords are “password123“, “qwerty“, “letmein“, family members’ birth dates, pets’ names and so on. Guessing weak passwords is extremely easy with specialised software that is freely available on the Internet: short passwords fall to brute force quickly, and dictionary words with a digit or two bolted on are not much better.
A strong password is long and random: at least 12 characters (longer is better), either a mix of lower- and upper-case letters, numbers and special characters such as %, #, ( and * produced by a generator, or a passphrase of several unrelated words. Length matters more than the exact mix of character types, and the password must be unique to the account.
If creating strong and unique passwords sounds daunting, a password manager will generate and remember them for you (see topic 7). There are also free online generators such as https://strongpasswordgenerator.com/, but prefer a generator that runs locally on your device, such as the one built into your password manager, so the password is never produced on someone else’s server.
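As an added example (not code from the original post), here is what the “generate it locally” advice looks like in practice: Python’s secrets module, which draws from the operating system’s cryptographic random source, builds either a random character password or a random word passphrase, and a small checker applies the weak-password tests described above. The word list and the common-password set are placeholders constructed for the example; a real passphrase generator uses a list of several thousand words, such as the EFF diceware list.

```python
# Added example (not from the original post): local password/passphrase
# generation with a CSPRNG plus the weak-password checks the text describes.
# WORDS and COMMON are placeholder lists constructed for this example.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "%#(*!?-_"  # 70 symbols

# Placeholder word list; a real generator uses thousands of words (e.g. EFF diceware).
WORDS = ["copper", "violet", "tundra", "meadow", "sprocket", "lantern", "harbor", "quartz"]

# Placeholder set of well-known weak passwords; real checkers use breach lists.
COMMON = {"password", "password123", "qwerty", "letmein", "123456", "welcome"}


def generate_password(length: int = 16) -> str:
    """Random password from ALPHABET; secrets.choice uses the OS CSPRNG,
    so each character is independent and unpredictable."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 5, sep: str = "-") -> str:
    """Random passphrase: easier to type and remember than a symbol soup.
    Its strength comes from the number of words and the size of the list."""
    return sep.join(secrets.choice(WORDS) for _ in range(words))


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent uniform picks from `alphabet_size`
    choices. Works for characters (16, 70) and for words (5, 7776)."""
    return symbols * math.log2(alphabet_size)


def weakness_reasons(password: str, personal_terms=()) -> list:
    """Cheap checks mirroring the text: too short, on a common list, digits
    only, or containing personal information such as a pet's name or a year."""
    reasons = []
    lowered = password.lower()
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if lowered in COMMON:
        reasons.append("appears on common-password list")
    if password.isdigit():
        reasons.append("digits only")
    for term in personal_terms:
        if term.lower() in lowered:
            reasons.append(f"contains personal term {term!r}")
    return reasons


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    pp = generate_passphrase()
    print(pp, f"~{entropy_bits(5, len(WORDS)):.0f} bits with this tiny list,",
          f"~{entropy_bits(5, 7776):.0f} bits with a 7776-word list")
    print(weakness_reasons("Rex1984", personal_terms=["Rex", "1984"]))
```

entropy_bits is there to show why list size matters: five words from a 7,776-word diceware list give about 65 bits, while five words from the eight-word placeholder list give only 15, which a cracking tool exhausts instantly. The same arithmetic shows a 16-character random password from the 70-symbol alphabet at roughly 98 bits, well beyond what the text’s 8-character minimum would give.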
5. Don’t Plug-in Unknown Media Into Your Computer
Removable media such as USB memory sticks are often loaded with malware and left in areas around the target business such as the car park, reception, and other places staff are known to frequent, such as cafes.
If the infected device is plugged into a business computer, there is a good chance that the infection will succeed, resulting in a “back door” into your business IT systems.
This is not uncommon, nor is it considered a sophisticated attack. There are devices anyone can buy that are designed solely for this type of attack, including ones that look like a memory stick but present themselves as a keyboard and type commands the moment they are plugged in.
Your staff should be aware of the risk of inserting any unknown removable device into their own computers as well as your business computers.
It’s important to note that they or a family member could infect their home computer and then infect your business computer via files shared between the two, even if they use different USB sticks. There are variants of malware that silently infect any portable device plugged into an infected computer, spreading the malware further.
If you find a USB stick or other portable device such as a portable hard drive, do not plug it into your computer. Malware can live on portable devices, so plugging one in can result in your own computer being infected. Then, if you plug another device into your computer, it could be infected as well, ready to infect other systems.
The best action when finding a portable device is to hand it in to the nearest authority so they can deal with it, or leave it where it is.
6. Secure your computer (screen saver)
An unattended computer that has not been locked is a major security risk to a business, especially if the computer is accessible to the public or visitors, for example computers at reception.
It can take only a matter of minutes for a malicious person to infect the computer, by opening a web browser and visiting a malicious web page or by plugging in a device.
Always have the screen lock (a password-protected screen saver) activate after a set period of inactivity, for example 15 minutes in a non-public environment or a maximum of 5 minutes for a computer in a public area. The lock must require a password to unlock, and staff should also lock the screen manually whenever they step away.
Not having a screen lock on your devices such as mobile phone, iPad or computer is dangerous, especially if you accidentally leave the device in a public place.
It’s bad enough that you will probably never see the lost device again, but it’s far worse if the person who grabbed your unattended device has full access to its apps because there was no screen lock requiring a password or PIN to unlock it.
Always set the device to lock after a period of inactivity – it’s recommended that a maximum of 5 minutes of inactivity should trigger the lock and require a password, PIN or biometric to unlock.
7. Protect sensitive data
Passwords, business bank account details, staff HR records, payroll data and other sensitive information must be securely stored at all times.
Often, I have seen passwords to software and important accounts shared between people via post-it notes or even a spreadsheet named “passwords.xls” stored within a shared drive with not even a basic file password protecting the contents of the file!
When a business is breached, one of the first tasks the malicious person will perform is searching the network drives for password files.
Using a standard password lock on a file is not enough. Older Office file formats used weak protection that freely available cracking tools break in minutes, and even with modern formats, which encrypt the file properly, the password chosen is usually simple enough to be guessed by a brute-force tool in hours or days. The file also gets copied around, so there is no way to revoke access once it has leaked.
The use of a centralized password vault that is designed to protect sensitive information, not just passwords but also documents, is a must for any business. There are many benefits to using a password vault such as:
- Sensitive information is encrypted with strong ciphers, so if the vault file is stolen its contents are practically impossible to recover – provided the master password is long and random, because the encryption key is derived from it.
- Access rights can be applied to each piece of sensitive information so only the people who need access to that information can access it.
- There are no synchronization issues with storing multiple copies of sensitive information in different files and/or locations. The password vault application will provide centralized management.
- Most password vault applications provide auditing features so every person who accesses a piece of sensitive information is recorded.
It’s very important to protect your family’s sensitive information such as online bank accounts details, financial information such as investment portfolio details, social security numbers and other information that can be used to not only steal your money but to also steal your identity which will be used for fraud.
Before we had computers, this information was stored under lock-and-key such as a home safe or a safe deposit box at a bank, however, most of us now store sensitive information on our computer.
The problem is that the computer was not designed to be a safe.
If your computer is stolen or accessed by hackers, and you have not taken steps to protect the sensitive data, then there is a very high chance that the criminal will have full access to that information on the stolen device.
How can you protect sensitive data stored on your computer?
Sensitive information can be protected by using a “virtual safe” such as a password manager application.
Password managers are applications which can store important information such as passwords, bank account details, social security numbers, or files securely.
Password management software can be installed on your computer, but the downside to this approach is that any time you or someone else needs the information stored in the vault, they need access to that computer.
For families, this can be annoying.
An alternative approach is to use one of the password management systems offered online. The key benefit of the online systems is that more than one person can access the vault at any time and on any device.
Some online offerings provide cool features such as a password generator and automatic filling of the password box for online accounts. This means you can have strong and unique passwords that you never have to type: the system fills the password in for you. The auto-fill only triggers on the site the password was saved for, which also makes it a useful defence against look-alike phishing sites.
Another cool feature is that most online password management systems support multi-factor authentication. This means you need your username and password and, in most cases, your mobile phone as well, to receive or generate a one-time code. So, if your password is discovered, the person still needs access to your phone to log into your password vault. An authenticator app or a hardware security key is preferable to codes sent by SMS, which can be intercepted or redirected.
8. Do not use public Wi-Fi or any public networks
Public Wi-Fi hotspots, including those provided by hotels, cafes and other businesses, should be treated as highly insecure. There are many attack scenarios, free tools to set up rogue Wi-Fi access points and intercept Wi-Fi traffic, and the general security of such networks is poor. Devices designed specifically for creating rogue access points can be bought by anyone for a modest price.
If you or your staff need to use public Wi-Fi, then at the very minimum a VPN should be used to protect the data flowing between your device and the VPN provider, which means the access point and anyone else on the network see only an encrypted tunnel.
If you can, try to avoid public Wi-Fi hot-spots such as the ones offered by libraries, cafes, airports and other businesses.
Wi-Fi networks can be easy to attack, which means baddies on the same network, or running a rogue access point, can see some of your traffic or even redirect which websites you visit!
Most websites now use HTTPS, which encrypts the data between your device and the site even on a hostile network, but not all do, and apps don’t always get it right. Traffic that is not protected could include your account passwords or other sensitive information, and even with HTTPS the names of the sites you visit are visible to whoever controls the network.
If you need to use public or free Wi-Fi, use VPN software so all your data is protected regardless of which websites you visit. Also turn off file sharing for that network and never click past a browser certificate warning while on it: on a hostile network that warning is the only sign that someone is sitting in the middle.
Take These Steps And Protect Your Business From A Cybercrime
You might have read the news story about the events at Mar-a-Lago. The prestigious club favoured by the president was recently breached by a woman who claimed she was a member. She wasn’t. Once inside, she suggested she was there for a conference.
There was no conference taking place, and the woman had entered the club carrying multiple pieces of tech, one of which, a USB thumb drive, reportedly contained malware. The president was at the club at the time, and it is not currently known what the woman’s intentions were. It is clear, however, that she got a long way in.
This shouldn’t come as a massive shock. After all, recent reports have suggested that by 2021 there will be a cyber attack on a business every twenty seconds. That’s crazy, and it won’t just be big businesses that are exposed.
Indeed, experts suggest that smaller companies will be targeted because criminals don’t expect them to have the latest protection measures in place.
This leaves an important question: Is your business secure and prepared for the threat of a cyber attack?
Truthfully, the answer is probably no. But you can take steps and make changes to ensure that your business is protected.
Let’s look at some of the ways you can do this, plus here’s a quick recap on what you need to know about cyber crime and malware.
What is Malware?
You don’t need to know the history of malware, but it’s kind of interesting, so here’s a short summary. Its theoretical beginnings are usually traced to 1949, when computer scientist John von Neumann described self-reproducing programs; the first documented viruses appeared in the 1970s.
Not all self-replicating programs were written to cause harm, but malware by definition is, and it’s thought that a third of all computers worldwide have been infected at some time.
There have been some very hard-hitting computer viruses over the years, including:
- 2013 – CryptoLocker. One of the early widespread ransomware programs. Ransomware encrypts the victim’s files (or locks the computer) and demands a ransom for the key; some later strains also threaten to publish the stolen data unless paid.
- 2014 – Backoff. Known for infecting Point of Sale (POS) machines to steal credit card data.
- 2016 – Cerber. A ransomware family that Microsoft reported as among the most prevalent of its time.
- 2017 – WannaCry. Ransomware that spread on its own between unpatched Windows machines; appropriately named, as many companies hit by it did ‘want to cry’.
What is Cybercrime?
Simply put, cybercrime is the term for any criminal activity carried out online, i.e. using the Internet. It’s far-reaching, covering everything from ransomware and other malware to hacking, phishing and spamming.
So, what can you do to make sure your business is protected?
Installed And Up To Date
It’s important to install anti-virus software and, once it is installed, to keep it updated. Many people think that once anti-virus software is on their tech, their problems are over. That isn’t the case: it is easy to fall behind on updates, at which point the software recognises none of the recent threats and provides little real protection for your business.
Free anti-virus software is better than nothing, but it usually lacks central management and reporting, so nobody notices when a machine stops updating. If you want a higher level of protection, invest in a business product that lets you see the status of every device. It isn’t free, but it provides good value for your company.
Choose Strong Passwords
Passwords are dangerous if they are easy to guess or include information that people could quickly find out about you. As such, no personal information should be used to create your passwords. Use a long random string of letters, numbers and symbols, ideally generated and stored by a password manager, and a different one for every account. Random passwords of sufficient length are practically impossible to guess, which keeps your sensitive data secure; a short random string is not.
The Latest Tech
Make sure you are investing in current technology and equipment. Current hardware and software receive security updates from their makers; devices and operating systems that are past end-of-support do not, so any vulnerability found in them stays open.
Be careful with cost-saving measures such as BYOD (bring your own device) initiatives as well. While they can cut costs, you can’t guarantee that employees’ own devices are as secure as they need to be unless you manage them. Investing in the technology yourself, so that you control its configuration and patching, is usually the better option.
We hope this helps you understand how to secure your business from a potential cybercrime.
How Compliant is your Small Business?
Operating a small business doesn’t mean you can be complacent about how you protect customer data and prevent the very real threat of credit card theft.
Hacking gangs are alive and well, hence the tightening of data protection rules in the western world, including the European Union’s GDPR.
So there are two major compliance areas to work on immediately if you haven’t already. Doing the basics to ensure your business complies with data protection laws, including the GDPR even if you’re not in Europe (it applies to anyone handling EU residents’ data), is a must, and here’s how you can get started.
Every website collecting email addresses or more needs to comply with the requirements for protecting customer data. There’s more that’s needed too; see Website policies further on in this article.
There is also a pressing concern for all businesses, eCommerce and particularly those in the retail sector, to commit to PCI compliance. You might be wondering what it is and whether your operation is too small to be bothered with it right now.
A really good explanation of what PCI DSS is, and why any business taking credit card payments needs to comply, can be found in this article on BusinessBlogs.
Smaller businesses can do a self-assessment. Before you sigh with relief, don’t get too comfortable: you’ll still need to know exactly how to complete a PCI self-assessment questionnaire (SAQ) and how to set things up so that when your business grows it has everything in place for external assessments.
PCI and Networks
The real difficulty lies in understanding how sensitive data moves across your network, which is a must for the assessment: PCI DSS scope covers every system that stores, processes or transmits cardholder data, plus anything connected to those systems. Wireless LANs and other connection points such as USB ports and Bluetooth can be penetrated, hence they need to be monitored and secured. This is where a PCI compliance specialist comes into their own, not only for your self-assessment but also when using external PCI auditors for your compliance.
Earlier on we mentioned protection of customer data and laws like GDPR.
Any business with a website that collects customer data cannot avoid the basic website features that provide transparency about how customer data is collected, used and shared: privacy and cookie policies.
This really is the norm now and it’s the entry level for all websites, so all website developers will implement it; it’s just the older sites and the do-it-yourself crowd who need to be aware of the requirements.
Website visitors expect to see the pop-up asking them to accept your website’s cookie policy, and they’ll take the necessary action. Without it, your business is not perceived as secure and visitors may take no further action, i.e. they’ll exit your site.
All websites should also be using HTTPS (TLS, formerly SSL) on every page, not just the checkout, and be mobile-ready, plus have the features in place to manage customer data collection and management for the protection of customer data.
Ignorance is not bliss, and it will hurt your business if your website is not on top of its compliance requirements. Get curious, find out what you need to know and when you need to take action to keep the hackers out and the visitors in.
Why Shopping Cart Abandonment?
Shopping cart abandonment is not decreasing. Buyers add items to their shopping cart but leave without completing the purchase. ‘Buyer’s remorse’ doesn’t quite describe it; the term needs reworking to explain why online shoppers abandon their carts.
Abandonment is an e-commerce term for a visitor leaving a page before completing the desired action, and the shopping cart is where it happens most. The reasons vary from site to site and are explained well in the infographic created by Fullestop, which we have added to this post.
E-commerce sites try to reduce their cart abandonment rate, but it’s a losing battle, with a high proportion of customers still slipping away. In fact, abandonment rates are rising: Business Insider reports that $4.6 trillion worth of merchandise was left in abandoned carts in 2016, up from $4.2 trillion in 2013.
Reasons behind Shopping Cart Abandonment
For the retail sector, these were the most commonly cited reasons for abandonment:
• 34% were ‘just looking’, i.e. not ready to buy.
• 23% had an issue with shipping.
• 18% wanted to compare prices.
• 15% decided to buy in-store.
• 6% abandoned because of a lack of payment options.
• 4% experienced a technical issue.
Various explanations have been offered for why buyers leave their baskets. Most of them mirror the real-world shopping process. The main reasons behind cart abandonment have been found to be:
Confusion and surprise costs: if it’s not clear how to make a purchase and you leave prospects to work it out alone, assuming “they’ll figure it out”, you’re in for a big disappointment. Likewise, if they are unexpectedly shown extra costs they didn’t anticipate, you have shown them the door yourself.
Security warnings and lack of trust: a warning about the website can easily turn into fear. The starting point for a business is website security and assuring customers that the site is safe, including the shopping cart and, when it comes to card data, what information is requested from purchasers.
Most online shoppers are wary of revealing their personal information, especially credit card details. Purchasers are already nervous, and they quickly become suspicious if an excessive amount of information is requested from them.