It’s no secret: your employees use their work computers to browse the internet on company time. However annoying that is to business owners, most look the other way. As you’ll read, that everyday habit can lead directly to a security breach, so it’s time to educate yourself and your team on the cold, hard facts.
Fact #1: Employees are the #1 cause of all company security breaches.
Your small business amasses a wealth of incredibly sensitive information about everyone who walks through your doors or hits your website. Having that valuable information put in jeopardy can turn into a long and costly process to fix, not to mention potentially embarrassing to you and the business.
We’ll explore the seemingly harmless part of your employees’ daily lives that could put your business and, more importantly, your customers’ information at risk of a breach. We’ll also provide tips to protect yourself so your business isn’t added to the ever-growing list of organizations that have had their security breached in 2017.
We’ve all heard the saying, “work smarter, not harder.”
Owning your own business is tough. Countless hours are spent on hundreds of different tasks across every part of the business. If data security isn’t near the top of your priority list, it should be, because the dangers are real and your employees’ mistakes can be very costly.
Fact #2: Identity theft and fraud attacks against small and mid-sized businesses skyrocketed from 18 percent in 2013 to 31 percent in 2015 and the numbers are on the rise.
Unfortunately, however much we invest in security tooling and a defense-in-depth strategy, the reality is that one wrong click from an employee innocently surfing the internet can hand your sensitive information straight to an identity thief. The small mistake of opening a seemingly harmless email attachment can install malware on your systems that goes unnoticed for weeks, if not months, causing irreparable damage.
Fact #3: Only 29 percent of companies with fewer than 10 employees are acting to protect against security risks.
Less than one third!
Are you part of that 71% that don’t?
There’s as much as $1 billion a year stolen from small and mid-sized businesses in North America and Europe and the numbers are only going to increase, says Mike Gross, global risk strategy director with 41st Parameter, a business fraud prevention firm owned by the credit reporting giant Experian.
Here are five must-take steps to make it tougher for offenders to steal your valuable information:
- Use an EIN: As a business owner you may operate as a sole proprietorship under your Social Security number, even if your business has employees. Just because you have the freedom to do so doesn’t mean you should. It’s generally safer for sole proprietors to use an EIN. Keeping your business and personal finances separate is a must for several reasons, including identity theft prevention.
- Protect sensitive files: From bank statements to tax returns, your business likely has paper and electronic files that hold sensitive information. Use a secure mailbox, shred documents you don’t need, and keep sensitive files in a locked area or other secure location to avoid theft.
- Be proactive: It’s crucial to password-protect sensitive documents and restrict employee access to them. Establish a clear protocol to follow in the event of a data breach, including assigning an employee to manage the breach and deciding in advance what actions need to be taken.
- Try to avoid the “bring your own laptop” trend: Countless companies now allow employees to use their personal computers, cell phones and other devices for work. This presents risks to a small business where, for example, an employee brings an already-compromised device into work, connects it to your network and opens sensitive files. Unfortunately, you’ve just allowed a trusted employee to unknowingly compromise your sensitive information.
- Check statements regularly: This is one of the best ways to halt fraud before it gets out of hand. Experian and other credit reporting agencies offer monitoring services that can help. It’s also a good idea to assess your banking agreements to determine whether your business accounts have protection against fraud. In addition, review your insurance policies to see what coverage you have in case of a data breach.
Despite the best efforts of many businesses, data security trends are headed in the wrong direction. We looked back at hundreds of events throughout 2016 into 2017 to identify the top causes, in hopes we can try to limit the numbers for 2018.
We pulled data from the IRS and found business identity theft cases through the summer of 2017 running at two and a half times the 2016 level. For example, the U.S. recorded 4,000 business identity theft cases in 2016, and through August 2017 it’s 10,000 cases and climbing. In dollar terms, business identity theft caused $15.3 billion in damage in 2016, up from $13 billion in 2015.
When we took a closer look at the underlying issues that allowed the identity theft incidents to occur, we found one common thread: Attackers are increasingly relying on phishing emails to sidestep IT security systems. It’s an inexpensive, but highly effective attack route to gain access to an otherwise well-secured network. Social media outlets, such as LinkedIn and Facebook, provide a treasure trove of information for attackers to identify and target employees with carefully crafted phishing emails.
Here’s another example: criminals constantly create fake social media profiles posing as someone in your industry. They send a connection request and look as reputable as anyone. Take a minute before you accept. Screen new contacts, because you can’t tell from the profile alone whether they’re a legitimate contact expanding their network or an attacker gathering information about your business and how to infiltrate it.
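To make the phishing indicators above concrete, here is an added example (not code from the original article or from SDD): a Python script that inspects an email’s headers for a display name that claims a known contact while the sender domain differs, a lookalike domain, a Reply-To that quietly points elsewhere, and urgency cues in the subject. The contact list, trusted domains and the two sample messages are constructed for illustration; a real mail gateway layers many more signals (SPF, DKIM and DMARC results, URL reputation) on top of heuristics like these.

```python
"""Header heuristics for spotting a crafted phishing email (added example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: display names of people this business deals with and the domain
# their mail should come from.
KNOWN_CONTACTS = {"jane doe": "acme-bank.com"}
TRUSTED_DOMAINS = {"acme-bank.com", "sddstl.com"}

# Common lookalike substitutions: digits for letters, and "rn" for "m".
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold lookalike tricks so 'acrne-bank.com' compares equal to 'acme-bank.com'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in the message headers (empty = none)."""
    msg = message_from_string(raw_message)
    found: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name impersonates a known contact, but the address domain differs.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and from_domain != expected:
        found.append(f"display name '{display_name}' but sender domain '{from_domain}' (expected {expected})")

    # 2. Sender domain is a lookalike of a trusted domain rather than the real thing.
    folded_trusted = {normalize_domain(d) for d in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and normalize_domain(from_domain) in folded_trusted:
        found.append(f"lookalike sender domain '{from_domain}'")

    # 3. Replies are silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        found.append(f"Reply-To domain '{_domain(reply_addr)}' differs from sender domain '{from_domain}'")

    # 4. Urgency language, the classic lever for getting a click before thinking.
    subject = msg.get("Subject", "")
    if re.search(r"\b(urgent|immediately|suspended|verify your account)\b", subject, re.I):
        found.append(f"urgency cue in subject: '{subject}'")

    return found


# Constructed sample messages (only the headers matter for these checks).
SAMPLE_PHISH = "\n".join([
    "From: Jane Doe <jane.doe@acrne-bank.com>",
    "Reply-To: billing@mailbox-relay.example",
    "Subject: URGENT: verify your account details",
    "",
    "Please open the attached statement immediately.",
])
SAMPLE_LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@acme-bank.com>",
    "Subject: Q3 statement",
    "",
    "Attached as usual.",
])

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run as a script it reports four indicators for the constructed phish and none for the legitimate message. The display-name check is the one most worth copying into a mail filter: it catches the “trusted contact, unfamiliar address” pattern that the social-media reconnaissance described above is designed to set up.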
So…What should all this mean to you? What should your business do?
Truth be told, there is no one-size-fits-all approach. How you address the human component of data protection requires execution of several technical, managerial, and procedural precautions, unique to your business. Below are some guidelines and tips to keep in mind:
- Data security awareness and training: Dispose of old devices, but wipe the data first. Train your employees and take part in programs with companies who handle sensitive information, like Secure Document Destruction of St. Louis. Your organization’s information security policies and procedures should be part of the onboarding process and included in periodic training. These programs should be continuously updated to address the constantly evolving threat as well as staffing changes that could impact data privacy and security. For more information on these topics, please visit the FCC website at https://www.fcc.gov/general/cybersecurity-small-business
- Simulate phishing tests: Send simulated phishing emails to your own employees and measure who clicks. You are a step ahead by training users on how to identify and avoid phishing messages, and the results help your organization measure how exposed your staff is and identify the people who need additional training. There are many resources available, such as NTP Security Enterprises, a premier St. Louis company that specializes in these types of programs. Visit them at http://ntpcybersecurity.com for more information.
- Fully encrypt your devices and storage: The number of stolen devices containing sensitive information will continue to rise as more users store sensitive data on their laptops, mobile devices, and portable storage devices. Always implement full-disk encryption on every device that holds sensitive data. Visit the link below for a list of 2016’s top encryption software for your business. https://www.pcmag.com/business/directory/encryption
- Use data loss prevention software: Your sensitive data can be breached by mistake or malicious intent. Data loss prevention software is intended to prevent users from sending sensitive data outside your network without authorization.
- Clearly define employee access rights and privileges: Employees should have access to only the data they need to do their job. If you must grant access to sensitive information beyond that, approve it only for the minimum time necessary and revoke it when that window ends, rather than relying on someone remembering to do so. Never forget to enforce strong standards for user identities and passwords.
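The access-rights guideline above, as an added example in Python (not code from the original article or from SDD): standing permissions come only from a user’s role, and any access beyond the role is a short, separately approved grant that expires on its own. The roles, resources, users and the four-hour cap are constructed for illustration.

```python
"""Time-bounded, least-privilege access grants (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role -> (resource, action) permissions. Roles carry only what the
# job needs; no standing role except accounting can read tax returns.
ROLE_PERMISSIONS = {
    "sales": {("crm", "read"), ("crm", "write")},
    "accounting": {("crm", "read"), ("bank-statements", "read"), ("tax-returns", "read")},
    "it": {("crm", "read")},
}


@dataclass
class TemporaryGrant:
    resource: str
    action: str
    expires_at: datetime
    approved_by: str


@dataclass
class User:
    name: str
    role: str
    grants: list[TemporaryGrant] = field(default_factory=list)


class AccessPolicy:
    """Standing access comes from the role; anything else is a short, approved grant."""

    def __init__(self, max_grant: timedelta = timedelta(hours=4)):
        self.max_grant = max_grant
        self.audit_log: list[str] = []

    def grant_temporary(self, user: User, resource: str, action: str,
                        approved_by: str, duration: timedelta, now: datetime) -> datetime:
        """Record an approved, time-limited grant and return its expiry."""
        if duration <= timedelta(0) or duration > self.max_grant:
            raise ValueError(f"grant duration must be within (0, {self.max_grant}]")
        if approved_by == user.name:
            raise ValueError("a user cannot approve their own access")
        expires_at = now + duration
        user.grants.append(TemporaryGrant(resource, action, expires_at, approved_by))
        self.audit_log.append(
            f"{now.isoformat()} GRANT {user.name} {action} {resource} "
            f"until {expires_at.isoformat()} approved by {approved_by}")
        return expires_at

    def is_allowed(self, user: User, resource: str, action: str, now: datetime) -> bool:
        """Role permissions first; otherwise an unexpired grant for exactly this resource/action."""
        if (resource, action) in ROLE_PERMISSIONS.get(user.role, set()):
            return True
        # Prune expired grants on every check so stale access never lingers.
        user.grants = [g for g in user.grants if g.expires_at > now]
        return any(g.resource == resource and g.action == action for g in user.grants)


if __name__ == "__main__":
    policy = AccessPolicy()
    alice = User("alice", "sales")
    t0 = datetime(2017, 9, 1, 9, 0, tzinfo=timezone.utc)
    print(policy.is_allowed(alice, "tax-returns", "read", t0))  # False: not in the sales role
    policy.grant_temporary(alice, "tax-returns", "read", "bob", timedelta(hours=2), t0)
    print(policy.is_allowed(alice, "tax-returns", "read", t0 + timedelta(hours=1)))  # True
    print(policy.is_allowed(alice, "tax-returns", "read", t0 + timedelta(hours=3)))  # False: expired
    print(*policy.audit_log, sep="\n")
```

Two design points carry over to any real system: the expiry is enforced at check time, so nobody has to remember to revoke, and every grant is written to an audit log with who approved it, which is exactly what you want in hand when a breach protocol kicks in.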
When security breaches make headlines, they are often about criminal groups abroad. These stories are exciting to read, but they mask the reality that most breaches are caused by an action or failure by someone inside the company.
To this point, when we’ve mentioned employee mistakes causing security issues, we’ve been referring to honest people making honest mistakes. There is another side: employees who want to damage you. It’s the threat you’d never expect. They normally fly below the radar of many detection technologies and can erase evidence of their activities to hamper any investigation.
It’s a perfect crime.
Fortunately, the rise of behavior-analytics tools, often marketed as artificial intelligence, makes spotting insider threats easier and less invasive. These tools build a picture of what normal activity looks like for each user and system, keep learning as the data your business takes in changes, and flag departures from that picture. However, even with advances in technology, you and your managers need to be aware of what to look for and how to focus security efforts to get the greatest returns on protection:
- We are creatures of habit: Your employees come to work at the same time and do familiar tasks. The same can be said for how they use and interact with technology. Baselining each employee’s normal behavior and flagging deviations from it makes it much easier to spot when an account or a system has been compromised.
- Security is constantly evolving. Educate yourself on your security risks, and screen at-risk employees.
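The “creatures of habit” point above, as an added example in Python (not code from the original article, and not the vendor tooling the text alludes to): a plain per-user baseline of working hours and daily download volume, learned from a few days of constructed file-server logs and then applied to a later day. It flags an account with no history, activity outside the user’s usual hours, and a download count far above the user’s norm. The log format and every entry are constructed for illustration.

```python
"""Per-user behavior baseline over constructed access logs (added example)."""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <user> <action> <object>".
# Five ordinary workdays: alice pulls three CRM exports a day between 9 and 15h,
# bob pulls two finance reports a day at 8 and 16h.
BASELINE_LOG: list[str] = []
for _day in range(4, 9):
    for _hour in (9, 11, 15):
        BASELINE_LOG.append(f"2017-09-{_day:02d}T{_hour:02d}:10:00 alice download crm/export-{_day}-{_hour}.csv")
    for _hour in (8, 16):
        BASELINE_LOG.append(f"2017-09-{_day:02d}T{_hour:02d}:30:00 bob download finance/report-{_day}-{_hour}.pdf")

# A later day with three things worth a look: an account nobody has seen before,
# alice pulling ten exports in ten minutes, and alice active near midnight.
NEW_LOG: list[str] = (
    ["2017-09-11T03:00:00 mallory download finance/report-all.zip"]
    + [f"2017-09-11T10:{m:02d}:00 alice download crm/export-bulk-{m}.csv" for m in range(10)]
    + ["2017-09-11T08:30:00 bob download finance/report-11-8.pdf",
       "2017-09-11T16:30:00 bob download finance/report-11-16.pdf",
       "2017-09-11T23:15:00 alice download crm/export-late.csv"]
)


def parse(line: str) -> tuple[datetime, str, str, str]:
    ts, user, action, obj = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, obj


def build_baseline(lines: list[str]) -> dict[str, dict]:
    """Learn each user's usual working hours and daily download volume."""
    hours: dict[str, set[int]] = defaultdict(set)
    per_day: dict[str, dict] = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _ in map(parse, lines):
        hours[user].add(ts.hour)
        if action == "download":
            per_day[user][ts.date()] += 1
    baseline = {}
    for user, seen in hours.items():
        counts = list(per_day[user].values()) or [0]
        baseline[user] = {
            "hours": (min(seen), max(seen)),
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
        }
    return baseline


def detect_anomalies(lines: list[str], baseline: dict[str, dict], sigma: float = 3.0) -> list[str]:
    """Flag unknown users, off-hours activity, and download volume well above the user's norm."""
    alerts: list[str] = []
    per_day: dict[str, dict] = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _ in map(parse, lines):
        profile = baseline.get(user)
        if profile is None:
            alerts.append(f"{ts.isoformat()} {user}: no baseline for this user")
            continue
        lo, hi = profile["hours"]
        if not lo - 1 <= ts.hour <= hi + 1:  # one hour of slack either side of the usual window
            alerts.append(f"{ts.isoformat()} {user}: activity at {ts.hour:02d}h, outside usual {lo:02d}-{hi:02d}h")
        if action == "download":
            per_day[user][ts.date()] += 1
            # Floor the spread at 1 so a perfectly regular user still gets a sane threshold.
            threshold = profile["mean"] + sigma * max(profile["stdev"], 1.0)
            count = per_day[user][ts.date()]
            if count == int(threshold) + 1:  # fire once, when the threshold is first crossed
                alerts.append(f"{ts.isoformat()} {user}: {count} downloads today, "
                              f"baseline mean {profile['mean']:.1f}, sd {profile['stdev']:.1f}")
    return alerts


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_LOG)
    for alert in detect_anomalies(NEW_LOG, profiles):
        print(alert)
```

Against the constructed day it raises exactly three alerts: the unknown “mallory” account, alice’s seventh export in ten minutes, and alice’s 23:15 download. The same three-part structure (who, when, how much) is what the commercial tools do at larger scale; starting with a baseline like this on your own logs tells you which of those signals actually fire in your environment before you pay for anything.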
By covering the basics, you can and will make the biggest impact on theft. Every extra precaution you take makes you that much less susceptible to a person or an organization stealing your precious information.
Don’t forget the fundamentals:
- Use an EIN
- Protect your sensitive files
- Be proactive
- Always make sure you’re the first to know.
- Try to avoid the “bring your own laptop” trend
- Check your statements regularly
These basic guidelines can have a significant impact on reducing your vulnerability to a data breach.
So, after reading this, we at Secure Document Destruction of St. Louis (SDDSTL.com) hope when you see the next scandalous headline about some Equifax’ian breach by an external hacker that you remember that these major attacks account for less than half of the breaches out there. As you now know, the thief probably used the identity of an unsuspecting employee to pull it off.
Act now to make sure your organization isn’t the next one in the headlines.
If you have any questions, concerns, or tips, we’d love to hear from you.
And, stay safe out there!
John Steinhauser, co-owner, Secure Document Destruction of St. Louis (SDD).
John has lived and breathed the document security industry for the last decade. John prides himself on SDD’s ability to innovate and consistently stay ahead of the curve. However, his approach toward the business has stayed consistent, delivering incredible customer service and complete document destruction for the St. Louis area.