Cybercrime is at an all-time high. Hackers are setting their sights on small-to-medium businesses who are “low hanging fruit” ripe for attack. Don’t you wish you had a robot like in Lost in Space who would announce “Danger, Will Robinson, Danger!” whenever someone at work was about to open that phishing email, or click on that infected website or take some other unintentional but potentially dangerous action on their computer or your network? The #1 security threat to any business is…you!
Don’t be their next victim! Resolve to educate and train your team on IT security and raise their awareness of the dangers lurking on your network which, like Dr. Smith, can be on the inside. It’s critical that you educate all of your employees on how to spot an infected email or online scam. Cybercriminals are extremely clever and can dupe even sophisticated computer users. All it takes is one slip-up, so constantly reminding and educating your employees is critical.
Part of the awareness training is having an Acceptable Use Policy (AUP). An AUP outlines how users are permitted to use company-owned PCs, devices, software, Internet and email. For example, the policy should limit what employees can access with work devices and Internet service. Having this type of policy is particularly important if employees are using personal devices and computers to access company email and data. If an employee logs into critical company systems from an infected, unprotected or unmonitored device, that device can be a gateway for a hacker to enter your network.
If the data in your organization is highly sensitive, such as patient records, credit card information, financial information and the like, you may not be legally permitted to allow employees to access it on devices that are not secured. Sometimes the risk is a well-meaning employee innocently “taking work home” and exposing your company information via their own device.
It’s impossible to close off every exposure, so train your employees on your AUP and enforce it as much as possible through technology solutions. Your AUP should include policies requiring strong passwords and passcodes to lock mobile devices.
Your AUP should also document your access policy, specifically: which devices (company-owned vs. personal) and which people can and cannot access your company information. New vulnerabilities are frequently found in common software programs, such as Adobe products, Flash or QuickTime, making it critical that devices used to access company data are fully patched and up to date. At work, if you have a managed IT plan, this can all be automated so you don’t have to worry about missing an important update. It’s not so easy if you’re relying on your team to do the same at home on their personal devices.
As a result, we recommend you consider not allowing employees to access company data with personal devices that aren’t monitored and secured by your IT department. If you decide to allow non-company-owned equipment to access your systems, you need to ensure those devices and the networks they connect from are patched and up to date. Here’s the rub: most employees won’t want you monitoring and policing their personal devices, nor will they like that you’ll wipe their device of all files if it’s lost or stolen. But that’s exactly what you’ll need to do to protect your company. Our suggestion is that you only allow employees to access work-related files, cloud applications and email via company-owned and monitored devices, and never allow employees to access these items on personal devices or public Wi-Fi.
IT Radix wants to help raise security awareness in your organization. While we have always alerted our clients about high-priority threats as needed, we’ve added biweekly email security tech tips to share one simple concept and a quick tip to keep security on the forefront. If you are not currently receiving these email security tips but would like to, please email us at [email protected] to be added to the email series.
First published in our January 2016 IT Radix Resource newsletter