For mid-market businesses, the risk that proprietary information could slip into the wrong hands is greater than ever. Between malicious code and increasingly sophisticated hackers, we’ve reported that mid-market companies are encouraging more staff than ever to bring their own devices (BYOD) to work. Gartner anticipates that by 2018, half of employers will require staff to supply their own smartphone or tablet on the job.
According to cyber-security expert Kevin Beaver of Preparis, a business continuity solution provider, even a moment of forgetfulness such as leaving a USB drive behind after a client meeting, could result in a major security breach that could cost a company thousands of dollars, not to mention a blow to its reputation.
Trust No One, Not Even a Colleague
Beaver, the author of Hacking for Dummies, spoke to Mid-MarketPulse about best practices to protect against potential threats. His initial advice is simple: employees should trust their instincts –that starts with any dealings with a company IT person.
“Employees shouldn’t give IT staff any personal information,” states Beaver, including any passwords, Social Security numbers, and credit card information. “There’s no reason for IT staff to know or have access to that information without a specific business need – and there’s hardly ever a specific business need,” he says.
Simple, Strategic Security
Beaver says that in addition to identity theft and fraud on a personal level, common workstation mistakes can threaten the entire company.
- Using weak passwords
- Leaving unencrypted laptops in vulnerable places
- Not applying software updates
- Not backing up data
“Every single one of these issues can be traced back to the lack of proper security technologies and/or policy enforcement on the part of IT and management,” says Beaver.
Beaver believes that to ensure staff are making good decisions, companies need to set up the proper security controls that run automatically without employees or management having to get involved. But first, the entire staff needs to be educated.
“The majority of organizations I see have security policies and many of them require their employees to sign off on them,” Beaver explains, “However, the answer is not more of the same old training. Companies need to take a unique approach to make security more appealing to users.”
Security training is right next to safety training in staff minds, necessary but not terribly exciting. Beaver suggests HR and IT staff spruce it up by putting security policies in terms employees can understand, getting employees more involved in the process, and teaching them how to be more aware of their surroundings. “I believe knowledge and experience in the area of ‘situational awareness’ is much more valuable than any knowledge gained by reading boring old IT security policies,” Beaver points out.
Unfortunately, Beaver notes that one of the biggest challenges to security is “bystander apathy.” That happens when people are afraid to make decisions for themselves because they assume that someone else is already assigned to take care of it. “Information security is not IT’s responsibility,” he contends, “it’s everyone’s responsibility, including management who often prefer to not get engaged.”
“If employees don’t understand what’s expected of them, they need to ask,” he underscores. “If they are unsure of whether or not they should do something or report something suspicious, they need to ask.”