When identity thieves trick employees, businesses pay a steep price. Consider the case of the Oregon Department of Human Resources. In January 2019, the personal information of over 645,000 applicants was exposed to hackers. Why? Nine employees were conned into clicking on phishing emails.
The results can be catastrophic. Workers spend months cleaning up the mess. Companies can face penalties, fines, and lawsuits. Customers and business partners lose confidence in your company’s ability to manage data. A company’s brand and reputation take a hit, creating a perfect storm for competitors to take full advantage of your problem.
Don’t become a statistic. Train your employees to be vigilant about the following identity theft schemes.
- Phishing emails. Consider this example: An employee receives an email or text message purporting to come from company management or a trusted vendor. He or she is duped into opening the message and clicking on a malicious link. When the victim lands on a bogus page requesting both new and existing passwords, the attacker hijacks the original password to gain access to the network.
Action items. Beat this problem by training employees to recognize phishing schemes. Look for subtle mistakes such as spelling errors or domain name anomalies. Teach employees to hover their mouse over links to ensure they are legitimate. Above all, staff should routinely ask, “Why am I receiving this email?” A simple verification may be all that’s needed to stop a phishing attempt.
- Ransomware. Ransomware is malicious software that infects a computer, locks it and then demands a ransom. In effect, the system’s critical data is held hostage until fees are paid. Like phishing, ransomware relies on victims to download pernicious software.
Action items. Train employees to confirm that senders are, in fact, trusted contacts. Teach them to avoid clicking on links from questionable sources. They should be particularly skeptical if an attachment asks them to enable macros, which is a common way ransomware is spread. Your best defense against ransomware is active, secure backups of all systems.
- Social media postings. Cyber-crooks use social media to gather enough information to appear legitimate to company employees. After all, if a worker receives an email from a well-known vendor who asks about his recent trip to Florida, the message must be legitimate. Right? Not necessarily.
Action items. Train employees to protect both themselves and your business when connecting or sharing on social media. Create a policy that limits social media use during the workday and prohibits access to personal accounts using company computers or networks.
- Internet access. With the increase of telecommuting, data security risks continue to grow. Workers who access company networks from coffee shops, airports, or other unsecured access points may allow identity thieves to exploit vulnerabilities. In addition, with the expense of cellphone data, employees will be tempted to use your company wi-fi for personal use.
Action items. Limit personal access to your company wi-fi. Explore creating separate access for employee use during the day. Develop VPN protocols for remote workers, as this limits access to your network. Require strong passwords, encryption, time-out locking and theft protocols within written policies. Prohibit access to your network using public wi-fi. Hire or designate an accountable person to constantly monitor company security.
Company security is now a complex but critical success factor for all small businesses. Take it seriously by hiring experts and constantly training your employees to be vigilant.