At its core, cybersecurity is a people issue. Viruses don’t magically appear in your company’s system. They get there because of things employees do (or don’t do), frequently without realizing it.
Most people know the basic rules of cybersecurity: don’t open suspicious attachments, don’t click on suspicious links, don’t give your bank account to anyone claiming to be a Nigerian prince, etc. But there are other ways people expose their businesses to risk, many of which are routine, seemingly harmless actions.
Risk 1: Traveling Devices
Computer viruses spread kind of like human viruses. A cold virus spreads when a sick person comes into contact with a healthy person. When a computer virus gets into a network, it spreads into devices that connect to that network. If an infected device connects to other networks, the virus spreads again. This is why traveling devices such as laptops and USB thumb drives can be security risks.
Laptops and thumb drives are routinely used outside your company’s secure network. Sales reps take their laptops on sales trips and customer visits. Managers save files on thumb drives, so they can continue working at home. And while most businesses have decent firewalls, the average home network has expired anti-virus software, weak passwords, and kids who download things they shouldn’t. In short, home networks are pretty vulnerable to malware. If a laptop or thumb drive picks up a virus and then goes back to the office, that virus can spread into the company network.
Risk 2: Mobile Apps
Mobile apps can legitimately improve productivity at work. With so many free options to choose from, people are building personal libraries of apps to track expenses, streamline their inboxes, and manage their passwords – all from their phones. While these apps are highly convenient, they can also make company information more vulnerable.
Using outside apps for company business is like handing your wallet to a stranger. You have no control over how your information is used, stored, or protected. If anything happens to the app’s publisher, your information is up for grabs. For example, in June 2017, the password management app OneLogin was hacked, giving the criminals access to thousands of people’s user IDs and logins. When employees give third parties access to their company email, financial data, and passwords, that information is less secure.
Risk 3: Outdated Software
New software isn’t always a huge priority for businesses. “I know the program is 10 years old,” the thinking goes, “but it still works. Why should we pay for something new?” The current generation of software programs isn’t just faster and better; it’s also more secure. Older software is often full of well-known security holes, which makes businesses running these programs attractive targets for hackers. For example, the WannaCry virus exploited a weakness in Microsoft Windows 7, an old operating system from 2009. Computers with the most current version of Windows were not vulnerable to the virus.
To be fair, newer software also has security flaws. New products, however, are routinely updated with security patches to repair the holes. Here’s the catch: in order for the security patches to work, end users have to install them. And end users, it turns out, aren’t great about installing updates. The Equifax hack was traced to a known security flaw in a common web program. Even though Equifax was alerted to the issue, they waited months before taking action, giving hackers plenty of time to work. Had the company been more proactive, they might have been able to prevent the entire fiasco.
TWO WAYS TO IMPROVE SECURITY
Viruses, hackers, and software patches are all technology issues. But taking a laptop home, using outside apps, and ignoring security updates are all people issues. If you really want to improve cybersecurity, you need to address human behavior. (And, because humans aren’t perfect, you need a contingency plan.)
Create a Cybersecurity Policy
A cybersecurity policy is more than telling employees they can’t look at Facebook. It’s a proactive plan for how the business will protect its network and respond to security breaches. Some things the policy might include are:
- security programs the business will use
- processes for updating and maintaining those programs
- roles and ownership of these processes
- policies regarding user access and permissions
- policies for sharing information with third parties (e.g. payment processors)
- employee training programs
- communication plans for security issues
The policy should also include an employee-specific section that explains how the policy affects them. This might include rules regarding the following:
- use of outside devices and web apps
- managing and updating passwords
- handling sensitive information (e.g. customer credit cards)
- appropriate internet usage
- reporting security incidents
- consequences for violating the policies
While documenting your policy is important, documentation alone won’t lead to change. You need to actively engage with employees around this subject. Have educational sessions about cybersecurity. Explain the different ways hackers may attempt to attack your business, and teach employees to identify suspicious messages. (This is useful knowledge for their personal lives as well!) Describe the changes the company is making to improve security and their role in these changes.
Change Your Infrastructure
Changing employee behavior is important, but there’s no way to make any system 100% human-proof. People will make mistakes. This is why the second course of action is changing your infrastructure. More specifically, stop using an in-house server and move your data to the cloud. Using the cloud won’t stop employees from opening a corrupt file, but it does protect your data in the event a breach happens.
A lot of businesses don’t trust the cloud. They want to have physical control over their technology because it feels safer. But private servers are actually the riskier option (unless you also have a full-time cybersecurity team). Keeping your data on a private server is like keeping your money in a shoebox. It’s physically in your possession, but if a criminal breaks into your home, the shoebox is easy to steal. Using the cloud, on the other hand, is like keeping your money in a bank. You still have access to the money, but if a thief breaks into your home, there’s nothing for him to steal.
So, what’s to keep viruses from getting into the “bank”? In a word, resources. Cybersecurity is expensive, which is why most businesses only have the basics. Data centers, however, invest heavily in sophisticated security tools and anti-virus software. They also provide 24-7 monitoring by cybersecurity experts who constantly walk the (virtual) perimeter, checking for weaknesses and suspicious activity. Let’s go back to the shoebox vs. bank analogy. Your only way of protecting that shoebox is to lock your front door. The bank, on the other hand, has locks on the door, cameras in the ceiling, and German Shepherds patrolling the lobby.
Cybersecurity can seem overwhelming, especially if you don’t have a technology background. But when you approach it as a people issue, it’s a feasible project for any business to tackle.
This article originally appeared in Building Products Digest.