“When it comes to employees, your cyber security controls are only as good as your weakest link, with most breaches involving some kind of human error,” explains Telstra’s Cyber Security Product Executive Matthew O’Brien. Often, it’s an innocent slip by an individual – like opening a phishing link in an email or using an unsecured Wi-Fi network when working on the go – that can lead to a serious cyber threat.
Here, we look at how you can evaluate your cyber security risk profile, along with some real-life scenarios where staff (from owners and employees to contractors and suppliers) can erode your business’s cyber security.
Check your cyber security risk profile
Evaluating the gaps in your cyber security can help you make a plan to improve it. Start by breaking down the following things that could potentially compromise your business’s security:
- Who’s doing the work: humans who provide the first line of defence through their actions.
- How they’re working: tools and programs used to create, share and store information.
- Where they’re working: environments and networks where the work happens.
If you’re not sure how your business fares in these areas, try our free Cyber Security Quiz. You’ll receive a personalised report (as well as recommendations to help you strengthen your defences) and it’ll only take a few minutes.
Opening phishing links in emails
One of the most common types of online attacks on small businesses starts with a person clicking on a malicious email link. To help prevent this from happening, educate your team on what to look out for when it comes to phishing links, so they can steer clear of them and also let the business know that they received a potential threat.
Letting security software updates slip
It’s easy (and common) to keep hitting the “later” button when a new software update pops up. But it’s important to know that updates are released specifically to combat bugs and to maintain defences against online threats. Encourage your team to allow system updates to automatically install. Or consider making automatic updates part of your device policy for anyone in your business.
Using unsecured Wi-Fi networks
The free Wi-Fi at your local café or at the airport is not a secure connection. Hackers and cyber criminals can easily intercept data by tapping into these networks. You might think your business is too small to be a target, or that a criminal wouldn’t target you as an individual, but there are plenty of reports of these kinds of online crimes every day in Australia. One way to mitigate this risk is to secure your sensitive business information with a virtual private network (VPN).
Giving out information on the phone and social media
The way your team shares information can be compromised if they aren’t using secure sharing software. This is especially true if they are working remotely or on the go. Things like reading a credit card number aloud on the phone in a public area or sharing an employee’s details or passwords via private message on social media can pose risks. Hackers can use personal information your team have shared on their personal social media profiles in a number of ways, including posing as someone trustworthy in order to get them to give away information or click on a link. To help mitigate these dangers, implement policies and education on how your team can share information securely.
Use of employee-owned devices (including while working from home)
If your team are using their own devices for business activities without adequate cyber protection, it could leave your business exposed. With more devices in your business network, the urgency to keep up with your business protection increases. Securing personal devices in the age of remote work must extend from desktop to mobile and other connected devices to keep your business secure.
Not using multi-factor authentication
Multi-factor authentication is when a user is only granted access to an application or system after successfully presenting two or more pieces of evidence (like a phone number and a password) to authenticate their identity. Without it, passwords can be guessed by hackers and systems can be more easily accessed by criminals. Staff should be advised not to use the same passwords for work and personal use, and to change them at regular intervals. Consider getting multi-factor authentication software for your business, or speaking to an expert to help you set this up.
To stay vigilant, keep up to date with the latest tech news and government recommendations around cyber security. Create policies and implement processes that educate your employees on the relevant risks and instil habits that will mitigate cyber risks in the first place.