How to Train Employees to Keep Data Safe
If you think your company is too small to become a target of cyber attackers, consider this. Large-scale cyber attacks skyrocketed this year, with documented hacks up 273% according to CNBC. And 28% of attacks involved small businesses.
Your staff members are your first line of defense. If you don’t instruct them on how to keep your data safe, then your company could very well be exposed to serious financial and reputational risks.
You hold more data than you realize
Here are some high-value pieces of information that may live on your servers and devices:
- Company financial records
- Proprietary data
- Personally identifiable information (PII) about employees, such as Social Security Numbers, addresses, full names, birthdates
- Customer or client information, including credit card or other payment information and PII
- Healthcare records
- Insurance account numbers and claims
Any one of these data types is attractive to hackers. They can use PII and credit card information to make fraudulent charges and open new accounts in customers’ and employees’ names. They can also sell that information online to the highest bidder for thousands of dollars, all of which can be very expensive for you.
Even getting hold of company files or proprietary software can be a goldmine. When hackers took over one Kentucky small business’s systems, the company paid them $150,000 in bitcoin to regain control.
Some common security mistakes employees make
Easy-to-hack passwords. Passwords for both work accounts and computer logins should follow the National Institute of Standards and Technology and FBI guidelines for complexity. Employees who leave their computers unlocked when they go down the hall to meet with colleagues or step out for lunch leave their workspaces vulnerable to malicious actors.
Quickly replying to all emails. Email phishing schemes pose a significant threat if employees are not trained to look for suspicious cues. A hacker might send an email to a well-meaning employee using a spoofed email address, meaning that it looks like it’s from a legitimate sender. The employee then responds to the message with account information or other details that the hacker can use to access the organization’s data. Hackers can also include deceptive links or downloads that actually contain malware that can be used to attack the company.
Leaving a paper trail. There are analog ways of exposing the company to risk, too. If any of your team members prefer to jot down notes by hand or keep their passwords and account information written down at their workstation, someone passing by can easily steal that information.
Working from home without security. When employees are in the office and working on the company’s Wi-Fi, you know they’re working on a secure connection (if you’ve put the proper safety protocols in place). When people are working on home connections, however, chances are their routers are not secured at the enterprise level.
Employee training + your security software = protection
Don’t assume your employees innately know the safety rules. Cybersecurity training is a must for all employees, not just those who work directly with customer data or payment systems. Together with your security software, good training goes a long way toward keeping your company’s, and your customers’, information safe from hackers.
Implement these and other critical guidelines that you may determine in consultation with your advisors, including your legal counsel:
- Never send payment details or account information through email or text message
- Never download suspicious-looking files or packages from unknown senders
- Verify that links are secure and associated with a legitimate site before clicking or forwarding them
- Use complex, difficult-to-guess passwords, and store them in a digital password manager rather than keeping them on paper or in an app on smartphones
- Don’t give out account information or account access over the phone without requiring callers to provide verification details
- Store hard copies of company documents inside desks, preferably in locked drawers, so they are not easily stolen
Make these best practices part of your onboarding training for new hires. Refresh your team on these expectations periodically, especially when staff are working remotely.
Hold training sessions on how to maintain safe connections while people are working from home. On company teleconferences, give employees guidance on setting up a firewall on their home internet connections. Some companies provide secure laptops and work devices to maintain security even in the work-at-home environment. But if you can’t do that, make sure you’re communicating with your team about what company security standards should be.
Beyond these basics, keep aware of the latest security threats, and let your employees know about them. Schedule regular briefings to inform employees about the latest types of cyber scams and attacks. Hackers evolve their tactics, and you need to let your staff know what to look out for and what they’re up against.
Set up proactive security protocols
Employee training is one part of a broader cyber defense strategy. You also need to implement operating system and software security patches as they become available, in addition to setting up a firewall to protect your private network, according to the Federal Communications Commission (FCC).
The FCC also advises having a mobile device plan, including requiring employees to password-protect their smartphones if they use them for work, in addition to installing security apps and encrypting their devices.
Whether you have 200 employees or 20 or 2, you need to make your employees smart about data security. Don’t let a data breach possibly bankrupt you and/or destroy your reputation and customer trust. Training your employees and setting up and maintaining secure systems goes a long way toward avoiding a potentially dire outcome.