No matter what kind of business you run and how transparent it is, there’s some data you don’t want anyone else to have access to, such as customers’ credit card numbers, business bank account numbers, passwords and employee Social Security numbers. That type of information deserves a high level of protection, and many small-business owners turn to methods such as IT support, encryption and employee cybersecurity training to reduce the risk of bad actors getting their hands on sensitive data. Here’s a look at a few key things your employees should be aware of when it comes to cybersecurity training.
Passwords are required for practically everything, and that, paradoxically, can make things less safe. That’s because many people duplicate their passwords across both personal and business accounts. Someone who gains access to your employee’s personal email password might be able to get into all of that employee’s business accounts.
Employee cybersecurity guidelines on passwords should include the following:
- A unique password for every account, never reused between personal and business accounts
- A minimum length of eight characters
- A mix of symbols, uppercase letters, lowercase letters and numbers
- No business name and no business/employee data, such as a partial telephone number or a co-worker’s name
- Tricks for remembering even the most complicated-looking passwords
In addition, many companies require that their employees change their passwords every 90 days or at some other set interval.
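The guideline list above maps directly onto a policy check that a password-change form or an onboarding script can run. The following Python is an added example written for this article, not code from the original page or from any product it mentions; the business name "Acme Corp", the blocked fragments and the sample passwords are constructed values. Reuse is detected by comparing a SHA-256 digest against digests of the employee's other passwords, so the check never has to store the passwords themselves; the 90-day rotation interval from the text is checked separately.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed sample data for a hypothetical business "Acme Corp":
# the business name and fragments of business/employee data that must not appear.
BUSINESS_TERMS = ("acme", "acmecorp")
BLOCKED_FRAGMENTS = ("5551234", "jones")   # e.g. partial telephone number, co-worker surname
MIN_LENGTH = 8
MAX_AGE_DAYS = 90


def password_hash(password):
    """SHA-256 digest used to record which passwords an employee already uses elsewhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password, previous_hashes=frozenset()):
    """Return the list of guideline violations for `password` ([] means it passes).

    `previous_hashes` holds digests (see password_hash) of passwords the employee
    already uses on other accounts, so reuse is caught without storing plaintext.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Business name and business/employee data: compare case-insensitively, ignoring spaces.
    lowered = password.lower().replace(" ", "")
    for term in BUSINESS_TERMS + BLOCKED_FRAGMENTS:
        if term in lowered:
            problems.append(f"contains blocked term {term!r}")
    if password_hash(password) in previous_hashes:
        problems.append("reused from another account")
    return problems


def rotation_due(last_changed_iso, today_iso):
    """True when the password is older than MAX_AGE_DAYS (the 90-day interval above)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample passwords for a quick demonstration.
    for candidate in ("Acme2024!", "Tr0ub4dor&3", "Ab1!"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("rotation due:", rotation_due("2024-01-01", "2024-04-01"))
```

The blocked-term list is the part most worth maintaining: add the company's phone prefixes, product names and common employee surnames, and keep the comparison case-insensitive so that "AcmeCorp" and "acme corp" are treated the same.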
How to spot a phishing email
Phishers could be targeting everyone in your business, including corporate management (when C-level leadership is targeted, it’s also called “whaling”). Critical things to cover in phishing and whaling training include looking for logos and text that seem slightly off, approaching requests for money, passwords and data with suspicion, and checking that email addresses are an exact match. For instance, an email that ends in “.co” when it should be “.com” could be a scam. In addition, employees should hover over links in an email to see where the link really goes rather than clicking blindly on it.
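The three checks above (exact sender domain, where a link really points, and requests for money, passwords or data) can be automated as a first pass over incoming mail before a person looks at it. The Python below is an added example written for this article, not code from the original page; the trusted domain "acmecorp.com", the request phrases and both sample messages are constructed for the demonstration. Near-match domains such as ".co" for ".com" are caught with an edit-distance comparison, and the "hover over the link" advice becomes a comparison of a link's visible text with its actual href.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "acmecorp.com"   # assumption: the business's real mail domain
REQUEST_PHRASES = ("wire transfer", "gift card", "password", "verify your account")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(text):
    """Lower-case host part of a URL or bare domain ('' if none)."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as .co vs .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _message_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8",
                                                     errors="replace") for p in parts)


def phishing_indicators(raw_message):
    """Return human-readable warning flags for a raw RFC 822 message ([] = nothing found)."""
    msg = email.message_from_string(raw_message)
    flags = []

    # 1. Is the sender's domain an exact match for the expected one?
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain != TRUSTED_DOMAIN:
        if 0 < _edit_distance(sender_domain, TRUSTED_DOMAIN) <= 2:
            flags.append(f"sender domain {sender_domain!r} is a near-match for {TRUSTED_DOMAIN!r}")
        else:
            flags.append(f"sender domain {sender_domain!r} is not {TRUSTED_DOMAIN!r}")

    # 2. Where do the links really go? (the programmatic form of hovering over a link)
    text = _message_text(msg)
    collector = _LinkCollector()
    collector.feed(text)
    for visible, href in collector.links:
        target = _domain(href)
        if not target:
            continue
        if URL_LIKE.match(visible) and _domain(visible) != target:
            flags.append(f"link text shows {_domain(visible)!r} but points to {target!r}")
        elif target != TRUSTED_DOMAIN and 0 < _edit_distance(target, TRUSTED_DOMAIN) <= 2:
            flags.append(f"link target {target!r} is a near-match for {TRUSTED_DOMAIN!r}")

    # 3. Does the message ask for money, passwords or data?
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    flags.extend(f"asks about {p!r}" for p in REQUEST_PHRASES if p in haystack)
    return flags


# Constructed sample messages (not real mail): one suspicious, one benign.
SAMPLE_MESSAGE = """\
From: "Acme Corp Finance" <finance@acmecorp.co>
To: staff@acmecorp.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your account before 5pm today or your password will expire.</p>
<p><a href="http://acmecorp-login.example.net/verify">https://acmecorp.com/verify</a></p>
</body></html>
"""

LEGIT_MESSAGE = """\
From: "Acme HR" <hr@acmecorp.com>
To: staff@acmecorp.com
Subject: Kitchen cleaning on Friday
Content-Type: text/plain; charset=utf-8

The kitchen will be closed for cleaning on Friday afternoon.
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_MESSAGE):
        print("WARNING:", flag)
```

Run against the suspicious sample it reports the ".co" sender, the link whose text says acmecorp.com but whose target is elsewhere, and the requests about a password and account verification; the benign HR notice produces no flags. A real deployment would add the "logos and text that seem slightly off" check as a human step, since that is the one a script cannot do reliably.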
Physical security of BYOD
About 85 percent of businesses let employees use their own devices for work. When training employees on your BYOD policy, remember to emphasize the physical security of these devices. Even one lost, mislaid or stolen phone, tablet or computer could wreak havoc.
To combat these issues, set up apps so that most, if not all, information is stored on your company’s servers and not on the devices themselves. You can also use device management programs to track, lock and wipe devices. If you do, be completely transparent with employees about it because their personal data on their device could be erased as well.
Public Wi-Fi risks
Another BYOD risk comes into play with public Wi-Fi. These networks are convenient and free but can be extremely dangerous. If employees connect to a public Wi-Fi network, even on their own time, everything on the device becomes vulnerable.
In your cybersecurity training, emphasize that employees should avoid using public Wi-Fi whenever possible, and show them how to protect information if they do. For example, they should use VPNs or enable the “Always use HTTPS” option. To avoid connecting to a Wi-Fi network accidentally, they should set up their devices to prompt them before joining an unknown Wi-Fi network.
In addition, be sure to stress the importance of updating frequently. For example, employees should run manual app or computer updates at least once a week and have their devices set to perform automatic updates. Installing updates in time could be the difference between your business being the victim of an attack and preventing the issue altogether. Of course, not every update works out well, but problem updates are the exception, not the rule.
Employee cybersecurity training is a must, as is a company culture that values security. Technology and the approaches of hackers change all the time, so make sure you keep scheduling regular, ongoing training for all your employees.