One of the major fears of any IT department is losing control – of projects, of users, of applications. Yet, even with the best technology solutions, there is no way for IT to have complete control over what is arguably the most important thing: security.
There are simply too many threats coming from too many places and in too many forms for IT to protect fully against every single one. IT needs help. To maximize your company’s security, every employee needs to be aware of their role in the fight against cyber threats.
Below are three of the most common security threats that can bypass traditional IT and security solutions, and three ways your company can help regain control.
Social hacking
Social hacking is perhaps the most personal cyber attack. Put simply, it is when a hacker gains access to your systems and data by manipulating an employee in a personal way. There are a few popular examples. In the first, a hacker sends an email that appears to come from a high-ranking client employee – think C-level – asking for sensitive data about their account or your company. Because the request comes from a familiar, important person, the employee hands over the information, never noticing that the sender's email address was one letter off from the real one.
Another, more insidious version of this attack involves hackers inserting themselves into an employee's social network connections. They then gather personal information about the person and use it to get close to them. Once the hacker has the employee's trust, they request – and often receive – information that can compromise your company's security, all without the employee thinking twice about it.
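The "one letter off" sender address above is something a mail gateway or help desk script can check for mechanically. The following is an added example, not code from the article or from the author's company; the trusted-domain allowlist and the sample senders are constructed placeholders, and the character folding table is a deliberately short illustration rather than a complete homoglyph list.

```python
# Flag sender domains that are exact, a near miss ("one letter off"), or
# a trusted domain buried inside a longer attacker-controlled domain.

# Assumed allowlist: domains this company actually corresponds with.
TRUSTED_DOMAINS = {"keyinfo.example", "bigclient.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insert/delete/substitute steps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold a few character pairs that look alike in common fonts (illustrative list)."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(src, dst)
    return domain


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one From: address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    # e.g. bigclient.example.attacker.example: the real name is only a prefix
    if any(t in domain for t in trusted):
        return "lookalike"
    norm = normalize(domain)
    for t in trusted:
        if edit_distance(norm, normalize(t)) <= max_distance:
            return "lookalike"
    return "external"


def triage(senders) -> dict:
    """Map each address to its classification so near misses can be reviewed."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three forged, one unrelated.
    sample = ["ceo@bigclient.example", "ceo@bigcleint.example",
              "ceo@bigc1ient.example", "cfo@bigclient.example.attacker.example",
              "alice@mail.example"]
    for addr, verdict in triage(sample).items():
        print(f"{verdict:9} {addr}")
```

Anything tagged "lookalike" deserves a second look before the request in the message is acted on; the distance threshold is a tuning knob and should be kept small to avoid flagging ordinary external mail.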
Ransomware
Ransomware is just what it sounds like: your company gets held for ransom by hackers. The idea is that hackers gain access to your data and lock you out, then demand payment to return control to you. Ransomware attackers often get this access through email attachments or Internet downloads that look like legitimate files.
However they gain access, the result is the same: your data is held hostage. The costs of these attacks don't end with the ransom, either. When you consider downtime, the employee time needed to get files restored, and even legal fees and compliance fines, the true cost of a ransomware attack is often many times the ransom amount.
Simple human error
Human error is perhaps the most unnerving threat for IT departments. The problem is so big, and the situations so varied, that it's hard to know where to start. An employee may leave a laptop unguarded at a coffee shop, forget their cell phone on the seat of a train, or simply drop a USB drive out of their pocket. The list goes on, but you get the point. If these seemingly innocuous actions lead to the devices ending up in the wrong hands, your network and data can easily be compromised.
Now that we’ve seen some of the attacks that keep your IT department up at night, it’s only fair that we look at some ways to mitigate them.
Back up your data
Backing up critical data is something we all mean to do, but probably do a lot less frequently than we should. Yet if you are attacked, a recent system backup is one of the most important things you can have to get back up and running quickly. If you suffer a ransomware attack, you're much more likely to have to pay up if your last backup is a month old than if you religiously back up on a regular schedule.
It's not enough just to back up, of course. You also have to test your backups to make sure they will actually restore in an emergency. There are managed backup and recovery solutions that can automate this process so it happens in the background, without consuming valuable IT resources.
Dispose of your data
In addition to backing up your data, it's important to dispose of it when it is no longer needed. Old data is a real security threat: it is often stored in insecure ways, or forgotten entirely.
Your company should have a consistent, documented protocol for the disposal process. If your whole team follows the same procedure for what data to dispose of, when, and how, that data becomes much less likely to be compromised. This step is so critical that many companies not only train employees on the process, but also have them sign a document confirming that they understand the protocols completely and will follow them. That isn't a bad idea when you consider the risk old data can pose.
Train your employees
We'll end with, bar none, the most important non-technical thing you can do to avoid cyber attacks: employee training. Training on data disposal is critical, but that's just the tip of the iceberg. The more your employees know about the attacks they could face, how to recognize them, and what to do if they think they've been compromised, the better off you are.
This training can't just be given when employees come on board. It has to be consistent, and it has to evolve as threats do, which means more frequent, shorter updates. Just running training sessions isn't enough, of course. Many companies run unannounced tests to see how employees do, a practice I wholeheartedly recommend. For example, one company sent an email saying the employee had received a raise – all they had to do was go to a site and enter some personal information. Two-thirds of the employees entered their information and failed the test. Offering a fake raise is perhaps not the most employee-friendly way to test, but there are any number of scenarios you can use to check your employees' knowledge.
The cybersecurity landscape is getting more complex every day. IT does everything it can, but it needs the help of the entire organization to keep you as safe as possible. Recognizing these potential attacks and enacting these three simple strategies can ease IT’s burden, and ultimately keep your company safer.
About the Author
Scott Youngs is the chief information officer of Key Information Systems, a leading regional systems integrator with world-class compute, storage and networking solutions and professional services for the most advanced software-defined data centers. These competencies are tightly complemented by a full suite of data center capabilities, including private and hybrid cloud offerings, connectivity services, colocation facilities and managed services.