Small Business’s Greatest Cybersecurity Threat is its Employees

A business doesn’t need to be sitting on information with world-altering implications, like nuclear launch codes or an unreleased episode of Game of Thrones, to draw the attention of hackers and hostile bots.

Not long ago, we worked with a local auto body shop here in New Jersey that went the wrong kind of viral online. With a single inattentive click of his mouse, an employee accidentally downloaded a piece of malicious software to the company server, which promptly began to replicate itself within the company’s files. The virus destroyed their data, infiltrated their customer management system (CMS), and even paralyzed their exchange server, preventing them from sending or receiving emails.

As we noted when we shared the story in our free guide, Protect Your Network: What Every Business Owner Must Know About Protecting And Preserving Their Network, this employee’s mistake cost the body shop $20,000 to eradicate the virus and bring their network back online. This is far from an isolated incident; according to security firm BakerHostetler’s most recent Data Security Incident Response Report,

  • 31% of cybersecurity breaches were the result of phishing, hacking or malware
  • 24% were due to employee error (such as improperly disclosing sensitive information via email)
  • 8% internal/employee theft
  • 6% lost or improper disposal

Collectively, employee human error (or malice) was responsible for 69% of these issues, and other estimates have ranged as high as over 90%. It’s worth noting that only a very small percentage of these security breaches were intentional on the part of the employee. Employers have an equal, if not greater, responsibility for these breaches, because better data security practices should be a basic part of how all staff are trained in 2018.

Here are some of the most common mistakes, and some tips on minimizing risk exposure.

Skimping on IT Expertise

A business that manages its own cloud network and uses the internet as part of its day-to-day operations has a 40% chance of being compromised by a hacker, and 50% of victims never know they were even attacked.

Even the most basic networks require an IT specialist to set up and maintain, but small businesses on a budget often can’t afford to add another member of staff. Even teams lucky enough to have a technical whiz already aboard are vulnerable: adding IT responsibility to their existing workload pretty much guarantees security will get less attention than it deserves.

While the breaches that follow might technically be the result of that employee’s “error,” the buck really stops with ownership for not exploring alternative IT solutions.

Bad Passwords

There’s a definite trend throughout this article: when an employee sets a weak password or reuses the same password for work and personal accounts, their mistake presents a cybersecurity threat. But when management doesn’t insist on a clear password policy, that’s also a form of human error.

Many popular websites now require that passwords contain a combination of letters, numbers and symbols. Some even force users to change their passwords every few months to bolster security. Does it make sense to have worse security for a company’s most sensitive data than a 13-year-old’s Facebook account?

Unsafe Downloads

Without adequate security policies, firewalls and anti-virus programs, any seemingly innocent download has the potential to bring your business to its knees. Here are just a few of the most common threats, as identified by IBM’s X-Force Threat Intelligence Index:

  • Poisoned Macros: Macros can help make software more productive by reducing the number of keystrokes needed to perform complex, but common, tasks. Though most may not be aware of it, many of the files downloaded each day have custom macros embedded in them. Unfortunately, these can be an easy way for the bad guys to sneak harmful code into inboxes inside files as basic as .docs.
  • Ransomware: This kind of malware encrypts the user’s own data so they can no longer access it, and then demands a “ransom” in exchange for the key to decrypt it. If the user doesn’t have a backup, or their need is critical, they may be sorely tempted to pay—as in a case recounted by IBM of a hospital that paid $17,000 to hackers to get its own files back.
  • Clickjacking: Not all links are visible. Clickjackers fool users by superimposing a transparent webpage over a familiar one; though an employee may think they’re clicking a button to play a video on CNN, they’ve actually clicked the malware link hidden on top of it.

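One way a mail gateway or download hook can catch the “poisoned macro” case above is to look inside the attachment rather than trust its name. Modern Office files are ZIP packages, and an embedded VBA project lives in a part named vbaProject.bin. The following is an added illustration, not code from the original post or from Continuous; the sample packages are constructed in memory and are not real documents.

```python
# Added example: flag Office attachments that carry an embedded VBA project.
# OOXML files (.docx, .docm, .xlsm, ...) are ZIP archives; macros are stored in a
# part whose name ends in vbaProject.bin.
import io
import os
import zipfile

VBA_PART_SUFFIX = "vbaProject.bin"
# Extensions whose content type is allowed to carry macros. A VBA part inside a
# non-macro extension such as .docx is a mismatch worth flagging on its own.
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if the ZIP package in `data` contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML package (legacy .doc, or something merely renamed); this
        # check cannot say anything about it, so report no VBA part found.
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'clean', 'macro' or 'disguised-macro'."""
    ext = os.path.splitext(filename)[1].lower()
    if not has_vba_project(data):
        return "clean"
    return "macro" if ext in MACRO_ENABLED_EXTS else "disguised-macro"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like package in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-stub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True))]:
        print(name, "->", classify_attachment(name, blob))
```

Anything classified as "macro" or "disguised-macro" is a candidate for quarantine or for a stricter review step before it reaches an inbox.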
Although some of these hacker strategies are extremely clever, experienced computer users with solid workplace training are dramatically less likely to be fooled. For example, if an employee is clickjacked, they’ll still be prompted to confirm whether they wish to download an .exe file, which no video player should be requesting. A trained employee may see through the ruse, and a strong security system will block access to sites that are known to be compromised.

Dumpster Treasures

It’s a trope in the movies that, when a government is about to fall or a business is going to be raided by the IRS, there’s always a scene with frenzied functionaries hurrying to shred or burn every incriminating document. Well, that’s because the trash can (or recycle bin!) alone isn’t some kind of magical disappearing device.

Improper disposal is a security expert’s nightmare: paper documents, discs, and especially hard drives with sensitive information should never be simply thrown out. You never know whose hands they’ll wind up in. Businesses need clear and strictly-enforced guidelines about how these assets are disposed of.

Wiping hard drives is not enough, as the information they contain can often be restored by experts. It’s imperative that these devices be destroyed, and their parts recycled, to maintain information security.

Outsource Solutions

There are a lot of options out there for businesses that want to help their employees become more cybersecurity savvy. Some consultants offer courses to teach employees how to recognize and shut down common online threats.

Meanwhile, IT companies, like Continuous, offer 24/7 remote network monitoring, removing the need for a full-time staff specialist without sacrificing rapid response to developing threats. Powerful automated security features insulate businesses from many forms of attack, and can even mitigate that stubborn margin for error that makes us human.

We referenced our network security guide earlier in the article and we wanted to take this opportunity to remind everyone reading this that we have additional IT resources available on the Continuous Networks website. These guides can help with a variety of small to medium sized business needs including implementing a telecommuting network for your employees, a cloud-readiness assessment test, and a must-read guide for what to ask any potential outsourced IT solutions provider.

We’ve been in the business of making the technology of business run more smoothly since 1997, and we’re more excited than ever to continue offering services to businesses worldwide that “just want it to work better”. You can visit our website and schedule a consultation with our team completely free.

We’re all human, and we understand that people make mistakes. The nice part about having Continuous at your fingertips is that we can help you fix it! With North American based providers like us, those “uh oh” moments don’t need to become a disaster. Time is money, and with Continuous you don’t need to worry about wasting either one when it comes to technology issues in your business.