Knowing where to start with cyber security can be daunting. I’ll make it easy for you — start by having a conversation with your employees. It’s free.
You’re an entry point to your biggest customer
In fact – these businesses are often more attractive. They have weaker online security – most aren’t running penetration tests or even requiring that employees regularly change passwords. They don’t use encryption – which makes it easy for hackers to access sensitive data. If you do business with a large company, you’re not even a target; you’re an entry point.
Think about that – for a hacker you’re just an entry point to your biggest customer. You’ll be the wooden horse that the Greeks used to enter the city of Troy. If you think it’s hard to close deals with them now, what happens when you are their biggest liability?
You can actually evaluate your company’s security posture with a free simulated phishing attack.
Fun Fact: We started our company after answering a similar question and not being able to find a convenient way to train employees.
Most attacks start with employees
If your business is an entry point to your biggest customer, what’s the entry point for your business? There can be many, but the #1 entry point is through employee actions. That’s why you’ll see your large customers asking whether you provide annual employee training. You’ll see the same question from an insurance provider when they include cyber coverage.
Quick Tip – Most providers include something like $25,000 in coverage, which is not sufficient to cover the cost of a security incident.
We provide small and medium-sized businesses the ability to train, track progress, and certify that employees have taken the training. However, we’re nerds before businessmen, so we’re telling you how to have this conversation with your employees – for free.
Conversation With Your Employees
Your conversation with employees should be simple and basic so they can understand how to recognize a threat and identify/mitigate that risk. This is the conversation you should have in this week’s team meeting.
1. You play a significant role in our security program
(For dramatic effect I recommend pointing at individual team members.)
Jody – you’re an excellent secretary and a target for hackers. Since hackers know you likely have access to my passwords or some accounts, it’s common for them to impersonate me in an attempt to access that sensitive information. Once they do, our firm, customers, and employees are at risk.
Steve – you’re a top sales guy and always on the move, which makes you a target for hackers. You access information from multiple devices and connect to Wi-Fi at the coffee shop to get your proposals out. Criminals can access information being sent over unsecured Wi-Fi, so we always recommend using the Hotspot on your company phone.
Jamie – the sticky notes on your computer with passwords written on them have to go.
2. Watch out for phishing attacks
A phishing attack is a common way that hackers try to steal or learn information from you. They will imitate another person or company in an attempt to gain your trust. It could be a phone call or an email.
Banks do not request sensitive information over email – so be cautious of anyone asking for sensitive information in an email. Our IT department will never ask you for your password – whether it’s on the phone or in email. If you receive a request asking for your password you should call me and Bill in IT immediately.
Never open a link in an email unless you’re 100% sure the link is authentic. A quick test is to check the sender – is it someone you know? Are the name and domain spelled correctly? Then check the links by hovering over them – are they directing you to the place you want to go (for example www.yourbank.com), or is it a fake link going to www.yourebank.com?
3. Computers and Passwords
Our computers are entry points for all of our sensitive information. You should ALWAYS lock your computer when you stand up from your desk – whether you’re leaving for the night, grabbing coffee, or using the restroom.
Your password should be difficult to guess, easy to remember, and changed quarterly. You may not use the personal password from social media sites for your company password. An easy way to meet these criteria is to pick a phrase and use the first letter of each word, and add some special characters.
Here’s my example –
I’m a new dad, so ‘Papas Gonna Buy You A Billy Goat’ would be PgbYaBG#3
I’m a corny dad, so ‘My Milkshake Brings All The Boys To The Yard’ would be MMbaTBTTy5#@.
Before You Go
This list is short and sweet. Wuvavi provides an employee cybersecurity platform that covers a more extensive list of topics, simulates phishing attacks, and tracks/certifies completion for every employee. Wuvavi will let you put your employees to the test with a free phishing attack. However, the most important thing is for you to have this conversation with your employees – whether you use this post as a guideline or deploy an employee cybersecurity platform.