“Data breach can’t happen in our company, we are not big enough to be a target.”
Have you ever heard someone say this in your company? Whether an intern or an owner, having anybody on staff who thinks their company is exempt from a cyber-threat or a data breach is an internal red flag and great cause for concern.
Oftentimes, company owners or employees think just because they have an IT person or IT department, everything is in place. It’s like the homeowner who makes certain the deadbolt is locked when he leaves the house, but the windows are open.
Needless to say, the best protection against cyber-threats begins with your employees.
Thinking precedes action. If you or your employees are guilty of any of these, it may be time to take a closer look and learn how you can reduce your company’s vulnerability.
- Thinking that one particular protective system will protect another
As a non-IT person, it is natural to assume the company already has the protection it needs against every threat. However, a firewall, for example, only filters traffic entering the network from outside; if an employee brings in a flash drive and plugs it into their computer, they may unknowingly load a virus onto that computer and, from there, onto the company network. The firewall never saw it: the employee carried the threat past the network barrier as a trusted person.
What to do?
Help your employees become aware of the threats that can be unleashed when they bring in and connect their own devices (including an iPod or cell phone). While they may think their device is free of viruses, the reality is that malware on it can be set to run on startup, when a particular application is launched, when a music file is opened, and so on. Which leads us to our next point:
- Connecting personal or untrusted storage devices or hardware into computers, mobile devices or networks
You would be surprised to learn how many people let curiosity get the better of them and plug a flash drive or CD/DVD they found lying around straight into their computer.
What to do?
Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown or untrusted hardware to a system or the network, and do not insert any unknown CD, DVD or USB drive. Disable the “AutoRun” feature for USB ports and optical drives (CD and DVD) on business computers to help prevent malicious programs on such media from installing themselves onto the systems. Talk to your IT professional about disabling USB ports or restricting the use of unknown devices.
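One way an IT person can apply the AutoRun and USB advice above on a Windows business PC, as an added example that is not part of the original article (it assumes Windows 7 or later and an elevated PowerShell prompt; the registry values used are the standard Windows policy settings):

```powershell
# Added example (not from the article): harden a Windows business PC so that
# removable media cannot launch programs on insertion, and optionally block the
# USB mass-storage driver outright. Run from an elevated PowerShell prompt.

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type
    # (removable, fixed, network, CD/DVD, RAM disk and unknown).
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
    # Also disable AutoPlay for non-volume devices such as cameras and phones.
    Set-ItemProperty -Path $policy -Name 'NoAutoplayfornonVolume' -Type DWord -Value 1
    # Belt and braces: make Windows ignore autorun.inf files entirely by
    # mapping them to a registry location that does not exist.
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $map)) { New-Item -Path $map -Force | Out-Null }
    Set-ItemProperty -Path $map -Name '(Default)' -Value '@SYS:DoesNotExist'
}

function Disable-UsbStorage {
    # Start = 4 (disabled) stops the USBSTOR driver loading for USB disks and
    # flash drives; keyboards and mice use a different driver and keep working.
    # Set it back to 3 to re-enable.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Type DWord -Value 4
}

function Test-RemovableMediaHardening {
    # Audit helper: reports whether each control is in place, so the IT person
    # can verify the change took effect (or check a fleet over PowerShell remoting).
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun  = (Get-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start').Start
    [pscustomobject]@{
        AutoRunDisabled   = ($autorun -eq 0xFF)
        UsbStorageBlocked = ($usbStart -eq 4)
    }
}

Disable-AutoRun
# Disable-UsbStorage   # uncomment only where staff never need USB disks
Test-RemovableMediaHardening
```

Group Policy can push the same settings to every domain PC; the script is for a small office that manages machines one at a time.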
- Broadcasting your SSID (also known as the wireless network name)
Another way company I/T managers can help tighten the cyber-threat barrier is to ensure the company SSID is not broadcast. Your I/T administrator can disable SSID broadcast, which ‘hides’ your company network. While the network is still there, it will be harder for the “Average Joe” to discover; treat this as a deterrent rather than a protection. When hacking turns into too much work, they will likely bypass that system, as there are plenty of easier targets out there to infiltrate.
How easy is it to get into your company system? Think of it this way: when your SSID is freely visible and listed for anyone to log onto, a hacker already knows which network to target and needs only your credentials to get into your system. And, to a hacker, that is the easy part.
What to do?
Most business owners think that if they require guests to enter a password, the data is secure; that is not true. To mitigate the risk of an unauthorized user accessing your company data, first learn which type of wireless security your network is using and then consider your options:
WEP system
This is a weak security standard, one that can be cracked in minutes. Update your system ASAP.
WPA system
While this is a significant improvement over WEP, be aware that WPA is built on WEP’s key structure (the RC4 cipher) and thus retains some of WEP’s vulnerabilities.
WPA2 system
WPA2 is the current standard. It encrypts all traffic on the wireless network with AES encryption and is the most secure form of Wi-Fi. Your network administrator can configure this. If you do not have an IT administrator on staff, we suggest consulting an IT company that can perform a systems or security check on your Wi-Fi network.
- Thinking public Wi-Fi is safe
Many think a password-protected public Wi-Fi connection assures data security. According to the Norton Report (2013), 68% of public and unsecured Wi-Fi users were subject to cybercrime. The reason? Older encryption standards, which are out of the user’s control, are the likely culprit.
What to do?
Using a public Wi-Fi network that offers a WPA2 connection provides a better level of security. When logging onto a public Wi-Fi system, take a closer look; choosing a network that uses WPA2 will give you a more secure browsing experience.
When you must use public Wi-Fi, your best bet is to use an SSL VPN. If that is not an option, turn off file sharing, use browser protection add-ins such as “Comodo Dragon” and always use HTTPS. While these options will not fully protect you, they will make you less vulnerable.
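Both the office check above (which type of security your network uses) and the public Wi-Fi check (whether the hotspot is WPA2) come down to reading the authentication and cipher your Windows adapter reports. The following is an added example, not code from the article; it assumes a Windows PC with the built-in netsh tool and parses the text that “netsh wlan show interfaces” prints, using a constructed sample for illustration:

```powershell
# Added example (not from the article): classify the security of the Wi-Fi
# network this Windows PC is connected to, from the output of
# "netsh wlan show interfaces". Assumes a Windows machine with netsh.

function Get-WlanSecurityRating {
    param(
        # Lines of netsh output; defaults to querying the live adapter.
        [string[]]$NetshOutput = (netsh wlan show interfaces)
    )
    $ssid = ''; $auth = 'unknown'; $cipher = 'unknown'
    foreach ($line in $NetshOutput) {
        # "^\s*SSID" deliberately does not match the "BSSID" line.
        if     ($line -match '^\s*SSID\s*:\s*(.*)$')           { $ssid   = $Matches[1].Trim() }
        elseif ($line -match '^\s*Authentication\s*:\s*(.*)$') { $auth   = $Matches[1].Trim() }
        elseif ($line -match '^\s*Cipher\s*:\s*(.*)$')         { $cipher = $Matches[1].Trim() }
    }
    # Rate the network along the WEP / WPA / WPA2 scale described in the article.
    $rating = switch -Regex ($auth) {
        '^WPA3'          { 'strong: WPA3' }
        '^WPA2'          { if ($cipher -eq 'CCMP') { 'acceptable: WPA2 with AES (CCMP)' } else { 'weak: WPA2 using TKIP instead of AES' } }
        '^WPA-'          { 'weak: WPA (TKIP, built on RC4); upgrade to WPA2' }
        '^(Open|Shared)' { if ($cipher -eq 'WEP') { 'broken: WEP, crackable in minutes' } else { 'none: open network, traffic visible to anyone nearby' } }
        default          { "unknown: $auth / $cipher" }
    }
    [pscustomobject]@{ SSID = $ssid; Authentication = $auth; Cipher = $cipher; Rating = $rating }
}

# Constructed sample of netsh output for a cafe hotspot still running WEP.
$sample = @'
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : CoffeeShop-Guest
    BSSID                  : 00:11:22:33:44:55
    Authentication         : Open
    Cipher                 : WEP
'@ -split "`r?`n"

Get-WlanSecurityRating -NetshOutput $sample   # rate the constructed sample
Get-WlanSecurityRating                        # rate the network this PC is on right now
```

The same function can be pointed at the office access point by running it on any PC connected to it, which answers the “which type of network is my system using” question without touching the router.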
- Thinking your company has nothing worth hacking
Whether a company conducts only one piece of business or is a robust conglomerate with countless transactions, your personal identity, the personal information of your employees and customers, and even browsing habits are all fair game in the eyes of a hacker. Knowing that hackers collect pieces of data that, together, give them the opportunity to infiltrate a system or someone’s persona is powerful.
What to do?
Ensure, at minimum, that your company stays up to date on the latest security and software patches, implements complex passwords or, even better, passphrases, AND trains your employees on I/T security; this is critical!
Final thoughts
Keep in mind that anything you send or receive over a Wi-Fi network is the same as broadcasting your message to the world. Investing in protection and security before something happens is optimal. Security is 10% technology and 90% user.
If you have questions about internet security, protecting your company’s data, or ways in which our consultancy group can help mitigate your risk, contact me at 216.831.0733 or MJaworske@zinnerco.com. I’m happy to help and ready to start the conversation.