Two men are walking through a forest. Suddenly, they see a bear in the distance, running towards them. They turn and start running away. But then one of them stops, takes some running shoes from his bag and puts them on.
“What are you doing?” asks the other man. “Do you think you will run faster than the bear with those?”
“I don’t have to run faster than the bear,” he responds. “I just have to run faster than you.”
That same mentality will help owners drive change in their businesses to safeguard against data breaches, by helping their employees understand the importance of their own behavior in protecting the reputation and financial assets of the company. While perfect online security is not attainable, there are actions and habits within the control of the owner to make the company a less attractive target. And while advancements in security software continue, employee behavior still represents the highest level of risk to organizations – and the greatest area for improvement.
According to the 2016 Cyber Security Intelligence Index by IBM, 60 percent of all attackers are “insiders,” defined as anyone who has physical or remote access to a company’s assets, including hard copy documents, disks, electronic files, laptops and information in transit. This list of insiders includes business partners, clients, maintenance contractors, vendors and employees. Many insider attacks are not conducted with malicious intent; they are inadvertent or accidental actions that result in a data or security breach. In either case, the results can lead to serious financial and reputational loss. That’s why it’s important for the leader to communicate expectations across all levels of the company.
To aid the small business owner, we offer this data security checklist to assess the strength of the company’s systems, processes and employee awareness:
- We have established risk tolerance levels for different parts of our business.
- We have identified and prioritized the high-risk areas that contain confidential business information.
- We have documented a business information protection plan and review it at least annually.
- We protect company computers and networks.
  - We use the latest software versions and apply patches on a regular basis.
  - We have implemented a firewall on all company computers and at the perimeter of our Internet access.
  - We filter emails and Internet traffic.
  - We back up computer data nightly.
  - We monitor remote access and require dual-factor authentication for remote access connections.
  - We have redundant technology and communication lines in place to minimize downtime and prevent loss of important data.
- We have created a culture of security awareness among employees.
  - Employees know what a suspicious email or request looks like.
  - Employees know not to click on links or open attachments from people they don’t know.
  - Employees do not send confidential account or personal information via email unless it is encrypted.
  - Employees understand the symptoms of an infected computer.
  - We have tested our employees and the results are satisfactory.
  - Employees know who to contact within the company if they receive a suspicious email or phone call.
- We have a written incident plan if we fall victim to a data or security breach.
  - We have identified high-risk systems and transactions.
  - We have defined key contacts and specific actions to take to mitigate data loss.
  - We test the plan periodically to assure its effectiveness and refine it accordingly.
All of the aforementioned “haves” are de facto “have nots” without strong support from the business owner, who should be the primary driver and motivator for a secure workplace.