When it comes to information security, your people are your weakest link
Google ‘information security’, and you’ll find no end of articles focussed on the technical aspects of keeping your business safe: Firewalls, patching, IDS, SSL, VPN, 2FA, DLP and a bunch of other three letter acronyms. But when it comes to information security, it’s people - that’s you and your staff - who are actually your business’ weakest link. That’s right: the most gaping security holes have less to do with technology, and much more to do with a few universal human traits. Here are the ‘big four’ attitudinal weaknesses I see time and again:
1. WILFUL IGNORANCE
It’s tempting to dismiss information security as an ‘IT problem’. But it’s really a business risk issue and deserves your personal time and attention. After all, what could be more valuable to you than your IP, your customers’ data, or your reputation? You owe it to your business to educate yourself on the risks and how to mitigate them. And please, don’t just assume your IT guy/gal has your security covered - satisfy yourself definitively that they do. If not, shop around until you find a managed IT provider who does.
2. UNWARRANTED COMPLACENCY
Otherwise known as “I don’t need to worry about security because no hacker is interested in my little business down here at the bottom of the world.” Assuming an attacker has to single you out is like assuming the spam you get was written specifically for you. Attacks like ransomware are indiscriminate and work on simple arithmetic: hit 20,000 organisations, get a 0.1% hit rate, and that’s still 20 victims paying $5,000 each (a cool $100,000). Almost one in five Kiwi small businesses fall victim to a cyber attack every year (and that’s just the ones who report it), losing an average of $19,000 each.* The internet is global, and complacency almost guarantees you will get burnt.
3. BLIND TRUST
We Kiwis are a trusting lot, but when it comes to information security, healthy scepticism should be your default attitude. That means not opening unexpected emails or clicking on suspect links, and learning to recognise common ‘phishing’ scams. Phishing attacks are becoming increasingly sophisticated and alarmingly common. Forget the stereotypical email from Nigeria; today’s phishing emails look as though they come from a trusted organisation, such as your bank or a government department. ‘Spear phishing’ attacks are more targeted still, and appear to come from your own staff or a supplier, typically asking you to pay an invoice or to change the bank account you pay it into. The lesson? Always pick up the phone before making that bank transfer, and ring a number you already have on file, not one quoted in the email.
4. NEED FOR SIMPLICITY
People who work in small businesses are some of the busiest people around, and they tend to wear many hats. As a result, we often cut corners on security in the name of practicality. A client calls wanting to talk to Janice in accounting, and she’s on leave today? Sure, I can log into her computer and give you that information. Chances are, though, that Janice uses the same password for her accounting software, her computer, her email and the payroll app. It’s probably also written on the sticky note on her desk, right next to the picture of her dog. So what happens when someone in a hi-vis vest walks into the office with a clipboard to do a ‘WiFi audit’ and wanders over to Janice’s desk? Or when the vendor of the payroll app gets hacked and all of its customers’ passwords are stolen? One password in the wrong hands then opens every system Janice uses. A unique password for each system (a password manager makes that painless) and 2FA keep the damage to a single account. Information security is one area where cutting corners is always a bad idea.
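To make the payroll-vendor scenario concrete, here is an added example (my own illustration, not code from the original post or from HUM). It assumes the office systems store passwords properly, as salted PBKDF2 hashes, and that the hypothetical payroll vendor stored them in clear text and lost its customer list. The accounts, passwords and the ‘leak’ are all constructed for the example. The point it shows: good hashing on our side does nothing once a reused password leaks in plaintext somewhere else, because the attacker simply replays it.

```python
import hashlib
import hmac
import os

# Cost factor for PBKDF2-HMAC-SHA256. Kept moderate so the example runs in a
# couple of seconds; a production system should use a higher count.
ITERATIONS = 100_000

# Constructed example data, not real accounts: Janice reuses one password
# everywhere, Mark and Priya use a different password for each system.
STAFF_PASSWORDS = {
    "janice": "Rover2015!",
    "mark": "correct horse battery staple",
    "priya": "kauri-tui-9-harbour",
}

# Constructed 'leak': the hypothetical payroll vendor stored passwords in
# clear text and lost its customer database.
PAYROLL_LEAK = {
    "janice@example.co.nz": "Rover2015!",          # same as her office login
    "mark@example.co.nz": "Payroll#2016",          # unique to payroll
    "priya@example.co.nz": "totara-fern-4-south",  # unique to payroll
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash, as a well-built internal system stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(plaintext_accounts: dict) -> dict:
    """Build {username: (salt, digest)} from a constructed {username: password} map."""
    store = {}
    for user, password in plaintext_accounts.items():
        salt = os.urandom(16)  # fresh random salt per account
        store[user] = (salt, hash_password(password, salt))
    return store


def verify(store: dict, user: str, candidate: str) -> bool:
    """Constant-time check of a login attempt against the salted store."""
    if user not in store:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(digest, hash_password(candidate, salt))


def exposed_by_breach(store: dict, leaked_passwords) -> dict:
    """Replay every leaked password against every local account, as an attacker
    would at small-business scale. Returns {user: password_that_worked}.
    Salting and hashing do not help here: the attacker holds the plaintext,
    and the reuse is what carries it from the vendor's breach into our systems."""
    leaked = list(dict.fromkeys(leaked_passwords))  # de-duplicate, keep order
    hits = {}
    for user in store:
        for password in leaked:
            if verify(store, user, password):
                hits[user] = password
                break
    return hits


if __name__ == "__main__":
    store = make_store(STAFF_PASSWORDS)
    hits = exposed_by_breach(store, PAYROLL_LEAK.values())
    for user, password in hits.items():
        print(f"{user}: office login now open to anyone holding the payroll leak ({password!r})")
    safe = sorted(set(store) - set(hits))
    print(f"not affected (unique passwords): {', '.join(safe)}")
```

Run it and only Janice's office account falls, even though all three staff were in the vendor's leaked list: Mark and Priya used a payroll-only password, so the leak gave the attacker nothing that works anywhere else. That is the whole argument for unique passwords per system, and the same replay is what 2FA is there to stop when a password does leak.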
Cyber crime is a very real risk facing all businesses - big and small - and cannot be ignored. If you need help addressing these all too common human weaknesses, get in touch with me here. A big part of my role as ‘virtual CIO’ for HUM customers is helping them to establish processes that support security best practice. I’d be happy to help start you on the journey to a safer, smarter business.
*Source: Norton New Zealand SMB Cybersecurity Survey, 2016