A favourite target of hackers is small-to-medium business – as they often have higher cash pools than individuals, but lack the cybersecurity of major institutions.
No ad to show here.
But even if your cybersecurity is up to scratch, an employee who is unfamiliar with digital threats can cost you dearly.
Here are three ways your employees can put your business cybersecurity at risk:
Opening emails with malicious software
While many people have wised up to the typical scams that have become notorious over time (such as the Nigerian prince and UK lottery scams), there are still other scams that employees are unaware of.
Rather than requiring banking or credit card details, many scam emails ask users to download a document or follow a link.
It could be something as simple as an email stating “Here is a document for your attention” from an unknown sender that puts your entire network at risk.
Once the file is opened (or sometimes even just downloaded), the machine becomes compromised.
How to avoid this:
Teach your employees to be discerning when it comes to emails. If they don’t know the sender and there is little or vague information in the email header, they should rather just not open it.
Employees should also be told to not download files from emails that end in the extension ‘.exe’ as this is an application install file, which is likely malware.
This is where “rather safe than sorry” is a pertinent lesson. Rather err on the side of caution than downloading dodgy files.
Using compromised memory sticks
We’ve seen this happen with our own eyes. An employee wants to transfer files from their PC to a co-worker’s, so they bring along a USB drive from home.
If this isn’t a technologically savvy employee, their memory stick has the risk of carrying its own malicious software downloaded unwittingly from the owner’s personal computer.
While copying to and from a coworker’s PC, this virus can transfer from the USB drive onto the coworker’s device.
What to do:
Teach your employees to understand common names of PC viruses and how to show hidden files on their hardware. Therefore, if they see a file with the word ‘Trojan’ or ‘Worm’ in their name they will understand that it is a virus and needs to be deleted.
Also require them to do an anti-virus scan before transferring files between devices, so that anti-virus software can pick up any threats.
If they do find threats, it is useful to teach them how to format a drive to completely clear it of any malicious software.
Visiting suspicious sites
It’s not social networks that will cost your company dearly, after all, a Facebook status or tweet from an employee is not likely to result in your files being held ransom.
Rather, it’s untrustworthy sites or fake brand sites that are the real risk. Most workers know not to visit adult sites during work hours (we hope), but other more inconspicuous sites can put the user’s PC at risk.
The problem with untrustworthy sites is not only that they could be phishing scams used to gather important information, but these sites can result in malware being delivered to your hardware through advertisements.
Sometimes you don’t need to even click on the ad for the malware to infect your PC.
What to do:
You can adjust your network firewall settings to block access to certain sites, but you will need to do more than this to keep your company’s cybersecurity safe.
Employees will need to be taught how to recognize secure sites and URLs. One of the easiest tricks, especially when it comes to entering information, is to check whether the site has an encrypted URL. This can be determined by whether it has “https://” at the beginning of the URL (meaning it’s secure) versus just “http://”.
You should also get employees to download ad blockers for their browser if you’re worried about them visiting sites with malicious adverts.
They should also not follow any links sent by unknown users, shortened links in which they cannot see the site they’re being directed to, and links sent without any contextual information or vague information (e.g. “See what this person said about you: link”). This includes links in messaging programs like Skype, or links sent to them online through social networks.
They should also be taught to check the domain URL of a site to see whether it matches the official site of the company/brand/platform they are trying to visit.
For example, you know that Nedbank’s site URL is Nedbank.co.za, so you wouldn’t want to visit a site that is a variation or altered from this domain, such as Nedbank-za.co.za, or nedbank1.co.za.
Again, rather be safe than sorry.
Other steps for employees
Beside training employees to be cautious on their work computers and when transferring between personal and work devices, there are other steps you should take to protect your company’s cybersecurity.
You should make sure that any device used for work purposes (including phones and tablets) have reputable anti-virus software installed. This software should also be kept up-to-date so that it can recognize the latest threats.
Sensitive company information should also be protected, with only access granted for those who need to work with it (e.g. bank and company credit card details, employee personal information, etc).
Finally, you should always create a frequent backup of your essential files on a separate network. This means that if your main network and files become locked behind ransomware, your company won’t be brought to its knees.