With hyper-connectedness and a burgeoning global cybercrime industry, a company cannot afford a cyber attack. It is essential to establish policies and procedures to minimize risk and train employees to protect your company.
Basic criminal acts to guard against include:
+ Theft of proprietary or sensitive business data that could be sold to competitors or other hackers,
+ Installation of “ransomware” that locks you out of your own data until you pay the cybercriminals’ demands,
+ Malicious damage to your system, such as crashing your website to prevent customers from accessing it (often referred to as a “denial-of-service attack,” under which hackers overwhelm your site with data requests), and
+ Theft of employees’ personal information to eventually steal from them.
Internal Threats
Building a defensive strategy starts with recognizing that, even with the best technical external barriers in place, you could fall victim to an employee who goes rogue, or even joins your organization specifically with cybercrime as a goal.
Hiring managers should be mindful of these risks when reviewing employment applications, particularly for positions that involve open access to sensitive company data. Unusual employment histories are one more item to check when screening applicants. Checking references and conducting background checks is also a good idea.
In the same way, it is advisable to include a statement in your employee handbook informing employees that their communications are stored in a backup system, and the company reserves the right to monitor and examine computers and emails, sent and received, on your system.
When such monitoring systems are in place, prudence or suspicious activity will dictate when they should be ramped up.
DHS Tips for Employees and IT Staff
It is useful to establish a policy encouraging employees to report any suspicious computer-based activities they observe around them. Of course, you do not want to foster employee paranoia or promote the spreading of baseless accusations. Deploying more eyes and ears, however, makes it more likely that cyber bad behavior is detected and stopped.
The largest threat is not that employees may intentionally commit cybercrime, but that they might inadvertently open the door to external cybercriminals. The Department of Homeland Security (DHS) considers cybercrime serious enough to offer eight tips for employers to pass along to their employees:
+ Read and abide by the company’s Internet use policy.
+ Make passwords complex — use a combination of numbers, symbols, and letters (uppercase and lowercase).
+ Change passwords regularly (every 45 to 90 days).
+ Guard user names, passwords, or other computer or website access codes, even among coworkers.
+ Exercise caution when opening emails from unknown senders, and don’t open attachments or links from unverifiable sources.
+ Do not install or connect any personal software or hardware to the organization’s network or hardware without permission from the IT department.
+ Make electronic and physical backups or copies of critical work.
+ Report all suspicious or unusual computer problems to the IT department.
Employees who follow these steps serve as an additional layer of protection against cyberattacks.
For employees responsible for maintaining a secure system, DHS offers the following advice:
+ Implement a layered defense strategy that includes technical, organizational and operational controls,
+ Establish clear policies and procedures for employee use of the organization’s information technologies,
+ Coordinate cyberincident response planning with existing disaster recovery and business continuity plans across the organization,
+ Implement technical defenses, such as firewalls, intrusion detection systems and Internet content filtering,
+ Update the existing anti-virus software often,
+ Follow organizational guidelines and security regulations,
+ Regularly download vendor security patches for all software,
+ Change the manufacturer’s default passwords on all software,
+ Encrypt data and use two-factor authentication where possible,
+ If a wireless network is used, make sure that it is secure, and
+ Monitor, log and analyze successful and attempted intrusions to the company’s systems and networks.
Cybercrime Insurance
What else can be done? Businesses are encouraged to protect their computer systems further by buying cybercrime insurance. Alone, this will not prevent victimization, but it can offset some of the financial damage in case of a successful attack.
In addition, most insurers perform a rigorous risk assessment before issuing a policy and setting premiums. The results of such an assessment can be quite eye-opening for business owners.
If you decide against buying insurance, it might still be useful to have a consultant conduct a cybercrime exposure risk assessment. The growth, ubiquity and high cost of cybercrime have spawned a large industry of cybersecurity consulting firms. Unless your company already has a robust IT staff with expertise in cyber-risk mitigation, you will save time and money by engaging a third-party vendor.