Many business owners are surprised to learn that a large portion of hacks are inside jobs, carried out, for example, by disgruntled employees or suppliers, or by a former employee with a grudge. Other hacks are caused by one of your own staff triggering or enabling an outside attack.
Here are five effective ways you can make “on premises” IT security improvements and decrease the odds you will be hacked by someone with physical access to your technology:
#1 Add a front desk sign-in log and a camera system, and restrict who can access your back room
Review your security access plan with your building's management and implement a sign-in process for visitors. Restrict who can access your offices, and take measures to prevent someone from wandering into your back room and having physical contact with your servers and technology. Your server room should be locked with a keycard system that logs who has access and records the date and time of each entry.
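A keycard log is only useful if someone actually reviews it. The script below is an added example (not part of the original article) of the kind of review a manager or IT provider can run over a keycard export: it flags entries by people who are not on the authorised list, entries outside business hours, and repeated denied attempts. The log format, the names, the authorised list and the business-hours window are all constructed assumptions; a real access system will export different fields.

```python
"""Review a server-room keycard log for entries worth a follow-up question.

Added example, not from the article. The CSV layout, names and thresholds
below are constructed assumptions, not any vendor's real export format.
"""
from datetime import datetime

# Constructed sample export: timestamp, badge holder, door, result.
BADGE_LOG = """\
2024-03-04T08:55:12,alice,server-room,granted
2024-03-04T12:10:43,bob,server-room,granted
2024-03-04T22:41:07,carol,server-room,granted
2024-03-05T03:12:55,alice,server-room,granted
2024-03-05T09:02:30,dave,server-room,denied
2024-03-05T09:03:01,dave,server-room,denied
2024-03-05T09:03:20,dave,server-room,denied
"""

# Assumption: IT maintains the list of people who should hold server-room access.
AUTHORISED = {"alice", "bob"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59
DENIED_THRESHOLD = 3            # this many denials in one day gets flagged


def parse_log(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, door, result = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "who": who,
                       "door": door, "result": result})
    return events


def review(events):
    """Return the findings a manager should follow up on."""
    findings = {"unauthorised": [], "after_hours": [], "repeated_denials": []}
    denials = {}
    for e in events:
        granted = e["result"] == "granted"
        # Someone got in who is not on the authorised list.
        if granted and e["who"] not in AUTHORISED:
            findings["unauthorised"].append((e["time"].isoformat(), e["who"]))
        # Access outside business hours deserves a "why?" even when authorised.
        if granted and e["time"].hour not in BUSINESS_HOURS:
            findings["after_hours"].append((e["time"].isoformat(), e["who"]))
        # Count denials per person per day.
        if e["result"] == "denied":
            key = (e["who"], e["time"].date())
            denials[key] = denials.get(key, 0) + 1
    for (who, day), n in sorted(denials.items()):
        if n >= DENIED_THRESHOLD:
            findings["repeated_denials"].append((day.isoformat(), who, n))
    return findings


if __name__ == "__main__":
    for category, items in review(parse_log(BADGE_LOG)).items():
        print(category, items)
```

Run against the constructed log, the review flags carol's evening entry (not authorised and after hours), alice's 3 a.m. entry (authorised but after hours) and dave's three denied attempts on the same morning; none of these is proof of wrongdoing, but each is a conversation a business owner should have.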
#2 Analyze how you and your employees remotely access the data at your office
If the only thing standing between someone connecting remotely and your business's proprietary data is a simple password, it is time to make significant improvements to the security of your data and to how employees are granted remote access.
An option for businesses is implementing multifactor authentication (MFA). This is a security system that requires more than one method of authentication to verify the user's identity when logging in. An example would be a text sent to the person's mobile phone with a 6-digit PIN that also needs to be entered. The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database.
It is also a good idea to create separate share drives for more critical information and limit access to that data on a “need to know” basis. Instead of setting up access to these share drives by person, set up groups of people with specific access levels. This way, when people are moved to new roles or departments their access levels automatically follow the job description.
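The difference between per-person and group-based share permissions is easiest to see in a small model. The example below is added here (it is not from the article and does not use any particular file server's API); it resolves a user's effective access through group membership, shows that moving someone to a new group changes their access without touching the share, and audits for direct per-user grants that will go stale when that person changes roles. Share names, groups and people are constructed.

```python
"""Group-based share permissions: resolve effective access and audit
per-user grants. Added example, not from the article; all data is constructed.
"""

LEVELS = {"none": 0, "read": 1, "write": 2}

# Group -> members. Membership is the only thing that should change when
# someone moves roles.
GROUPS = {
    "finance": {"alice", "bob"},
    "hr": {"carol"},
    "everyone": {"alice", "bob", "carol", "dave"},
}

# Share -> ACL. Principals are "group:<name>" or "user:<name>"; the latter is
# exactly the per-person setup the article advises against.
SHARES = {
    "payroll": {"group:finance": "read", "group:hr": "write", "user:dave": "read"},
    "policies": {"group:everyone": "read", "group:hr": "write"},
    "contracts": {"user:alice": "write"},
}


def effective_access(user, share):
    """Highest access the user has on the share via any group or direct grant."""
    best = "none"
    for principal, level in SHARES[share].items():
        kind, name = principal.split(":", 1)
        matches = (kind == "user" and name == user) or \
                  (kind == "group" and user in GROUPS.get(name, set()))
        if matches and LEVELS[level] > LEVELS[best]:
            best = level
    return best


def move_user(user, from_group, to_group):
    """Role change: one membership edit, no share ACLs touched."""
    GROUPS[from_group].discard(user)
    GROUPS[to_group].add(user)


def audit_direct_grants():
    """List per-user grants that bypass groups and will not follow a role change."""
    return sorted(
        (share, principal.split(":", 1)[1], level)
        for share, acl in SHARES.items()
        for principal, level in acl.items()
        if principal.startswith("user:")
    )


if __name__ == "__main__":
    print("alice on payroll before move:", effective_access("alice", "payroll"))
    move_user("alice", "finance", "hr")
    print("alice on payroll after move:", effective_access("alice", "payroll"))
    print("direct grants to clean up:", audit_direct_grants())
```

Before the move alice gets `read` on payroll through finance; after she moves to hr she gets `write`, with no change to the share itself. The audit lists dave's direct grant on payroll and alice's on contracts: those are the permissions that would quietly outlive a role change, which is the problem the group approach removes.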
Periodically audit your remote access policy. Don't make the mistake of becoming complacent with your security just because you have been without incident. If you are only using two-factor authentication for remote access, consider adding a third factor to increase protection.
#3 Create a phishing policy
Train employees on how to spot phishing scams and what to do when they think they might have received one, or even worse, acted on one.
Provide them with examples so that they get an idea of what phishing attempts look like. Give them a set of guidelines outlining what information they may share and what information is proprietary. Make sure this policy is in writing and highly visible. Train all new hires on this policy immediately. Lastly, hire a security firm to proactively phish your employees. This exercise will give you a better idea of your risk level so you can supply additional training to the employees who click on the fake phishing email and need further guidance.
#4 Request a security plan from your IT provider
A skilled IT provider will provide your business with an adequate level of cyber security protection. They will be able to point out your weaknesses and areas of vulnerability. They can also provide you with helpful tools to train employees on how to protect sensitive data and not fall victim to cyber-crimes. Most IT providers have a handy checklist or short guide they provide to their clients.
#5 Conduct an all-staff security meeting and assemble a technology committee
Go over ways that you and your employees can collectively improve security. For example, if you find a USB drive that isn't yours, hand it to IT, even if it has your company's logo on it.
Take things one step further and assemble a technology committee. Provide employees with additional incentives to participate in this committee and take on an active role in conveying the importance of cyber security, enforcing security policies, and fostering discussions on ways to improve security.