By CURTIS PARTRIDGE
Failures in cybersecurity are continuing to garner front-page news coverage. The latest is the fear that hackers have accessed more than 500 million customer records in Marriott International's data systems. Cybersecurity needs to be a real concern for businesses of all sizes.
According to a recent Enterprise Phishing Susceptibility and Resiliency Report, 91 percent of cyberattacks begin with a phishing email. A phishing email is a message that directs a user to visit a website to update personal information or credentials such as bank account numbers, passwords, credit card information, or social security numbers.
Another form of attack is "vishing," or voice phishing, in which a convincing criminal calls an employee to obtain secure information. Voice scams can be more insidious because people tend to believe a phone call is a "secure" form of communication. Either way, it comes down to criminals taking advantage of the general trusting behavior of humans.
Cybersecurity experts have developed many tools and practices that protect practice data, but the most essential element of any good security protocol is employee training. Employee training can feel time-consuming, but it doesn't have to be expensive. The cost of one cybersecurity breach will be far more time-consuming and much more expensive.
What do you share with your employees so they can protect themselves and your practice?
- Encourage employees to consider their own safety as well as the security of the company. Criminals are searching for employee personal information as well as company data. Create a privacy culture in your organization.
- Ask employees to be open and to raise any odd-looking emails or phone calls with supervisors or practice IT professionals.
- Make your cybersecurity training steps actionable. A training program with one to three practical, actionable tips on what people should or should not do will be more memorable. A follow-up later will help to cement the tips in users' minds.
- Don't cover more than three topics in a training session. Continue to revise and improve training material and offer follow-up training every 90 days or so.
- Make cybersecurity training mandatory for everyone. Today, everyone receives email and phone calls, and it is best to not leave anyone behind.
- Be creative and have fun with the process. Prizes and games are a fantastic way to keep the conversation lively and interesting.
- Utilize tools available to test your employees. Free or low-cost tools for sending test emails to employees are available from Microsoft and others. Don't call out individual employees for failure, but use the results to gauge the overall readiness of your staff. This also assists you in finding training subjects for future sessions.
It is important not to assume your employees know. Frequent reminders also keep security top of mind. You can also stress the importance of employee cybersecurity by providing a personal data plan as an employee protection. Personal information plans can be purchased inexpensively in a group setting.
Curtis Partridge has over 20 years of experience in information technology focused on small to medium businesses. He has been a corporate IT manager as well as a consultant. He is currently Senior Systems Engineer for Lotus Management Services and consults with businesses to implement and manage technology solutions.