The term “inside job” takes on a special meaning when discussing Internet safety, security and company employees. We trust them with the keys to our doors, the codes to our alarms and the passwords to our bank accounts, but do we train them how to protect that trust?
“There’s nothing important on my computer, so I don’t care too much about Internet security. Why would anyone want to mess with me?” “My business is too small for the big Internet crooks; why would they bother to hack my computers?” “Even if the bad guys do get in my computer, what could they possibly do with what’s there?”
People express excuses like these to me all the time, mistakenly thinking they are somehow immune to the ills of the Internet simply because they are too small or too uninteresting. Only after they have experienced serious trouble do they come to me, wishing someone had shocked them earlier with the “give it to me straight, Doc” facts about just how dangerous the Internet can be.
The “I’m too uninteresting” excuse falls apart quickly. The blunt truth is, Internet bad guys couldn’t care less what’s on your computer. They do not care whether there is anything important on it. Sure, if they happen across a Social Security or credit card number, they’ll be glad to steal it, but they are just as interested in using your computer as a shield to hide behind while they make money other ways, like attacking banks or distributing child pornography. Once they add your computer to their robot army, it does the dirty work and brings them their ill-gotten loot, and you take the blame when something goes wrong and your computer gets caught committing crimes you had no knowledge of.
To think your business is too small to be noticed by Internet crooks is to live in a dream world. Nothing could be further from the truth. Internet gangsters often target small businesses first, knowing that small businesses usually cannot afford I.T. security departments to keep them safe. This, combined with the knowledge that small business owners are often too busy or too uncaring to provide proper safety for their computers, makes small businesses easy pickings for online crooks.
There is a reason more convenience stores are robbed every year than banks: it’s easier to rob a convenience store than a bank. The same principle applies to Internet crime. Larger Internet businesses are usually better defended, leaving the easily hacked low-hanging fruit of small business more attractive. Add to the mix computer-automated tools designed to attack thousands of businesses a day, and suddenly small Internet businesses turn into big business for the Internet bad guys.
Employees are usually the first line of defense, as they are often the ones with the most hands-on computer and Internet contact, and employee education needs to be job number one. Far too many businesses have complete and total dependence on their computers. Literally everything is there, and if the computers die, the business dies.
Employees must understand this and treat things accordingly. They must understand the potential impact on the business if its QuickBooks database were stolen, or if passwords to important accounts were compromised. Rules and policies for email, web browsing and social networks must be clearly laid out and explained. Employees must understand that the computers and Internet access are business tools, and are not there to provide employee entertainment.
Policies for network access should be clearly understood, as well; can anyone put their smart phone, tablet or laptop on the company network for personal use (and potentially access company records), or should access be restricted?
Employees should also be educated regularly about the many different types of cyberattacks and the basics of defending against them: how to recognize dangerous emails, the importance of strong passwords, the hazards found on social networks like Facebook, why updates are important, and how file backups are vital to a company’s longevity. Employees who are ignorant of or do not respect these things are not employees you want to trust your business to.
Ongoing education regarding government regulatory rules and standards can also be important. Does your business accept and handle credit card transactions? Does it use POS (Point-Of-Sale) terminals in the form of modern-day cash registers? Then you and your employees are subject to Payment Card Industry (PCI) rules and regulations, including encryption requirements. Does your business deal in customer medical or financial information? If so, you may be subject to federal HIPAA and/or Sarbanes-Oxley rules, regulations and penalties for non-compliance. Educate your employees about the importance of these areas, as well, and get them on board with making your business a success.
Dave Moore has been fixing computers in Oklahoma since 1984. As founder of the Internet Safety Group, he also teaches Internet safety workshops for public and private organizations. He can be reached at 405-919-9901 or www.internetsafetygroup.com.