Lately, many of us have heard the news of system hacks or data dumps where nefarious actors accessed sensitive information and exploited it. Some may think that gaining access to private servers requires years of intense technical skill, unlimited resources, and an intention to steal ONLY YOUR information. In reality, many data hacks can be carried out relatively quickly and cheaply to obtain all types of information. Here are a few tips employers can use to safeguard themselves and their employees.
Adopt a Password Management Policy
Employers should adopt a password management policy for all devices, web services, and applications. The policy should include rules for sharing user access to web services and applications, password construction, and multi-factor authentication requirements.
Many web services and applications designed for business operations allow license holders to have multiple logins. Instead of creating a single shared account with one username and password, employers should consider requiring each employee who accesses the system to create and maintain their own login information. This limits the exposure if any one set of credentials is stolen and used to access the service.
Passwords can be an entry point for various forms of cyber threats. Therefore, employers should enforce strict rules for employees who set up their own accounts. Passwords that offer the most security should have the following characteristics:
- At least eight characters in length.
- Contain upper and lowercase characters.
- Contain multiple digits and symbols.
- Must not be an identifiable word like “password.”
- Must not contain an identifiable characteristic attributable to a person or place, like “janedoe1” or “Clevelandrules5.”
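As an added example (not part of the original post), a small Python checker that encodes the five characteristics above so an employer's IT staff can test candidate passwords before accepting them. The common-word blocklist and the personal terms passed in are constructed placeholders, and "multiple digits and symbols" is interpreted here as at least two of each.

```python
import re
import string

# Constructed placeholder blocklist of identifiable words; a real deployment
# would use a much larger list of common and breached passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}


def check_password(password, personal_terms=()):
    """Return the list of policy rules the password fails (empty means compliant).

    personal_terms is a constructed list of names or places attributable to the
    account holder (e.g. first name, surname, city), checked as substrings.
    """
    failures = []

    # Rule 1: at least eight characters.
    if len(password) < 8:
        failures.append("shorter than eight characters")

    # Rule 2: both upper- and lowercase characters.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("missing upper or lowercase characters")

    # Rule 3: multiple digits and symbols (interpreted as two or more of each).
    digits = sum(c.isdigit() for c in password)
    symbols = sum(c in string.punctuation for c in password)
    if digits < 2 or symbols < 2:
        failures.append("fewer than two digits or two symbols")

    # Rule 4: not an identifiable word. Strip digits/symbols first so that
    # "password1!" is still recognised as the word "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        failures.append("is a common word")

    # Rule 5: no term attributable to the person or a place (case-insensitive).
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains personal term '{term}'")

    return failures
```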
Finally, employers should consider requiring employees to enable multi-factor authentication on devices and web services. For example, when an employee attempts to log into a web service such as the employer’s email system, a multi-factor authentication system sends a message to the employee’s phone or email containing a single-use passcode that must be entered to access the service. That way, if a third party tries to maliciously gain access, the web service will notify the employee.
The Power of Phishing Scams
Phishing involves a third party sending an email to an employee’s email address that requests sensitive information or contains malware in a link or attachment. Phishing scams are often the easiest way for hackers to access private systems and steal sensitive information.
The Federal Trade Commission (FTC) offers advice on how to train employees to identify and report phishing scams. Warning signs include an email that asks the employee to send personal information or login credentials, that appears to come from a legitimate website, that claims the recipient’s account is on hold, or that asks the recipient to click on a link or download a file. In addition, employers should maintain security software to thwart these scams, require automatic updates on employee-owned devices, use multi-factor authentication, and back up their data on an external hard drive or in the cloud.
Require Mandatory IT Training
Many employers these days have some form of internet service. Whether they use sophisticated credit management systems or a simple email account, local governments and small businesses use the internet in many ways. If you have an IT department or retain IT services, ask whether you can establish a periodic IT training regime. In addition, ask your IT professional for occasional cybersecurity updates, helpful tips, and issues employees should know about to keep data safe. Finally, encourage employees to notify IT or supervisors of red flags in the employer’s systems.