Some bad business and employee habits are innocuous. Others are the gateway to thousands or millions of dollars in losses for a company. Unfortunately, bad cybersecurity habits fall more frequently into the latter category. A 2017 Ponemon Institute study revealed that the average cost of a significant data breach is $3.62 million. That translates to $141 per lost record.
Businesses can stem these losses by breaking institutional bad habits and encouraging employees to break their own individual ones. Here are a few to consider:
- Failing to update software and systems. Software developers release updates to patch bugs and fix known security weaknesses. A company’s failure to install updates leaves it exposed to hackers who take advantage of those weaknesses. A good way to reverse this practice is to force employees to install updates on their individual workstations. Employees should schedule regular times for the updates, while managers should follow up to verify they’ve kept these commitments.
- Equating awareness and enforcement. A business might go to great lengths to train employees and to disseminate information on cybersecurity risks. But that’s only a useful way to spend your cybersecurity budget if you enforce the skills you taught. Every business needs to follow up on training. For example, verify that employees are using strong passwords and refraining from clicking on suspicious links. Businesses should also reach out to vendors that interface with their network to verify that they’re also enforcing cybersecurity training.
- Granting mobile app permissions. Make sure employees know not to accept all permissions from apps they download to work devices. This is relevant whether you have a BYOD policy or you issue company-owned phones. Errant permissions may allow hackers to access stored information, microphones, or cameras via the app. Employees and managers should verify app permissions are set up correctly whenever someone downloads a new app.
- Using free public Wi-Fi. Free public Wi-Fi is rarely secure. Hackers can easily steal information sent over free Wi-Fi networks. Businesses should ban employees from using free Wi-Fi to connect to a business’s information systems. Alternatively, the business can require all communications from mobile devices to be channeled through a virtual private network. These VPNs mask users’ locations and encrypt communications from the mobile device.
- Failing to adopt a response plan. Even after addressing bad cybersecurity habits, a company is still vulnerable to an attack. If the company has made no plans on how to respond, chaos and uncertainty will take over that response. A good plan designates an employee or team to manage all aspects of the response, including internal and external communication. It also includes a cyber protection strategy to help recover direct losses and third-party liabilities arising from the event. Carrying a cyber insurance policy from a provider that understands your risk profile goes a long way in minimizing harm.
- Employing weak back-up methodologies. Businesses are increasingly targeted by ransomware attacks that freeze access to data and systems pending payment of a cryptocurrency ransom. Few companies that back up data routinely test those backups to verify that they will work to recover a lost or frozen system. A company that goes to the trouble of doing regular backups should confirm that its backup methodologies will allow a full recovery.
Breaking bad habits now and taking preventative measures will equip your company to deal effectively with cyberattacks.
Ian Dixon is a Microsoft MVP (Most Valuable Professional), founder of TheDigitalLifestyle.com tech site and producer of the weekly The Digital Lifestyle Show podcast. Ian has been writing and talking about Windows for over 10 years and has over 20 years in IT as an IT Manager. Ian has thousands of followers on Twitter and Facebook and over 4 million views on his YouTube channel.