a cautionary perspective
DC the Computer guy
Providing IT support to small businesses has allowed me an intimate look into how they operate. Over the years, I’ve noticed that most of these started because the owner was good at a trade and not necessarily because they were good at business. Most, including myself, do not have a formal business education, instead, they learned how to operate their business as it grew.
I’ve always been a student of people and have paid attention to how my clients manage their businesses over the years. Sure, I liked seeing what they were doing and noted their successes, but I paid particular attention when things went wrong. I feel strongly that there are many more lessons to be learned from mistakes and challenges than from when everything is running smoothly.
And that brings us to this blog, which is about security awareness. My usual routine is to spend more time contemplating what I’m going to write than actually writing. I like to work out the full story in my head before I sit down to write the first word. When thinking about this blog, two clients kept coming to the forefront of my mind. The first client, whom we’ll refer to as Client A, places an emphasis on ensuring that their employees are aware of the security threats around them, while the other, Client B, does not see the value in it.
LESSONS LEARNED OR LOST
Approximately 10 years ago, Client A had an employee that clicked on a link when they shouldn’t have. This resulted in their entire file system being encrypted. Luckily, as our client, we had everything in place to help them to recover from this threat. A long weekend of restoring backups and rebuilding the infected computer was all it took to get them back up and running, but the scare of losing all that information taught this client a valuable lesson. Since then, she has ensured all employees are aware of security threats – knowing how to spot them and the process for dealing with them.
Learning from that incident, Client A has maintained its security awareness and has since kept the environment secure with zero security incidents, zero malware infections, and zero viruses.
On the other hand, Client B calls CLARK routinely with issues like slow computers and network performance and lots of malware and virus issues. And yet, no matter how often one of the employees, or himself, clicks on a link and infects their computer, this client refuses to consider cybersecurity practices. Where Client A is preaching awareness, Client B is in a vicious loop of break and fix – so each time their employees break something, we go in and fix it.
SECURITY VS. UNCERTAINTY
Security experts will tell you that most security incidents – nearly 90 percent – are due to Human Error. If you know this, then it makes sense to take the time to educate your employees on how to recognize and avoid these threats so that you have fewer incidents, such as a computer being infected with a virus.
I’ve pointed this out to many clients over the years, and the ones that have listened call us less, while the ones that don’t call us often.
How do you this break this cycle?
Well, there are two basic approaches. Either hire a company like CLARK to provide security awareness training or educate yourself on the threats your industry faces and provide training in staff meetings. When it comes down to it, employee awareness is the key to mitigating these threats – your role is to decide how to go about bringing that awareness.
At CLARK, we provide security awareness training through multiple formats, including a monthly newsletter, but our primary channel is a weekly staff meeting. It covers a range of topics – but one of the most important, if not the most, is security awareness. As a small business owner, I feel it is extremely important to stay on top of security threats and set the standard for all employees to follow.
In our staff meetings, newsletter, and email updates, we cover many topics, some of which are specific to our industry, but I advise clients to start with these topics:
HOW TO AVOID PHISHING AND SOCIAL ENGINEERING ATTACKS
Phishing and social engineering are the most significant threats facing our clients today. I routinely look for news articles covering both topics and pass them along to all of our employees, both for their knowledge and so they can pass the information on to our clients. In our staff meetings, we cover not only what to look for to avoid falling victim, but I discuss new techniques that cybercriminals use. Doing this ensures that our employees know what to look for, which goes a long way in protecting information.
I can tell you with certainty that clients that keep their employees aware of existing and emerging threats rarely call us for issues like viruses, malware, or encrypted files.
THE IMPORTANCE OF MANAGING PASSWORDS
Strong Passwords and Password Managers are crucial components of network security. Ensuring that employees are following password best practices strengthens your security and provides them with the information they need to keep their personal information safe. Knowledge of the fundamentals, such as having unique passwords on every account, the importance of not sharing passwords, and understanding how cybercriminals steal passwords, will go a long way toward ensuring your business information is safe.
WHAT TO DO WHEN THE WORST HAPPENS
It’s essential to explain to your employees what to do if they fall victim to a cyber threat. No matter how prepared we are, it can happen, and it has been proven that those who react quickly to mitigate the threat will significantly reduce the impact of a hack.
In today’s world, threats exist all around us. Automated attacks constantly target us through text, emails, and infected websites. Teaching yourself and your employees about these threats, sharing best practices, and reacting to a breach is a proven way to reduce the risk of a successful cyber attack. It takes everyone on your team to protect your business’s information from cybercriminals. One weak link can spell disaster for a small business!
President And Owner
I left big business to start Clark Computer Services in 2003; not because I had a grand vision, but because I had three young children who needed their Dad around. Knowing I had to replace my salary, I went door-to-door visiting small businesses to introduce myself and ask if they needed IT support. I heard story after story from business owners and office managers about IT companies not returning calls and emails, grumpy technicians showing up late or not at all, and systems being down for days, weeks, and in some cases…months. I realized quickly that there was a clear and pressing need for reliable, honest, and professional IT support completed pleasantly and on time.