CALL US NOW!
Use our business to support your business! Contact Us today for all your IT Support needs!
Eonvia 021 4642096
A Company’s Best Asset can be its Greatest Weakness too!
It should be part of a company’s regular meeting process to highlight how Data Protection is a critical part of every employee’s role:
Every person who is responsible for using any data in the company needs to remember
- Stop & Think: if an external source is asking for company information, the employee needs to stop and think: why am I being asked for this information, who will be using it, and for what purpose?
- If an employee is using information from outside sources, they need to think: has this information been verified by a legitimate source? Do I need to check further before trusting it?
Companies especially need to emphasise the risk of a data breach from user carelessness. Too much damage can result from just a single click!
Most people want to be helpful, but you need to retrain your employees to be vigilant and aware of what information they should withhold.
A phishing attack is one where an attacker is looking for information they can use for fraudulent purposes. They try to obtain it by getting people to reply to information requests, to click on email links that lead to fraudulent sites, or to reveal important financial details.
Sometimes these attempts are done in stages: a front-line employee is first approached for information that sounds harmless, such as the internal email addresses of managers in the company. That information then allows the attacker to impersonate those managers’ email addresses at a later stage and extract more targeted information from unsuspecting employees.
If you get a text or email, even one that seems to be from your boss, check that the actual sender address matches the name shown and the address you normally see for that person. The display name is chosen freely by whoever sends the message and proves nothing on its own. If the tone of the message feels off, be wary!
- Employees should NOT give out unnecessary information on a phone call.
- They do not need to answer everything they are asked by a cold caller. They should be trained to give stock answers if they feel they are being pressured to give out company information.
- It should be standard practice to get a contact number and call back details for a manager to ring back if the employee feels that a cold caller is phishing for too much information.
- If you are being asked for a lot of information, or feel under time pressure from the caller to hand it over, stop and ask yourself why. These callers are skilled at getting answers to questions, at putting people under an imaginary deadline, and at piling on pressure in order to get the information they need.
Employees need to be able to recognise, neutralise and report any attempts by unauthorised people to get company data for fraudulent purposes. The risk from a large number of attacks can be hugely reduced if employees are continually vigilant and educated in protecting company data.
- If a company you know contacts you by email and says that they are changing their bank details, do not take this at face value! It is easy to make an email appear to come from a legitimate company.
- Ring the company using a phone number from a verifiable source (not one taken from the email you received!) and check with them whether they have actually changed their bank details. A large number of people fall victim to this change-of-bank-details scam.
Phishing attacks succeed when people don’t stop and think. Always double check whether it is safe to click on a link, whether it is safe to give out information, and whether it is safe to do what is being asked of you, especially when you are being pushed against a deadline.
If the worst happens and an employee suspects they have caused or fallen victim to a data breach, they need to know to report it immediately to a designated person in the company, and that they will be supported in fixing the issue and ensuring it won’t happen again. If an employee fears reprisal for a data breach they are less likely to report it, and the longer the problem goes unreported the greater the cost and damage associated with it.
As well as phishing attacks there are malware attacks, where an attacker uses infected software that gets installed because a user clicks on a link, or doesn’t check that the application or toolbar they are installing is safe. The infected device then gives the attacker back-door access to the company’s information, and a foothold on the company’s network from which to reach other systems.
Every company should have training sessions on data protection with every new employee and frequent refresher courses to ensure employees are hyper-vigilant about NOT clicking on links in emails or opening email attachments.
- If you get an email, even one that appears to be from a reliable source, never click on a link or open an attachment without first scanning the email and attachment with anti-virus and anti-malware software. Bear in mind that a clean scan is not a guarantee: a freshly made attachment or a link to a fake login page will often pass, so if you were not expecting the message, confirm with the sender through a channel you already trust before acting on it.
- Never install unapproved toolbars, apps, games or any other piece of software that hasn’t been checked for malware by the company’s IT department.
A company’s firewall mainly blocks unsolicited connections coming in from outside. If an internal employee clicks an email link that delivers malware or a trojan horse, the malicious code runs on the inside and typically connects outwards to the attacker, which most firewalls allow by default, so the damage is done internally.
Other areas where data protection can be weak, and where companies can raise data protection awareness:
- Relying on a password alone to protect data leaves it vulnerable to password guessing, brute-force and credential-stuffing attacks: use MFA to add a further layer of protection.
- Creating weak passwords and/or storing them insecurely: use a password manager to generate strong passwords and keep them safe.
- Reusing the same password across different accounts and systems: password managers can run security score reports and highlight this weakness for you.
- Plugging infected personal devices into company computers or the company network: the employee handbook or induction training should make clear that the company has a policy against this.
- Creating rules in email accounts that automatically forward messages to external accounts: this should be limited or prevented as far as possible. Employees should be aware of what data is leaving the company, and everything should be checked before it is sent.
Every company should have data protection policies in place:
- Enforce Multi-Factor Authentication (MFA) for all employee accounts. With MFA a user needs a password plus one further user-specific factor, e.g. a code from an authenticator app on their phone or a fingerprint, to access a company account. Passwords alone no longer provide sufficient protection; MFA gives an additional layer of security.
- Use a reliable Password Manager. Make employees aware that using one password on different accounts is a no-no! Provide them with a secure password manager application that keeps track of passwords for users and removes the need for writing them down on paper, using one password on all accounts, using weak passwords, etc.
- Enforce a policy whereby personal devices are not plugged into company computing equipment.
- Companies should ensure they have separate Wi-Fi network segments for guests and external users of the company’s network. The IT department needs to perform regular checks of network port access and use and of Wi-Fi network traffic, and make sure firewalls and security software and firmware are updated regularly.
- Companies should have tried and tested backup and restore procedures in place.
- Operating systems and software on all computing devices have to be kept up to date, and antivirus and anti-malware software on all devices needs to perform regular scans so as to detect any unauthorised files or applications.
- Companies should have their IT department perform regular checks of audit logs. For example, Microsoft 365 subscriptions allow companies to limit access to company data to specified trusted locations or IP addresses, and audits of the logs show whether non-owners have accessed email accounts and whether email forwarding rules have been set up without approval.
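As an added example (not from the original page, and not Eonvia’s own tooling), the following Exchange Online PowerShell commands show how an IT department could carry out the checks described above in a Microsoft 365 tenant: list mailboxes that forward mail outside the company, list inbox rules that forward, redirect or silently delete mail, pull the audit log entries that show who created or changed such rules, and then turn off automatic forwarding to external domains. It assumes the ExchangeOnlineManagement module is installed, the signed-in account has Exchange administrator rights, and unified audit logging is enabled; the 30-day window and the output file name are arbitrary choices for the example.

```powershell
# Added example: audit Microsoft 365 mailboxes for forwarding outside the company.
# Assumptions: ExchangeOnlineManagement module installed, signed-in account is an
# Exchange administrator, unified audit logging enabled (needed for step 3).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; an MFA prompt is expected

# 1. Mailbox-level forwarding, set by the owner or by an attacker holding the owner's password.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward, redirect or delete mail.
#    A common attacker pattern is a rule that forwards everything to an outside address and
#    deletes the copy, so the owner never sees replies to an invoice or "new bank details" email.
$suspectRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$suspectRules | Format-Table -AutoSize

# 3. Who created or changed rules and forwarding settings recently.
#    Review the AuditData column for rules created outside office hours or from
#    IP addresses the company does not use.
$since = (Get-Date).AddDays(-30)   # 30-day window: arbitrary choice for this example
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation   # file name: arbitrary

# 4. Policy: block automatic forwarding to external domains for everyone.
#    The outbound spam filter setting is the current control ("Off" blocks and reports);
#    the remote domain flag is the older control and is cleared too for completeness.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run steps 1 to 3 on a schedule and compare the output with the previous run; any new forwarding target, and any rule whose name is blank, a single character or a string of dots, deserves a phone call to the mailbox owner. Step 4 is a one-off change that should be agreed with management first, since it will also stop legitimate forwarding that staff have set up to personal accounts.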
Data breaches are expensive: in addition to the information lost or fraudulently used, there is the cost of the damage done to the company’s reputation and the not insignificant cost of reporting the breach to the Data Protection Commission in Ireland and resolving it. Under GDPR a notifiable breach must be reported to the Commission within 72 hours of the company becoming aware of it, which is another reason employees must report incidents immediately.
The strongest defence a company can have is a layered one, where multiple policies are in place to defend against and limit any data breach. A company’s first line of defence is its staff, who must be continually aware of and educated on the risk to company data and their role in protecting it.
We in Eonvia are happy to assist you in setting up data protection policies and backup procedures, and in performing audits of your company logs and computing equipment, to ensure you are in the best position possible to limit your company’s data vulnerability.
Contact Us today for fast, friendly advice on all your computing needs.