Lots of people enjoy a good scary movie or tv show, and I’m no exception. Sure, monsters, ghouls and goblins are frightening, but you know what really keeps me up at night? The fact that the number one cause of a data breach is a company’s own employees.
No matter how hard IT professionals work to implement secure technology and keep it updated, there is always a vulnerable ingredient in the mix: the individuals using that technology. There are plenty of bad actors out there looking to trick you, and the consequences of a data breach can be staggering. Violations of data security regulations, whether intentional or not, can cost millions of dollars in lawsuits and fines. But don’t be paralyzed with fear – there are steps you can take to minimize the risk.
As an HR or Recruitment professional, the most you can do is worry about your slice of the pie. If I’m crossing the street, I want to take a moment to look both ways. When it comes to data security, a few extra moments per day can be a lifesaver. Knowing and understanding that the most likely way a hacker will take a bite of your slice is by tricking you is the first step.
One thing many security folks don’t like to admit is that security comes at the expense of convenience. There is nothing convenient about having to re-verify a website login with a text or push notification to your phone, or having to constantly update your password and then getting locked out of your account as other devices try to automatically log you in using your old saved password. There is nothing convenient about not being able to trust your email completely. However, as anyone who has dealt with a data breach can tell you, those inconveniences pale in comparison to the pain of suffering a data breach: the pain of your company’s data being locked and held for ransom; being sued by clients for losing their data; or getting fired for not following policies designed to keep that data safe.
Here are some practical tips that will help you look both ways before crossing the digital street:
- If you’re unsure a message, file, or call is legitimate, STOP! Ask for help and/or validation before you act. That includes downloading any files, clicking on any links, and responding to any calls.
- Check with IT, and/or call the individual directly to verify the request. Even if an email seems to originate with IT, be wary – there are people who send emails pretending to be your corporate IT, demanding that you download and install a file ‘immediately’. This is a red flag that could indicate an attack.
- Never provide sensitive information, such as financial or customer account data, to an inbound caller until you have been able to verify their contact details. Have a manager verify the person’s identity before proceeding. Hackers often exploit your sense of urgency so you don’t have time to focus on your suspicions. Before you realize what is happening, the damage is done.
2. Only keep sensitive information on company-approved devices.
- Personal devices may not have the same security features that your company implements. Your IT department will have encrypted hard drives for you to use that make a lost hard drive useless to anyone who finds it.
3. Do not click on links without verifying where the link actually goes, especially if the link is shortened.
- Hackers will send emails from domains that look very close to websites you recognize. You might get an email from firstname.lastname@example.org, a fake site set up by a hacker, with a link that looks legitimate to change your password. If you mouse over the link (without clicking it) you see that they’ve just made the link look real. Always mouse over links to see where they actually go before clicking.
4. Never download and run a file you’re not sure is legitimate.
- Sometimes hackers will send emails from companies you may actually work with, or think you recognize. These hackers often send file attachments you can see, like a pdf or word document, and attachments you can’t, like tracking pixels. This is the primary means hackers use to launch a ransomware attack, in which they take control of your data and bring your business to a dead stop.
5. Enable Multifactor Authentication (MFA) for as many accounts as you can.
- Even if a hacker steals your password, MFA can help ensure they can’t access your accounts. MFA will force you to provide additional verification whenever anyone tries to login with your password. Make sure to only verify the login if you know it’s you trying to login.
These are just a few tips to stay safe. You might not always be able to stop sophisticated hackers from breaking through your company’s defenses, but you can stop the 15-year-old in his mom’s basement (much more common). TMP is committed to security, and in addition to having multiple third parties auditing our security controls to ensure our and our clients’ data stays safe, we take user education and vulnerability testing very seriously.
We’ve just launched https://www.tmp.com/security, where you can see some of our compliance accomplishments, request more info on our security practices, and report any vulnerabilities on our systems that you find. Visit the page and take a look around – I promise, you’ll sleep better for it.