3 cybersecurity questions to ask for your business - and your love life
The helpful folks at the National CyberSecurity Alliance put out a lovely tip sheet on how to avoid online romance schemes this Valentine’s Day. It offers good advice, such as checking your account settings to see what you are revealing about yourself publicly and being particularly wary of any messages you receive asking you to click a link or provide personal information.
These are great tips for the wayward romantics out there, but they are also great tips for general cybersecurity and protection. I was especially drawn to this portion of their tip sheet.
If you take the word “me” and replace it with “my company,” this is a really good exercise that you can do at any time to evaluate the cybersecurity of your company’s social media.
How could a scammer target my company?
Why would a scammer choose to target my company?
What information could a scammer use to target my company?
I’d encourage you to put these three questions somewhere where you can see them and review them with your team periodically. A couple of points to highlight here:
Remove the blinders. No matter what your company does or how big it is, you are not immune to a cyber attack. A great recent example is the water treatment plant in Florida that was hacked in the lead-up to the Super Bowl last weekend. I am certain there were a lot of higher-priority and flashier targets in that general area. But hackers intentionally looked for a more vulnerable and probably less well-guarded target. In fact, being a smaller company may make you a more likely target. You can’t just assume because you aren’t a Fortune 500 company that cyber criminals won’t target you. And if you are a Fortune 500, cyber criminals are definitely targeting you.
Cybersecurity is something that requires constant vigilance. Many people make the mistake of assuming they can do a cybersecurity exercise and then they are done with it at least for another year or two. But the internet is not static. Technology changes all the time, pretty much daily. Think about how frequently the apps on your phone update. And since the risks change all the time, so do your vulnerabilities.
Cybersecurity is a team activity. I would highly encourage you to pose these questions to your team regularly. It gets people thinking about cybersecurity and seeing things from outside of their typical role. It asks people to think like a criminal and to identify risks before they become problems. Asking these types of questions regularly brings cybersecurity to the forefront and it also tells people that it’s OK for them to raise their hand if they feel there is something that could be done in a more secure manner. Especially if your organization is more than a couple of people, it is very likely your front-line employees who know where the risks lie better than you do. You should ask them and encourage them to speak up.
Think like a hacker. One of the keys to answering the three questions above is to think not like a CEO or business leader, but to think like a hacker. What information is publicly viewable that maybe shouldn’t be? Where are your vulnerabilities? Which tools are you using, and are you sure they are secure? How do you know? Are there ways hackers could compromise your email system, your internet connection, the Wi-Fi networks of employees working from home, or your physical office space? Are your employees using personal devices to conduct company business? Do you share passwords in ways that are not secure (like emailing them back and forth)?
Practice makes perfect. Major corporations do phishing exercises, where their IT or cybersecurity teams send an email that looks legit and often contains a link to click, an attachment to open, etc. They test how many employees catch and report the scam and report the results by department. (Note: this means that there is an official process for reporting such scams.) Even if you run a smaller company, this could be an interesting method to model. A great way to raise your employees’ awareness of cyber scams is to help them learn to identify them with real-world exercises before they are targeted by actual scammers.
So, certainly, if you are looking for love, please heed the excellent tips from the CyberSecurity Alliance this Valentine’s Day weekend. But if you are a business owner looking for cyber safety, please heed these tips year-round as well. And if you’re looking for more tips, check out the Governance portion of my website for additional posts about how companies can keep their social media safe.