Business Team Cybersecurity
Let’s talk about what you can do to develop a business team full of cybersecurity Warriors. The BEST warriors. The kind of cybersecurity-conscious team that can help you detect and prevent threats.
At IT Ninjas we believe that training people to effectively protect themselves will in turn help protect your business. We focus on personal cybersecurity habits. If you have good cybersecurity habits in your personal life you’re more likely to practice them in your business life as well.
To be blunt, you can whip someone into the lowest level of compliance according to your company’s cybersecurity policies, or you can train them to see the value of cybersecurity in their own lives. In turn, they will push the boundaries of your policy and ask what else they can do to improve your cybersecurity posture.
We all fundamentally know we’re responsible for our own personal cybersecurity, but at work, we act like cybersecurity is someone else’s job. Why is that? Are we all really just assuming IT will take care of it?
Getting to a high level of accountability regarding cybersecurity is a people, process, and governance issue. Still, cybersecurity for small business doesn’t need to be complex. It’s all about fundamentals and good habits. Let’s talk about some basic, affordable cybersecurity habits and solutions for developing your business team.
Stop Sharing User Accounts
I cringe every time I see this. Many receptionists or front office staff share a computer and a number of system logins. Some businesses choose not to assign individual emails to users and instead have them share.
There are situations where sharing passwords securely makes sense. They are rare and require a mechanism to be shared securely.
The more people know a password, the more vulnerable it becomes. People trigger breaches. By sharing login information you’re poking holes in your cybersecurity to gain a little convenience. You are multiplying the chance that a breach will occur.
Shared logins also provide no audit trail. You cannot determine who did what, and where. The best you can do is implicitly identify who was most likely responsible for the situation. This may be OK for most scenarios, but it will not hold up in the face of litigation.
The Impact of Sharing Logins
It is likely in these scenarios that there will be a post-it or some notepad full of passwords somewhere in the workspace that can be easily accessed and exploited. It is an absolutely terrible habit to write passwords down and leave them on your desk. This is further compounded if you reuse passwords. Anyone who accesses your desk and knows your personal email account can now access your other accounts.
A whopping 95% of survey respondents share up to 6 passwords with other people and 59% are re-using passwords.inc.com
Those are bad numbers for business team cybersecurity. Stop writing passwords down and leaving them on your desk.
There is literally no good reason to share computer logins and email accounts. It’s unnecessary. Setting up an account properly takes 2 minutes at best.
What about accounts with more expensive licenses? Some systems cost hundreds of dollars per license. This is yet another area that a password manager can help you.
Most business-class password managers have a secure sharing feature. This will allow you to share the password to these expensive systems amongst a group of approved users and also provide an audit trail. You can review who accesses the password, and when.
Small businesses tend to have little to no Governance. Specific to cybersecurity, a great place to start is to have very basic policies in place. Governance is an area that can contribute directly to your antifragility.
Governance and how your business is enforcing its policy documents are huge factors in your company’s culture. Anyone who worked at enterprises with poor governance will attest that the culture in these companies tends to be bad, extremely tribal, and self-defeating.
First, you need to develop and enforce an Acceptable Use Policy, or AUP. This is a policy that outlines the allowed and prohibited activity an employee can conduct during business hours and on company devices. It can include things like specific disciplinary actions for those who share user account information with their co-workers.
In addition, a Bring Your Own Device policy, or BYOD policy is critical if you are allowing personnel to use their personal devices to conduct business in any way. In some cases, remotely wiping a personal device can become necessary to protect sensitive company data. This wipe will also delete all of the person’s personal data on the device. As you can imagine, that can turn sour in a heartbeat if the employee did not agree to that outcome.
It also helps to do the uncomfortable exercise of analyzing industry-specific threats and breaches you may have experienced. Governance can take you from resilient to antifragile.
As you gain experience you can refine your policies, which makes them stronger.
Also, put an Incident Response Plan in place and follow it. You’ll thank me later.
Last, but far from least, hold a routine briefing with your team. You should already be doing this for other matters, and you can easily add 5-minutes about cybersecurity to it. Depending on your industry, there are usually monthly newsletters on emerging technologies and cyber threats. You can also just reiterate the basics, like the things that we talked about today.
Business team cybersecurity starts with leadership. That means you’ll need to get in front of your team and lead with regards to cybersecurity as well.
Cost Myth Busted
I’m going to briefly outline how much everything that I proposed in this and the last 3 blog entries costs. We’ll use a small, 10-person business as an example.
Most of what we talked about were habits and the dos and don’ts. The few systems we did talk about we’re:
- Password Manager
- Enhanced Email Security
- Phishing Simulation and Awareness Training
I’m also going to use a general, retail price tag for all of these systems. However, one of the bonuses of working with an MSP like IT Ninjas is that we can get you software discounts.
Let’s take a look at the cost of each:
- Password Manager – Lastpass – $6/user
- Enhanced Email Security – Ironscales – $6/user
- Phishing Simulation and Awareness Training – Ironscales (Ninjio add-on) – $1/user
- Total Cost per user – $13/month
Now let’s take that cost and multiply it by 10 users, and we land right at $130/month. You’ve gained 3 critical cybersecurity components: password management and secure password sharing, gateway and mailbox-level email security, and automated training. That’s a lot of bang for your buck.
The last time I checked the median ransomware payout was $270,000.00. For most small businesses, that would be the kiss of death. My personal, very biased opinion is that almost any small business can afford $130/month to protect itself.
I’m calling this myth officially busted.
Look, cybersecurity can be a big scary topic. But the more you address it, the more confident you will become in your cybersecurity posture.
I hope you enjoyed this series of articles. I also sincerely hope that what we discussed today helps you and your team protect themselves. Thank you.