It sometimes seems that every time you check the news, you read about yet another company that has been hacked, or had its data breached. But how do those breaches occur? And who gets hacked? And why?
A recently published study decided to look into all the hacks and data breaches that have affected Fortune 500 companies over the past decade. Fortune 500 companies are the best and brightest of the business world, employing the smartest and most capable people around. They have huge budgets at their disposal to invest in anything they like – including top-of-the-line cybersecurity.
So, if even they get hacked – is there any chance for the rest of us? The answer is yes. While more than one out of four companies in the Fortune 500 list were hacked, many of those hacks were preventable. Fortune 500 companies, like all of us, make mistakes. Looking back on these mistakes, some of them are almost laughable.
After plowing through the data, we’ve compiled some of the most common reasons for the hacks, and, more importantly, what your small business can do to prevent falling prey to the same mistakes.
Employees Are A Company’s Greatest Asset – And Curse
A company cannot exist without its workers – that’s a given. But as much as workers are an integral part of the company, they are also the ones most likely to take the company down – at least when it comes to online security.
The news is dominated by stories of scary online hackers – geniuses who wield enormous (and menacing) powers from down in their basement. In reality, however, the most common reason for data breaches is a company’s employees.
Take CitiGroup, for example. In 2010, 600,000 CitiGroup customers were shocked to find that their Social Security number was printed on the outside of the envelope sent to them with their annual tax documents. Amazingly, none of the workers who worked on the annual tax documents noticed the gaffe.
A mere three years later, Citi’s employees again caused embarrassment to the bank. 150,000 of its customers who had filed for bankruptcy found their details – including their social security numbers – online, after an employee accidentally published the database without hiding the sensitive data.
Coca-Cola also found itself in hot water due to employee negligence. In 2017, the conglomerate reported that the personal details of close to 3,000 individuals were leaked, after an employee opened a phishing email.
While human beings are prone to making mistakes, it doesn’t mean that you can’t train your employees to identify and prevent those pitfalls.
The first thing you should do is establish a cybersecurity policy and appoint a person in charge. Make sure the person is aware of the importance of the position, and won’t see it as an additional burden. He or she should also have the appropriate position within the company to be able to command authority.
The policy should state clearly that any suspicious email should be immediately forwarded to the person you appointed. It should also include strict and acceptable ways for employees to access data: Can they do so from their own home network? Should all the information in the company be shared? What access to data to you give out to your freelancers and/or remote workers?
Create quarterly trainings for employees on cybersecurity: How to spot email phishing, safe access to private data, storage (and access) to sensitive data, and more.
Try to make the trainings as engaging and interactive as possible. Try quizzes for example – there are a ton of free quizzes around, including this one from Google.
Make Sure You Do Your Due Diligence On Your Suppliers
Not all the Fortune 500 companies that were hacked were hacked on account of their own missteps. In quite a few cases, the blame for the hack or data breach lay solely in the hands (or keyboard) of a third party.
Abbott, for example, just recently learned that one of its suppliers lost a portable drive, that included highly sensitive data on its employees – including social security numbers and stock options.
And, in 2018, a contractor of Aflac, notified the company that they were hacked, leading to leakage of Aflac’s customers’ data.
Your employees are not the only ones who can cause you trouble when it comes to cybersecurity – so can your contractors and suppliers. As such, as part of the due diligence that you do before starting to work with new contractors and suppliers, make sure to ask them questions about their online security do’s and don’ts.
How do they store sensitive data? If you need to share sensitive data with them, it’s not enough to ask them to sign an NDA. You can – and should – make requirements and decisions on how that data should be stored. For example, you can demand that only your contact person be exposed to sensitive data.
Keep in mind that as far as your clients are concerned, if their data leaks, it’s you who’s to blame. As such, you need to do everything you can to make sure that your data is safe – with your employees and suppliers.
Outside Threats Do Occur
Sometimes, companies do get hacked even though many of those hacks are preventable. In 2013, PNC Financial Services found itself under DDoS attack, with 5 million of its customers prevented from accessing their accounts. And, in 2017, Sears Holdings, the parent company of Kmart, reported that the retailer’s payment system was infected with malware.
It’s highly unlikely that hacking schemes will go away anytime soon. On the contrary, you should assume that as time goes by, the sophistication of hackers, malware and viruses will only continue to increase.
That’s why you should use cybersecurity apps like VPNs and anti-viruses and make they are always up to date. You should consider the costs of such apps as a necessary investment in your company’s well-being – just like insurance.