We have recently heard of an employee falling victim to a scam that saw them conned out of hundreds of pounds, after responding to a scam email that they believed to be from their manager. Cyber scams are now all too common and your staff could be at risk if you don’t have adequate measures in place to protect them.
We would highly recommend incorporating IT security policies into your company handbook so that staff all follow the same guidelines.
Here are some of the essentials to include in your policy to protect staff from cyber fraud:
Create a secure password
Hackers are becoming more sophisticated in how they guess passwords and access systems. They can now use software that runs through numerous combinations in an attempt to crack your password.
Here are some key considerations when creating your passwords:
- Password Length
Short passwords are easier to crack (a 3-character password can take less than one second to crack using software!). It’s recommended to keep your passwords as long and complex as possible.
- Make your password a nonsense phrase or word
Passwords that have random words or letter combinations that are not in the dictionary are harder to crack.
- Include numbers and symbols
Use numbers and symbols instead of letters to help make the password more complex.
- Avoid including obvious personal details
Birthdays, pets’ names, addresses: all this information is available for hackers to find online if they want to guess your password. Also, if you are asked security questions as part of systems access or password resets, use personal information that is not easily available online.
- Don’t reuse passwords or old passwords
Some hackers buy and sell data, and many companies have had data breaches. Whilst you might not have been impacted at the time, hackers might try old passwords on new systems. Also, use unique passwords for separate systems.
- Use a password manager to remember all your passwords and store them safely
The challenge in following all the guidelines is that it makes it hard to remember all the passwords to every system and also to store them safely. It’s recommended to use a password manager. There are numerous systems available to help securely store passwords for staff. This not only ensures that the information is safe, it also means it is accessible to colleagues during illness or holiday cover.
- Change passwords regularly
It’s recommended to change your password every 8-12 weeks, especially when using systems that access sensitive data.
Lock your device
When leaving your device unattended, or on leaving the office, you should make sure that you log off or lock your screen to prevent access in your absence. All staff should be advised to do the same.
Lost or stolen policies
You should advise your staff that in the case of a lost or stolen laptop or phone they should notify their line manager immediately.
Protecting data when sharing
Remind staff to be mindful when sharing personal data (data that can identify a person, e.g. their name, address, job title or salary). Ideally, anonymise data where possible and also make sure any confidential documents are password protected.
Malware
From time to time we all receive emails or texts that seem to be official but are actually attempts to get us to click on links that download malware onto devices. If you receive an email that you weren’t expecting, or that contains numerous spelling mistakes, poor grammar or broken English (and that’s not what you would expect from the sender), then do not click on any links, and encourage staff to report such emails to their line manager.
Remind your team to double check the actual email address that the email has come from rather than just the display name. If they are in any doubt they should forward the email to the relevant IT person.
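The display-name check described above can also be automated by whoever looks after your IT. The following Python script is an added example, not part of the original article: it flags an email whose display name matches a member of staff while the actual address is outside the company domain, or whose replies go somewhere other than the sender. The domain, staff names and sample emails are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: your own domain and staff names go here.
ORG_DOMAIN = "example.co.uk"
STAFF_NAMES = {"jane smith", "raj patel"}

def check_sender(raw_email):
    """Return a list of warnings about the sender of a raw email message."""
    msg = message_from_string(raw_email)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    warnings = []
    # A colleague's name on an outside address is the "email from my manager" scam.
    if display.strip().lower() in STAFF_NAMES and domain != ORG_DOMAIN:
        warnings.append(f"display name '{display}' is staff, but address is {address}")
    # Some scam emails put a trusted-looking address in the display name itself.
    if "@" in display and display.strip().lower() != address.lower():
        warnings.append(f"display name shows an address that differs from {address}")
    # Replies routed to a different domain than the sender deserve a second look.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        warnings.append(f"replies go to {reply_to}, not the sending domain")
    return warnings

# Constructed sample messages (not real emails).
SPOOFED = """From: Jane Smith <jane.smith.ceo@freemail.example>
Reply-To: payments@other.example
Subject: Urgent favour

Can you pay for a business item today? I will reimburse you.
"""

GENUINE = """From: Jane Smith <jane.smith@example.co.uk>
Subject: Team meeting

See you at 10.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw) or "no warnings")
```

A check like this only supports staff awareness; an email that passes it should still be verified by phone if it asks for money.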
Social Engineering
Scammers have started to use other ways to get money or access to systems. Social engineering is defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Phishing (emails purporting to be from reputable companies or people in order to induce you to reveal personal information, such as passwords and credit card numbers) is one example. Other examples are personal emails that seem to come from people you know, asking for money to be transferred to their account in an emergency or for you to pay for business items for which you will be reimbursed.
Clearly brief your staff, in person and in your company handbook, that you will never email them asking for money or for them to pay for business items unless previously agreed. If they receive an unexpected email, encourage them to call the sender to check it’s from them and report any suspicious activity to their manager.
Read more about Cyber security on the NCSC website.
For support with your policies and company handbook from our team of HR Consultants, find out how to work with Bespoke HR here.