8 Effective Information Security Measures to Safeguard Your Firm
Cybersecurity threats continue to evolve as cybercriminals become more sophisticated, even using advanced technology, such as artificial intelligence (AI), to carry out their scams. They also try to exploit human vulnerabilities, duping their targets into revealing sensitive information by clicking on questionable links or responding to phishing emails. In fact, human error accounts for up to 95 percent of security breaches.
So, what information security measures can you take to keep your clients’ and your firm’s data safe? These eight steps can help ensure that everyone is prepared when threats arise.
1. Keep Your Policies Current
Your information security policies should address all your business security concerns and practices, including client identification and authentication, document shredding, and device encryption. Make sure your staff has easy access to these policies and review them on a quarterly or annual basis to keep them relevant.
2. Make Sure Devices Are Secure
Requiring smartphones to have full-device encryption and strong lock screen passcodes (ideally, six digits) will help mitigate data breaches. When working remotely, employees should always use the firm’s virtual private network. Also, make sure they know about the risks—and your preferences—when connecting to potentially unsecured or public Wi-Fi networks. Finally, remember to back up all information on company devices so it can be restored quickly in the event of an attack.
3. Help Avoid Phone or Text Message Scams
Anyone answering the phone or responding to a text could potentially be the weak link that opens your business to a breach. Potential phone scams (vishing) have evolved to the point where AI or voice-cloning technology can enable someone to sound exactly like the client they’re impersonating. Text scams (smishing) may make an unusual or irrelevant request or seem to come from a client who rarely communicates with your firm this way.
To help defend against fraudulent transactions, let your team know how to recognize a phone scam and how they should proceed:
Verify callers. When a call comes from an unknown number, ask for a name and the reason for calling. If they’re unwilling to verify their identity, call back using the phone number of record (e.g., your client’s number on file).
Stay alert. If a caller requests sensitive information about your client or firm, remember to question its legitimacy. If you can’t verify their identity, request an in-person or videoconference meeting.
Request a call-back number. A legitimate caller is likely to oblige, and you can independently verify the number before calling back.
4. Prepare Employees for Phishing Emails
Phishing, or scam, emails are the most common type of cybercrime reported to the FBI—accounting for 90 percent of all cyberattacks. Advanced spam filters and antivirus software may help, but the most effective means of reducing your phishing risk is to share the signs of a problematic email with your staff, which include:
Unexpected requests
Pressure to take action
Typos and poor grammar
Requests for sensitive data
Let the team know what to do if they come across a questionable email:
Never click on an unfamiliar link. Always open a new browser window and go directly to the account’s site to log in.
Delete suspicious emails. Forwarding them increases the chances that someone will click on a bad link.
Verify the sender. Research the official website of a business or individual before responding.
5. Train, Train, and Retrain
Information security measures should include training for new employees as well as ongoing reinforcement of the policies and best practices you’ve adopted. That way, new hires will understand your firm’s security practices from the get-go, and seasoned employees will have their secure habits reinforced.
To get started:
Make a plan. Identify the goals of your information security awareness program and how you will achieve them.
Create a calendar. Schedule when different phases of your training will take place during the year.
Share your plan. Demonstrate your commitment to starting and maintaining your program so everyone is on the same page.
Check your tone. Keep your staff aware of the risks without sharing “shock value” material to get their attention.
6. Take Advantage of Cybersecurity Training Software
Security education software programs can provide training (e.g., interactive games, presentations, and videos) to help prepare your staff for incoming threats. Some programs include simulated phishing tools to create fake emails. Knowing how many people clicked on them will provide a baseline of your firm’s security awareness and can make your training more effective.
7. Keep Up to Date on the Latest News
Share news that may be pertinent to your firm, such as a breach in the software you use. Also, compile any major headlines into a newsletter or a Microsoft Teams chat. These updates may alert staff to something they didn’t know and will help keep security top of mind without interrupting anyone’s workday.
8. Know What to Do When an Employee Leaves
Ensure that you collect any company property, keys, and passes that terminated employees have in their possession. Remove their ability to access any third-party vendor accounts, and change any passwords they may know.
Your Employees Are the Key to Staying Safe
Implementing effective information security measures will help your staff recognize the signs of an attack and know how to respond. By training them, reinforcing that training at regular intervals, and keeping them aware of new threats, security awareness will become second nature to everyone at your firm. And that will do more to keep you safe than even the latest software.