Basic Internet security training for your staff
Technology has changed the way we do business. Most businesses use the Internet and email for storing and archiving sensitive data, interacting with customers and even for co-ordinating banking, payroll or other services.
Cyber crime has developed and advanced alongside these technological improvements, which means your business is at risk unless you train your staff and take steps to protect your information. Whether you have one or many computers connected to the Internet, understanding the types of cyber crime and training your staff to spot potential scams are key to keeping your business free of attacks.
On this page:
- Understanding cyber crime
- Internet and email threats that can harm your business
- Where your employees can be the weakest link
- Developing a company Internet policy
- Implementing a company Internet policy
Understanding cyber crime
The most common types of cyber crime - a broad term used to describe many different illegal or illegitimate online activities - include identity theft, fraud, spreading obscene material, unsolicited or ‘spam’ email, and spreading computer viruses or malicious software known as ‘malware’.
According to the New Zealand Police and the Ministry of Consumer Affairs, 70% of New Zealand adults have been the target of some kind of cyber crime, most commonly Internet or email scams, fraud, or virus or malware attacks. Astonishingly, New Zealanders lose up to $500 million each year owing to international scams and fraud, with the majority of these being cyber crime.
The good news is that by understanding the threats and establishing some simple online guidelines for employees, you can be confident that your business has good systems in place to defend against cyber crime.
Internet and email threats that can harm your business
Technological advances in malware, spyware and computer viruses have made it easier for cyber criminals to hack into computers. As a small business, you probably think it won’t happen to you, but SMEs often have less sophisticated IT security measures compared with larger organisations, making you an easy and attractive target.
Cyber criminals will look to access information to use illegally for financial gain. They might try to find out your company credit card details to go on an online shopping spree, or attempt to obtain your bank account number and online access details. Company databases containing customer data are another popular target for cyber criminals. These are either sold on to other criminals or used directly to commit identity theft and fraud.
Intellectual Property (IP) theft and industrial espionage – the act of one company trying to spy on another for gain – are also on the rise. You can reduce your exposure to these risks by limiting staff access to information on a need-to-know basis, and by making your employees aware of the risks of IP theft and espionage so that staff don’t unwittingly hand over sensitive information. Also be on the lookout for staff using portable storage devices – memory sticks, USB drives and anything else that can be plugged into the USB socket of a computer to copy information. A typical USB flash drive is the size of a house key and can hold up to 8 gigabytes of information (enough to store at least tens of thousands of Word documents, depending on the average file size).
Malware is usually downloaded without the user’s knowledge, bundled with programs such as toolbars and even bogus anti-virus software. Most malware transmits data over the Internet, including your browsing habits and other personal information. More dangerous forms of malware contain keylogging software that records the keys typed into websites; the recorded keystrokes are then used to obtain online banking and email passwords. You can reduce your exposure by asking staff not to download programs and by installing modern anti-virus software to detect and remove malware.
In addition, you can ask staff to review the passwords they use to access their workstations. Strong passwords are long (typically 7-10 characters), contain a mix of upper and lower case letters and numbers, and aren’t similar to other passwords staff might use for personal sites such as Facebook or for online banking. Passwords should also be changed regularly, every few months.
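The rules in the paragraph above can be turned into a simple check that staff or an administrator can run before a password is accepted. This is an added example, not code from Business.govt.nz; the minimum length of 7 (taken from the "7-10 characters" guidance) and the 0.7 similarity threshold are assumptions, and the similarity test uses Python's standard-library SequenceMatcher to catch near-reuse such as changing only the year.

```python
import re
from difflib import SequenceMatcher

# Assumed cut-offs for this example: the text gives 7-10 characters as typical,
# so 7 is used as the minimum; similarity above 0.7 counts as "too similar".
MIN_LENGTH = 7
SIMILARITY_LIMIT = 0.7


def check_password(candidate, other_passwords=()):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower case letters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper case letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    # Compare case-insensitively so "Summer2019" and "summer2020" are caught,
    # not just exact reuse of an existing password.
    for other in other_passwords:
        ratio = SequenceMatcher(None, candidate.lower(), other.lower()).ratio()
        if ratio > SIMILARITY_LIMIT:
            problems.append(f"too similar to an existing password (similarity {ratio:.2f})")
            break
    return problems


def is_strong(candidate, other_passwords=()):
    """True when the candidate passes every rule above."""
    return not check_password(candidate, other_passwords)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    previous = ["Summer2019"]
    for pw in ["summer", "Summer2020", "Tr4ilhead-Mug"]:
        print(pw, "->", check_password(pw, previous) or "OK")
```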
Many viruses are spread as email attachments that appear to be harmless. Often an email will encourage you to open an attachment by pretending to be a joke, video clip or photograph. Teach staff to never open attachments or click on links in emails from unknown people. If in doubt, don’t open an attachment even if it is from a friend or colleague – infected files can be forwarded to contacts without the sender being aware.
Unsolicited or ‘spam’ email might not seem like a problem as long as nobody opens the messages. If your staff use their work email accounts for work purposes only, they shouldn’t be getting much spam in the first place, so make it clear to your staff that they should not use their work email accounts for personal correspondence. In addition, you can use a server-based spam filter as another way to stop spam reaching your business’s inboxes, but you will need to check the filter periodically so that genuine messages caught by it aren’t lost.
Internet security doesn’t end with your work computers. Working from home or using mobile broadband or WiFi hotspots also exposes you to potential threats. Make sure every device connected to the Internet has the latest software updates and anti-virus protection.
Where your employees can be the weakest link
Internet and email scams can be easy to spot, but in recent years cyber criminals have gone to elaborate lengths to try to seem as plausible as possible.
Cyber criminals often manipulate unsuspecting employees into divulging sensitive information through a variety of means, the most serious being phishing.
Phishing is a way of obtaining personal information, credit card numbers or passwords by fraudulently claiming to be a trustworthy person or organisation. Common forms of phishing include email messages claiming to be from your ISP or bank and requesting passwords or PINs. These emails often look authentic, emulating the look and feel of the real organisation’s site. Phishing can also happen over the telephone, with the attacker pretending to be from your company’s IT department or bank.
Other ways your Internet security can be compromised include:
- By downloading material such as bogus anti-virus software that contains malicious software. As a rule, staff shouldn’t install downloaded software without checking with an IT professional. Many free programs contain malware or viruses. Ask your network administrator to prevent users from installing downloaded executable files.
- By using Peer-to-Peer (P2P) or file-sharing networks such as BitTorrent at work – this content might contain viruses or other malicious software.
- When receiving messages forwarded from friends and family that contain viruses. If the sender is infected, messages are often forwarded on without the sender’s knowledge. If in doubt, delete any strange messages and never open attachments.
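The warning signs described in this section (a sender that is not who it claims to be, a request for passwords or PINs, a link whose text names one site while the address leads to another, and an executable attachment dressed up as a photo) can be screened for automatically. The following is an added example, not code from Business.govt.nz: it uses only Python's standard email library, the trusted-domain list is an assumption, and the sample message it checks is constructed for the demonstration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed for this example: the only domains staff legitimately receive mail from.
TRUSTED_SENDER_DOMAINS = {"example-bank.co.nz", "ourcompany.example"}
CREDENTIAL_WORDS = re.compile(r"\b(password|pin|account number|login details)\b", re.I)
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".js", ".vbs", ".com")
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def host_of(url_or_addr):
    """Domain of a URL (after '://') or of an address (after '@'), minus 'www.'."""
    host = url_or_addr.split("://", 1)[-1].split("/", 1)[0].split("@")[-1]
    return re.sub(r"^www\.", "", host.lower())


def phishing_indicators(raw_bytes):
    """Return the list of warning signs found in one raw e-mail message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    found = []
    sender = parseaddr(msg.get("From", ""))[1]
    if host_of(sender) not in TRUSTED_SENDER_DOMAINS:
        found.append(f"sender domain not trusted: {host_of(sender)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if CREDENTIAL_WORDS.search(text):
        found.append("message asks for a password, PIN or account details")
    for href, visible in LINK.findall(text):
        if "." in visible and host_of(visible) != host_of(href):
            found.append(f"link text {visible!r} actually points at {host_of(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            found.append(f"executable attachment disguised as a file: {name}")
    return found


def build_sample():
    """Constructed sample message (not a real e-mail) showing all four signs."""
    m = EmailMessage()
    m["From"] = "Example Bank Security <alerts@example-bank-verify.info>"
    m["Subject"] = "Urgent: confirm your account"
    m.set_content("Please confirm your PIN and password at the link below.")
    m.add_alternative('<p>Go to <a href="http://198.51.100.7/login">'
                      'www.example-bank.co.nz</a> and enter your PIN.</p>', subtype="html")
    m.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                     filename="holiday_photo.jpg.exe")
    return m.as_bytes()
```

Running `phishing_indicators(build_sample())` lists all four signs; a plain internal message from a trusted domain returns an empty list.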
Developing a company Internet policy
Training your staff to avoid the pitfalls of inappropriate online use can be as simple as developing a company Internet policy with guidelines for safe practice. The benefits of this type of training include a reduction in the risk of security issues arising and improved IT and online skills in your staff.
Download this free Internet policy template and adapt it to suit your company’s needs. The template contains examples of threats and guidelines for reducing risks when working online. You can also use this article to introduce the topic to employees. Finally, don’t forget to make explaining your company Internet policy part of the induction process for all new employees.
Implementing a company Internet policy
It is important when writing the policy to clearly state who is responsible for implementing the plan and carrying out ongoing monitoring. If your business has more than a few staff or uses a departmental structure, be sure to include a timetable for implementation so everyone stays on the same page - communication is the key.
Given the high speed of development in the IT industries – and the fact new viruses, scams and malware are detected all the time – it is best to do as much as you can to stay informed about the latest threats. One easy way to do this is to sign up to Internet security newsletters such as this one from Microsoft.
From there, it’s just a case of regularly reviewing the policy as online threats are detected, or at regular intervals.
This information is provided by Business.govt.nz
