Combating Cybersecurity Risks: Don’t Leave Your Digital Door Unlocked
BY PAUL BANUSKI
Paul Banuski is a human resource consultant for HR One, a full-service payroll and human resource consulting firm. For more information, call the company’s Helpline at 1-800-457-8829. This article was used with permission from HR One.
One question I love to ask employers is, “What is your greatest organizational asset?” Almost invariably, the answer they give me is, “Our people.” And it’s true. People represent one of the greatest assets most businesses have. Then, I flip the question around. “And what’s your greatest liability as an employer?” And, amazingly, the answer is usually the same. “Our people.” Between payroll, benefits, and administration, employees represent an enormous portion of company resources. And that’s before you consider turnover, absenteeism, disciplinary issues, insurance claims and unemployment costs.
Then, there are the cyber security risks…
Organizations large and small have been the target of various hacks, ransomware, viruses and other forms of cyber attacks in the past few years. These attacks can cost millions of dollars to fix. According to international insurer Allianz, cyber attacks have been on the rise every year since 2016, and the claims paid in that time total nearly $900 million. While there are individuals and networks of savvy criminals ultimately responsible, more often than not, they’re able to find their way into a company’s network because an employee has left the digital door unlocked.
Employees don’t mean to do this, of course. But, sometimes they make a mistake and forget to follow security procedures and protocols (assuming, of course, an employer has those safeguards in place). And some cyber criminals aren’t looking for a seven-figure payout; they’re comfortable targeting smaller organizations for smaller amounts of money.
For example, in 2019 the Onondaga County (NY) District Attorney’s office warned of a payroll scam targeting employers using fraudulent email addresses to have direct deposit information changed from an employee to an account set up by the scammer or from hackers using an employee’s account to redirect the paycheck. The district attorney said in a news release, “These requests may look valid, since they often come from the employee’s actual email account which has been compromised, or a spoof email that is designed to appear similar to the user’s email handle (for example, using the number “1” in place of a lowercase “L”). Alternatively, the request may use the appropriate internal organizational forms to change banking information lending the appearance of credibility.”
But sometimes the trick isn’t even that devious. It’s not necessarily a nefarious genius with a high-tech set-up trying to hack your employees or your company. It’s just that too many people volunteer important information on social media and make it easy for people to commit crimes of opportunity.
Think about it. If you have online accounts to manage your banking, credit cards, or payroll, consider the password security questions for those accounts. Often the questions that must be answered when you reset a password on a website are about first cars, names of favorite teachers or pets. Take a quick glance at your Facebook feed and see how many people just in your own network give that kind of information away to the world, either by having a public account or by voluntarily sharing that type of information in various polls or surveys.
There are two primary actions that an organization can take to reduce its risk of being caught in scams like these.
ESTABLISH PROCEDURES
Your organization should have procedures in place for managing transactions like changing direct deposit information, wire transfers and even address changes. If you aren’t using an employee self-service payroll platform, you can require employees to make requests to change direct deposit information in writing using an internal form. Verify all requests with the employee before making any changes to someone’s account. Any deviation from established procedure is at least a warning to be vigilant for a scam.
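The two warning signs described so far, a sender address that only looks like the employee’s (the “1” for lowercase “L” trick from the district attorney’s notice) and a request that skips the internal change form, can both be checked mechanically before anyone touches a direct deposit record. The script below is an added example written for this article, not HR One’s or any payroll vendor’s code; the confusable-character table (beyond the “1”/“l” pair the notice mentions), the employee directory, and the `example-corp.test` domain are all constructed for illustration.

```python
"""Triage incoming direct-deposit change requests.

Every request is routed to the same out-of-band step the article calls for
(call the employee at the number already on file); look-alike and unknown
sender addresses are additionally flagged for escalation.
"""

# Character substitutions that make a spoofed address resemble a real one.
# The "1" for lowercase "l" pair is the one quoted in the DA warning; the
# other entries are constructed for this example. Multi-character pairs go
# first so that "rn" is folded to "m" before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

# Constructed directory of on-file employee addresses (fictional domain).
EMPLOYEE_DIRECTORY = {
    "bill.jones@example-corp.test",
    "maria.lopez@example-corp.test",
}


def fold(address):
    """Lower-case an address and collapse confusable characters to a canonical form."""
    s = address.strip().lower()
    for seen, canonical in CONFUSABLES:
        s = s.replace(seen, canonical)
    return s


def classify_sender(sender, directory=EMPLOYEE_DIRECTORY):
    """Return (verdict, matched_employee).

    'known'     - exactly matches an on-file employee address
    'lookalike' - matches an on-file address only after confusable folding
    'unknown'   - matches nothing on file
    """
    sender = sender.strip().lower()
    if sender in directory:
        return "known", sender
    folded = fold(sender)
    for employee in directory:
        if fold(employee) == folded:
            return "lookalike", employee
    return "unknown", None


def triage(sender, used_internal_form, directory=EMPLOYEE_DIRECTORY):
    """Decide what payroll/HR should do with a change request before acting on it."""
    verdict, employee = classify_sender(sender, directory)
    # The article's baseline rule: verify every request with the employee first.
    actions = ["call the employee at the phone number already on file before changing anything"]
    if verdict == "lookalike":
        actions.append(f"treat as probable spoof of {employee}; report to IT/security")
    elif verdict == "unknown":
        actions.append("sender is not an on-file employee address; do not process")
    if not used_internal_form:
        actions.append("request bypassed the internal change form; deviation from procedure")
    return {"verdict": verdict, "employee": employee, "actions": actions}


if __name__ == "__main__":
    # Constructed sample requests.
    for sender, form in [("bi11.jones@example-corp.test", False),
                         ("Maria.Lopez@example-corp.test", True),
                         ("payroll-update@mail.example", False)]:
        print(sender, "->", triage(sender, form))
```

The folding is deliberately coarse: it exists to raise a flag for a human, not to auto-approve anything, which is why even a “known” sender still gets the callback action.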
EDUCATE YOUR ENTIRE TEAM ON SECURE COMMUNICATIONS
It’s not enough for the HR manager or payroll administrator to use best practices if employees are susceptible to having their email or a payroll self-service account hacked. Require employees to use strong passwords when setting up accounts and to change those passwords on a regular basis. Experian, the credit bureau, offers tips for generating strong passwords. Make sure your employees know the procedures for making a change.
One technique that all employers should be using when it comes to their payroll services is to make sure they offer two-factor authentication before someone can log in to their accounts. Two-factor authentication requires not only a user ID and password but also the use of a verification code that is sent to the person’s cell phone as a text message.
Sometimes steps like this can appear cumbersome, but they are well worth the extra few moments to protect your organization and your people.
(Source: Allianz: Companies need to strengthen cyber controls to counter ransomware pandemic, https://www.agcs.allianz.com/news-and-insights/news/cyber-risk-trends-2021-press.html, October 13, 2021)
CREATING AN EFFECTIVE PASSWORD
We all know it can be mind-boggling to create and remember a password for every account we have, but doing so is critical to keeping your information safe. Taking the time to do it properly can be the difference between keeping your information secure and making it all too easy for someone to access it. According to Experian, over half of data breaches involved weak, stolen or default passwords.
Here are some general tips for creating a stronger password:
• Use longer passwords: The longer the password, the harder it is for hackers to crack. According to CSO, which provides news, analysis and research on security and risk management, a 10-character password takes years to figure out, whereas an 8-character password can take only minutes.
• Include special characters: Some hackers search for passwords using common words, so mix up your passwords with special characters (e.g., $ instead of “S”), a random capital letter or a symbol (e.g., W31d1ng&Gas3s! instead of weldingandgases).
• Use a two-step authentication process if available. Yes, it takes a few minutes to set up, but it will be completely worth it if it keeps you from being hacked. Not only will you set up a password, but you’ll also have to provide your fingerprint or enter a code texted to your phone in order to sign into your accounts. This adds another layer of protection from hackers.
• Don’t use the same password for every account. Again, passwords can be hard to remember, but do your best to use different passwords for every account. Try to create passwords that are unrelated, too, so that one hacked account doesn’t give a clue to your other accounts. And never create a document on your computer listing all of your passwords. Keep that separate from your electronic devices.
• Don’t include information in your password that could easily be figured out elsewhere. For example, don’t use your house number or digits from your phone number in a password, as these are too easy to figure out. Also, avoid passwords like “12345678” or “password.” That’s practically inviting someone to hack into your account.
• Finally, don’t fall for those surveys on social media. Surveys, particularly on Facebook, that ask you to answer ten or more questions like “What’s your pet’s name?” or “What was your first car?” might seem like fun ways to interact with friends, but they are also giving out specific personal information that a hacker might find very useful.
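The rules in the list above (length, mixed characters, no common passwords, no house or phone numbers, passwords unrelated to one another) can be enforced at the moment an employee sets a self-service password rather than left to memory. The checker below is an added example written for this article and is not Experian’s, CSO’s or HR One’s code. The 12-character minimum, the similarity threshold, the tiny banned-password list and the leet-substitution table are all assumptions made for illustration; a real deployment would check against a full breached-password list.

```python
"""Password policy check reflecting the tips in the sidebar above."""
import re
from difflib import SequenceMatcher

MIN_LENGTH = 12  # assumed policy value; the article only says longer is better

# Constructed, deliberately tiny banned list. Use a real breached-password list in practice.
COMMON_PASSWORDS = {"password", "12345678", "123456789", "qwerty123", "welcome1", "letmein"}

# Common look-alike substitutions. Folding them before the banned-list check means
# "P@ssw0rd" is still caught as "password", while a genuinely uncommon base word passes.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})

SIMILARITY_LIMIT = 0.6  # assumed: above this ratio a new password is "related" to the old one


def fold(password):
    return password.lower().translate(LEET)


def check_password(password, personal_info=(), previous=None):
    """Return the list of rule codes the password violates (empty list = passes).

    personal_info: strings such as a street address or phone number on file.
    previous:      the account's current password, to reject near-repeats.
    """
    problems = []

    def flag(code):
        if code not in problems:
            problems.append(code)

    if len(password) < MIN_LENGTH:
        flag("too_short")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        flag("too_few_classes")

    folded = fold(password)
    if any(common in folded for common in COMMON_PASSWORDS):
        flag("common")

    for item in personal_info:
        # Words of four or more letters (street names, pet names) anywhere in the password.
        for word in re.findall(r"[a-z]{4,}", item.lower()):
            if word in folded:
                flag("personal_info")
        # House numbers and any four consecutive phone digits, matched against the raw password.
        digits = re.sub(r"\D", "", item)
        if 3 <= len(digits) <= 4 and digits in password:
            flag("personal_info")
        for i in range(len(digits) - 3):
            if digits[i:i + 4] in password:
                flag("personal_info")

    if previous is not None:
        ratio = SequenceMatcher(None, folded, fold(previous)).ratio()
        if ratio > SIMILARITY_LIMIT:
            flag("similar_to_previous")

    return problems


if __name__ == "__main__":
    # Constructed samples, including the article's own W31d1ng&Gas3s! example.
    for pw in ["password", "P@ssw0rd2024!", "W31d1ng&Gas3s!"]:
        print(pw, "->", check_password(pw) or "OK")
    print(check_password("Maple742Street!", personal_info=["742 Maple Street", "555-0123"]))
    print(check_password("Summer2024Rocks!", previous="Summer2023Rocks!"))
```

Returning a list of codes rather than a single yes/no lets the self-service portal tell the employee which tip they missed, which is the education step the article asks for.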