When looking at IT security threats to your business, it can be helpful to group them into two categories: threats that result from suboptimal employee behavior and threats that result from suboptimal equipment and software. Of course, these two categories sometimes overlap, but looking at each separately can be a useful paradigm, even if only to serve as a kind of mental scaffolding on which to build new concepts.
Suboptimal Employee Behavior
While most of us tell our employees not to click on suspicious links, not to use work computers for personal business, and to avoid a million other sundry electronically risky activities, the truth is that without training most employees will not be able to recognize threats or know how to alter their own behavior.
Training every employee on proper internet security practices is certainly time-consuming and can often be expensive; however, depending on your industry, it can mean the difference between success and failure. When deciding how to train your employees, it is a good idea to bring in an outside training expert. This person will know what types of mistakes employees most often make. You may think it is enough to tell employees not to click on suspicious links, but how should they recognize suspicious links? How can they identify a phishing attack if it seems to come from your own email address? An outside expert will have trained countless other people and will know where people most often get confused. The peace of mind of knowing that your staff has been correctly trained is well worth the one-time cost of the training.
This training, however, is not a panacea: even assuming your employees do follow the training they receive while at work, there is a danger that they will not do so on their personal devices. This is an issue that most ventures not directly related to IT fail to think about. Most of us, if we are honest, have taken work home on a thumb drive, emailed work to ourselves, or saved work on our personal laptops or phones. In fact, it would be very difficult to run a modern business without being able to do these things. So what is the solution? You really only have two options: you can provide employees with devices specifically for these purposes that they can bring home, or you can harden their existing devices. At the very least, make sure whatever at-home devices you or your employees use have a strong firewall, antivirus, and anti-malware software in place.
Ultimately, the best way to keep control of proprietary information, passwords, and accounts is to develop a list of tasks that expose this information and then require these tasks to only be done at work. Using this method can prevent many intellectual property leaks and curtail opportunities for cybercriminals to hack into your systems.
Suboptimal Equipment and Software
The good thing about vulnerabilities in hardware and software is that they are more straightforward to fix than vulnerabilities that come from employee error. In fact, there are several software solutions that can prevent attacks designed to exploit employee errors. One of the most important of these is to use a DMARC solution to stop spoofed emails and phishing attacks before they start. DMARC (Domain-based Message Authentication, Reporting and Conformance) is the protocol that lets receiving mail servers check that an email claiming to come from your domain is genuine, and tells them what to do with it if it is not, before it is passed on to the recipient.
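DMARC works on top of two older checks, SPF (which lists the servers allowed to send mail for a domain) and DKIM (a signature on the message), and the part that actually stops spoofed mail is the `p=` policy tag in the DNS TXT record published at `_dmarc.<your domain>`. A record with `p=none` only asks receivers to report failures; spoofed mail is still delivered. The following parser and assessor is an added example written for this article, not a tool from any vendor mentioned here; the two records, the `example.com` reporting address and the function names are constructed for illustration.

```python
"""Parse a DMARC TXT record and assess whether it actually blocks spoofing.

Added example: the records below are constructed, not taken from a real domain.
A DMARC record is published as a DNS TXT record at _dmarc.<domain>; receivers
apply its p= policy to mail that fails SPF/DKIM alignment.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str              # value of the p= tag
    subdomain_policy: str    # sp= tag; defaults to the p= value
    pct: int                 # percentage of failing mail the policy applies to
    has_reports: bool        # rua= tag present, so you receive aggregate reports
    findings: list = field(default_factory=list)

    @property
    def blocks_spoofing(self) -> bool:
        """True only if every failing message is quarantined or rejected."""
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs.

    Raises ValueError if the string is not a DMARC record: the specification
    requires v=DMARC1 to be the first tag and p= to be present.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:            # tolerate a trailing semicolon
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Rate a record and list the reasons it would still let spoofed mail through."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    sp = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    result = DmarcAssessment(policy, sp, pct, "rua" in tags)
    if policy == "none":
        result.findings.append("p=none only monitors: spoofed mail is still delivered")
    if pct < 100:
        result.findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if sp == "none" and policy != "none":
        result.findings.append("sp=none: subdomains of the domain can still be spoofed")
    if not result.has_reports:
        result.findings.append("no rua= address: you will not see who is spoofing the domain")
    return result


# Constructed sample records; example.com is a placeholder domain.
WEAK_RECORD = "v=DMARC1; p=none"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                   "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        a = assess_dmarc(rec)
        print(f"{label}: blocks spoofing = {a.blocks_spoofing}")
        for finding in a.findings:
            print("  -", finding)
```

Run it as-is to compare the two constructed records, or paste in your own domain's `_dmarc` TXT record (for example from `dig TXT _dmarc.yourdomain.example`). The usual rollout is to start at `p=none` with a `rua=` address, read the reports until every legitimate sender passes, then move to `p=quarantine` and finally `p=reject`; until that last step, `blocks_spoofing` stays false for a reason.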
Of course, any software or hardware that you are using is going to be wide open to exploits if it is not kept constantly updated. Updating software is inconvenient and frustrating to be sure, but you still must designate a set time to check and install updates on all of your IT systems. The patches these updates provide rarely make noticeable changes to the user, but they are vital to prevent hackers from using known exploits to infiltrate your systems.
Finally, almost every business will have some form of firewall and anti-virus software already in place. If yours does not, this should absolutely be the first order of business. For the vast majority of businesses, however, the question will be which firewall, anti-virus, and similar products to use. Comparing these products can be extremely complicated, but that does not mean it is impossible. There are a number of sites (Consumer Reports is always a good bet) that will help you sift through the jargon and find what is right for you.