Old habits might die hard, but if you want to adhere to cybersecurity best practices, they have to die—now. Your employees might be putting your firm at risk and not even realize it. That’s because some of the reflex actions they rely on in certain situations are a lot more dangerous than they used to be.
Something as simple as a phone call, voice mail or video chat could be a cyberattack in disguise. And email is such a minefield that it’s better not to use it all, or, at least, use it very sparingly. The best way to ensure firm security is to run applications in the cloud, protect your devices and train your employees to avoid cyberattacks.
Cybersecurity best practices: 3 habits you need to break today
But first, starting now, you need to make sure your employees embrace cybersecurity best practices and break a few bad habits.
1. Sharing files via email or portable storage devices
It really can be this simple:
- Your firm receives a referral email from a client about a prospective client.
- Your employee immediately contacts the would-be new client.
- The prospective client sends your staffer tax information via an email attachment.
- Your employee clicks on the attachment, which wasn’t from a prospective client at all…it was from a cyberattacker!
- The attachment launches malware into your firm’s network.
A malicious actor posing as your customer has now gained access to all of your clients’ data using the tried-and-true “new client” spear-phishing attack method. And you don’t even know it’s happening. What happens next? Who knows? Maybe the attacker sells your firm’s data on the dark web. Maybe they demand a ransom for its return, although you might never get your data back—whether or not you pay. In any case, it’s a catastrophe for your firm.
Simply put, email attachments are not safe. Email itself has become a very risky form of communication. The most recent Verizon Data Breach Investigations Report (DBIR), a widely recognized source on cybersecurity trends, revealed a 13% year-over-year increase in ransomware attacks. That’s a jump greater than in the previous five years combined. Two-thirds of attacks involved phishing, stolen credentials or ransomware, all of which are linked to email.
Yet, research from Right Networks found that 36% of firms use email attachments or links to share information with clients. That doesn’t demonstrate adherence to cybersecurity best practices. And other methods of file sharing are even worse. Using USB drives is notoriously dangerous, and no one in your firm should use those devices at all—ever.
The best way to share files with clients is via a dedicated cloud portal when you run QuickBooks® Desktop and other critical tax and business applications in the cloud. A trusted hosting provider will manage security for you, and you’ll be able to virtually eliminate the use of email.
2. Communicating with clients via emails, phone calls or text
Attachments aren’t the only danger lurking in email. Cyberattackers can use emails to steal your employees’ credentials and break into your network to steal data. A seemingly innocuous request to log into an application or an account via email could, in fact, be a sophisticated cyberattack. Compromised credential attacks work, unfortunately. A breach in 2021 leaked data for 8.4 billion accounts and caused fuel supply disruptions on the East Coast.
Your employees need to embrace cybersecurity best practices by using different passwords for different applications and changing passwords completely on a regular basis. Staffers who use the same credentials for multiple applications or accounts open up those applications to a breach once an attacker steals just one set of logins and passwords. Also, passwords in a series (password1, password2, password3) are extremely dangerous and easy to crack.
But the danger of client communication doesn’t end with using email. Even a seemingly benign phone call or video chat can be dangerous. That’s because artificial intelligence enables attackers to create deepfakes—convincing imitations of voices and even faces. Although such attacks are still fairly rare, simply answering a phone call with a supposed client can open the door to a cyberattack. When these attacks work, they really work (as noted in a previous post):
“In one case, bogus audio led to the theft of $35 million. One cryptocurrency executive found that scammers had successfully created a hologram of him to target unsuspecting victims. In some cases, cybercriminals have actually used deepfakes to apply for and get jobs as remote tech support staff with companies, enabling the attackers to have first-hand access to critical customer data.”
What are the habits your employees need to break? Random phone calls or even video chats now carry the potential to be dangerous. If a call comes from an unfamiliar number—even if a client’s name pops up—call the client back on a trusted number to make sure the call was legitimate. The same goes for video. If a random chat alert appears, contact the client via a trusted method, such as a cloud portal, rather than immediately answering.
And if you text with clients at all, be especially careful. Smishing attacks (phishing via text message) are on the rise and extremely effective because many users tend to text back without looking closely at the message source. Again, employees should look closely at the number associated with the text and contact the client at a trusted number if they have any doubts about the veracity of the contact.
3. Careless use of Wi-Fi and personal devices for work tasks
The secure Wi-Fi network at your client’s office is safe, right? Maybe. But if your client’s network isn’t sufficiently secure, there’s no way to know for sure. As part of cybersecurity best practices, you and your employees are better off using a 5G hotspot on your phone to connect to the internet.
The same goes for just about any remote situation. Obviously, open Wi-Fi networks are unsafe. But even if a network has a password, it could be compromised. A hot spot is the way to go. Break the habit of connecting to Wi-Fi automatically.
Along those lines, remote work has revolutionized the operations of many firms—in many ways for the better. However, working at home greatly increases the risk of a cyberattack, in part because employees have a bad habit of using personal devices to access client files. Laptops or tablets that kids play games on could contain malware, which could end up on your firm’s network if an employee accesses your system with a compromised device.
To follow cybersecurity best practices, only allow remote employees to connect authorized equipment to your firm’s network. Either mandate that employees use firm-owned devices at home, or carefully verify security settings if employees use their own devices. Never let an employee attach a “rogue” device to your network. And don’t do it yourself, either. If you’re in the habit of logging in from an unprotected home device, break that habit now.
Embracing cybersecurity best practices is easier in the cloud
When you run critical applications in the cloud, you can break some of your cybersecurity habits without even really trying. That’s because the hosted model provides a safer environment for your data and applications than a perilous combination of email and rogue smartphones. For starters, a hosting provider will monitor application security for you and update apps when necessary. You don’t have to do anything.
In the cloud, you can establish a portal with each of your clients so that you can share information in a protected environment rather than via email. Taking email out of the equation boosts security significantly. A cloud provider can monitor for security breaches and mitigate damage immediately if one occurs. With a client portal, your employees can establish a primary method of client communication, and more easily spot and avoid deepfake attacks and smishing attempts.
A good cloud provider will also offer multifactor authentication (MFA), which requires users to confirm their logins on a different device and greatly reduces incidences of both phishing and compromised credentials. MFA is effective in preventing data theft because even if a cybercriminal steals a user’s data, the attacker won’t be able to simply log into the user’s accounts through a single source. The second level of authentication stops a lot of would-be data theft.
Replacing bad cybersecurity habits with cybersecurity best practices
There are two other measures your firm should consider when moving to the cloud:
- Protecting devices. A cloud provider can offer additional security for the devices your employees use every day. This protection goes beyond safeguarding your network and enables you to monitor and safeguard devices. For instance, the computers your employees use to access QuickBooks Desktop in the cloud.
- Security awareness training. According to the Verizon DBIR study, more than 80% of successful data breaches involve human error. Your people are your first line of defense when it comes to protecting your data. The right cloud provider can teach them to spot and avoid cyberattacks and ward off trouble before it starts. Educated employees are far less likely to commit the errors that lead to cyberattacks.
It’s not easy to break long-standing habits, but it’s necessary. When you run your firm’s apps in the cloud, you provide yourself and your employees with the best possible environment to break bad old habits and develop good new ones.