How to Keep Your Employees from Being Your Biggest Security Risk

August 25, 2017

Employees in a small business are a soft target for cyber criminals. How do you protect your business?

When it comes to your business's security, employees can be your weakest point.

Employees make a soft target for cyber criminals to take advantage of. Phishing emails and other types of attacks may target workers deliberately, in an attempt to make them give up login credentials or unwittingly reveal sensitive information.

For that reason, it is important to take the necessary steps and precautions to educate workers and develop workplace policies. Systems that workers use should be hardened and protected, to avoid security breaches and catastrophes. You'll also want to take steps so that former employees don't pose a security risk.

Here are some steps small business owners can take to protect the business.

Establish Policies and Train Employees

Take the time to educate employees so they are aware of the risks and what to do. Simply by talking about the importance of data security and safe browsing, employees are more likely to make it a priority.

Develop policies for worker cyber security. Spend some time going over common security issues and how to avoid them, including the following:

  • Learn to identify phishing emails and avoid being tricked into opening them or clicking their links. Often there's something "off" about a phishing email, and scrutinizing the links can reveal whether they point to an unofficial source.
  • Don't click links in emails unless the employee is sure where the email came from or is expecting the communication.
  • Never give out passwords in emails. Ever.
  • Scrutinize any communication that asks you to log in and provide sensitive information in any account. These can lead to fake sites designed to harvest sensitive information.
  • Use strong passwords with combinations of lowercase and uppercase letters, numbers and characters. Do not use passwords that are easily guessable. The harder it is for cyber criminals to use a dictionary attack or other means to figure out passwords, the more likely they will move on to some other softer target.
  • Use browser settings that block or show a warning before visiting sites with malware. For example, Chrome has an advanced setting to "Protect you and your devices from dangerous sites."
  • Don't download software from unofficial sources. Malware can take a ride alongside it.
  • When using devices for business purposes while traveling, avoid free unsecured WiFi. Consider setting up a VPN for workers to connect to company systems, and instruct them how to use it.
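The link-scrutiny advice above is something a mail gateway or a training tool can apply mechanically. The following is an added example, not code from the original article: it pulls every link out of an HTML email body and flags links whose real destination is outside the company's own domain, or whose visible text shows one address while the href points somewhere else, the two tells that training usually teaches employees to look for. The trusted domain `example-company.com` and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the registrable domains the business actually owns (constructed value).
TRUSTED_DOMAINS = {"example-company.com"}

# Constructed sample email body: the first link imitates the company domain as a
# subdomain of an unrelated site and shows a different address as its text.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours. Verify here:
<a href="http://example-company.com.login-verify.net/reset">https://example-company.com/reset</a></p>
<p>Read the <a href="https://example-company.com/policy">security policy</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _looks_like_url(text):
    return " " not in text and "." in text


def scrutinize_links(html_body, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of findings, one per suspicious link in the email body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "mailto":
            continue
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append("non-web scheme")
        if not host:
            reasons.append("no host in link")
        elif registrable_domain(host) not in trusted_domains:
            reasons.append("untrusted domain")
        # A visible address that differs from the real destination is a classic lure.
        if host and _looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            shown_host = (shown.hostname or "").lower()
            if shown_host and registrable_domain(shown_host) != registrable_domain(host):
                reasons.append("display text names a different domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scrutinize_links(SAMPLE_EMAIL):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

The registrable-domain check is deliberately simple (last two labels); a production tool would use the public suffix list so that hosts like `example.co.uk` are handled correctly.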

Protect Systems Employees are Using

If systems that employees use are insecure, then by definition your business is less secure. It is therefore crucial that systems be hardened and protected. The following are some basic steps to take as it relates to systems that employees use:

  • Install anti-virus protection on all systems and devices for workers. If your company runs on Windows 10, remember that Windows Defender, Microsoft's security software, is integrated for free. But you can also install other security software to protect systems. Make sure the software is set to update virus definitions and scan automatically.
  • Back up business data on all devices, apps and servers. If you use cloud backup and cloud storage which automatically syncs and backs up work, your business data and records will be protected in the event of hardware failures or user error.
  • Make it company policy for every personal device employees use for work to have anti-virus software installed to keep your company data safeguarded. This is especially important given the "bring your own device" (BYOD) trend today.
  • Use cloud software from established vendors. Large vendors typically look out for security, more than a small business can afford to do.
  • Set hardware to automatically install operating system software updates. Operating systems are routinely patched for security purposes, and such updates are important.
  • Require remote wipe/lock protections for mobile devices issued to employees. That way, if a device is stolen or lost, you have control from a distance.

Disable Access When Employees Leave

I'm always shocked that when employees leave, companies may overlook disabling access to systems and data. Here are some steps you should take following an employee's departure or when you stop the services of a contractor who had access to your systems:

  • Disable the worker's access to all company systems. Either remove the worker as a user or downgrade/block access through administrative control. Don't forget cloud software applications and social media accounts, as well as central cloud storage.
  • Disable company email addresses and forward them to a company administrator, as some systems may allow access to anyone with a company email address (such as G Suite document storage under certain circumstances).
  • Require all company-issued hardware to be turned in on the last day of work. And make sure it's wiped of accounts or passwords before re-issuing to another worker.
  • If the employee had access to company passwords or administrative passwords, change them, particularly following the departure of IT personnel.
  • Cancel any company credit cards, travel accounts, or expense accounts.
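The offboarding checklist above is easy to state and easy to miss in practice, because accounts live in many systems and shared passwords are rarely tracked. The following is an added example, not from the original article: a small reconciliation check that compares an HR roster against account exports from each system and flags enabled accounts belonging to people who have left (or to nobody on the roster at all, which catches forgotten contractors), and lists shared credentials that a departed person knew and that have not been changed since their last day. The roster, account list and credential register are constructed sample data; the field names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    active: bool
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    emp_id: str            # owner as recorded in that system's export
    enabled: bool
    privileged: bool = False


@dataclass(frozen=True)
class SharedCredential:
    name: str
    known_to: FrozenSet[str]   # emp_ids of everyone who has seen the password
    last_rotated: date


# Constructed sample data: Bob and Carol have left; Dave is a contractor
# who was given a VPN account but never appeared on the HR roster.
ROSTER = [
    Employee("e1", "Alice", True),
    Employee("e2", "Bob", False, date(2017, 8, 1)),
    Employee("e3", "Carol", False, date(2017, 7, 15)),
]
ACCOUNTS = [
    Account("email", "alice", "e1", True),
    Account("email", "bob", "e2", False),
    Account("crm", "bob", "e2", True),
    Account("cloud-storage", "carol", "e3", True, privileged=True),
    Account("vpn", "dave", "c9", True),
]
SHARED_CREDENTIALS = [
    SharedCredential("router-admin", frozenset({"e1", "e3"}), date(2017, 6, 1)),
    SharedCredential("office-wifi", frozenset({"e1", "e2"}), date(2017, 8, 10)),
]


def find_orphaned_accounts(roster: List[Employee], accounts: List[Account]):
    """Enabled accounts whose owner has left or is unknown, privileged ones first."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.emp_id)
        if owner is None:
            reason = "owner not on roster"
        elif not owner.active:
            reason = "owner left on %s" % owner.left_on
        else:
            continue
        findings.append({"system": acct.system, "username": acct.username,
                         "privileged": acct.privileged, "reason": reason})
    findings.sort(key=lambda f: (not f["privileged"], f["system"], f["username"]))
    return findings


def shared_credentials_to_rotate(roster: List[Employee], creds: List[SharedCredential]):
    """Shared passwords known to a leaver and not rotated after that person's departure."""
    departed = {e.emp_id: e for e in roster if not e.active}
    to_rotate = []
    for cred in creds:
        leavers = [departed[i] for i in cred.known_to if i in departed]
        if not leavers:
            continue
        # An unknown departure date is treated as "rotate now" rather than assumed safe.
        dates = [e.left_on for e in leavers if e.left_on is not None]
        latest_departure = max(dates) if len(dates) == len(leavers) else None
        if latest_departure is None or cred.last_rotated <= latest_departure:
            to_rotate.append(cred)
    return to_rotate


if __name__ == "__main__":
    for f in find_orphaned_accounts(ROSTER, ACCOUNTS):
        print("disable %s/%s: %s" % (f["system"], f["username"], f["reason"]))
    for c in shared_credentials_to_rotate(ROSTER, SHARED_CREDENTIALS):
        print("rotate shared credential:", c.name)
```

Running this regularly (for example weekly, against fresh exports) turns the one-time offboarding checklist into a standing control, and the "owner not on roster" case is the one that usually surfaces contractor accounts nobody remembered to close.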

Remember, even by taking the above precautions, not all security issues can be predicted. But basic steps like these will make your business more secure.

This article originally appeared on Inc.
