GOOD PERSONAL CYBERSECURITY PRACTICES CAN TRANSLATE TO WORK

By Becky Gillette

Edafio Technology Partners Chief Growth Officer Mark Hodges once did an informal check of how many people in a neighborhood had adequate home WiFi security. Out of 30 houses checked, 22 still had the default password that came with the equipment, leaving people vulnerable to theft of any personal information shared on WiFi.

Many businesses rely on cybersecurity training once a year for employees. Some of the training requires little more than people watching a short video and then answering a quiz. But the consequences of a breach for a business can be devastating. Hodges advocates that businesses teach their employees how to practice good online security in their personal lives.

“When companies help employees understand how to secure personal information, it has a downstream effect on business,” Hodges said. “Not taking security seriously is a lot like leaving the house, not locking the door, and then being shocked when you get broken into. Having a security mindset can give businesses a strategic advantage in the marketplace. Keeping employees alert to good security builds a wall around the business and builds trust with customers.”

Hodges, who has taught at the Harding University College of Business for 20 years, said even downloading apps to one’s phone without checking the end user license and data privacy policy can be dangerous. He recalled a popular app in the summer of 2019 that allowed users to take a photo of themselves and use a filter that would age the image. A lot of the college students he knew were using it.

“I read through the data policy and found the Russian company that created the filter did facial recognition software,” Hodges said. “All of these people were handing their faces over to a facial recognition company in Russia. I think individuals leave data exhaust all over the planet. We don’t even know what we are leaving behind, but cybercriminals can take bits and pieces and put together a version of you that can get a credit card or do any number of other things that harm you.”

In general, large businesses have armies of people to deal with cybersecurity. But many small- and medium-sized businesses aren’t expecting cybercriminal attacks.

“That is exactly why they are being targeted,” Hodges said. “People don’t realize it is so easy to target someone in an automated way. And people greatly undervalue data until it is not accessible. Business will come to a halt. That is not even counting the potential penalties for breaching the security of customers’ data.”

According to an IBM study, cybercriminals take about 277 days after breaching a system before taking action. During that time, they carefully study the company and determine its weaknesses. Besides ransomware attacks locking companies out of access to their data, a common scam is accounts payable fraud. The cybercriminal poses as the CEO, sends an email to the Chief Financial Officer and directs that the bank account routing for a vendor be changed.

“The next thing you know, you get past-due notices from that vendor,” Hodges said. “When they go back, they find out they sent that money to a black hole. Accounts payable fraud is a big deal now. It is unbelievable the amount of money that gets stolen. I know of one company building new facilities that lost $280,000 that way.”

It is also important that top leaders in an organization set the right example. No one is going to follow a leader who is not doing the right things, such as changing passwords on schedule.

“Having just one entry point can put the whole company at risk,” Hodges said. “The best thing is to have a different password for every system you use. There are so many breaches and data sold on the dark web. If my Gmail address and my password get sold, and I used the same password also for Amazon and my bank, then all of these accounts are compromised.”

If Hodges could encourage people to do one thing, it would be to use multifactor authentication (MFA), which requires a code or other secondary method of authentication after a password is entered.

“It has been shown to be over 99% effective in securing one’s account,” Hodges said. “MFA is considered an industry best practice for authentication. Everyone should turn it on for their banking and other personal accounts that offer the capability. Businesses should, in all cases, require it of all employees, including the high-ranking executives in the C-suite.”