from Rhys Milligan
The greatest risk to the security of your business is human error. People are prone to error; in fact, some might say it is error that makes us human. Why is this important? Put yourself in a hacker’s shoes. What do you target if you want to jeopardize the cyber-security of a business? You could spend days, if not weeks, trying to hack your way in… or you could send an email to IT claiming to be the CEO, locked out of your account. Yes… that has worked in the past.
This method of attack is called Phishing (pronounced Fishing). The idea is that the scammer sends out a lot of fraudulent mail (or uses other methods of communication) and waits for someone to take the bait. They then reel in the info, in this case a new CEO password. Let’s take the previous scenario a bit further. It seems far-fetched for IT to believe a random email is from the CEO, but the scammer has some sneaky tricks up their sleeve. Let’s say the CEO’s email is importantCEO@business.com. Here are some things the scammer could try: register a domain such as businesss.com or business.co (or something similar), set up an email account with “importantCEO” as the username, and send out that email. IT will see ImportantCEO@businesss.com or ImportantCEO@business.co and perhaps not even notice the difference. This is just one example, but hopefully it illustrates the dangers of human error.
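As an added example (not code from the original post), here is a small defender-side check that flags sender domains which merely resemble the company's real one, the trick described above. It assumes business.com is the genuine domain and runs over a constructed sample inbox.

```python
# Added example: flag lookalike sender domains (businesss.com, business.co)
# relative to the company's real domain. Assumed domain, constructed inbox.
from typing import Tuple

TRUSTED_DOMAIN = "business.com"  # assumption: the company's genuine mail domain

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('Name <x@y>' tolerated)."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()

def check_sender(address: str, trusted: str = TRUSTED_DOMAIN,
                 max_distance: int = 2) -> Tuple[str, str]:
    """Classify a sender as 'trusted', 'lookalike' or 'unrelated', with a reason."""
    domain = sender_domain(address)
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted", "exact match or subdomain"
    t_name, _, t_tld = trusted.rpartition(".")
    d_name, _, d_tld = domain.rpartition(".")
    if d_name == t_name and d_tld != t_tld:  # business.co vs business.com
        return "lookalike", f"same name, different TLD (.{d_tld} vs .{t_tld})"
    dist = levenshtein(domain, trusted)  # businesss.com is one edit away
    if dist <= max_distance:
        return "lookalike", f"edit distance {dist} from {trusted}"
    return "unrelated", f"edit distance {dist} from {trusted}"

# Constructed sample inbox: (sender, subject) pairs, including the CEO scenario.
SAMPLE_INBOX = [
    ("importantCEO@business.com", "Quarterly numbers"),
    ("ImportantCEO@businesss.com", "Locked out - reset my password now"),
    ("ImportantCEO@business.co", "Urgent: need my login"),
    ("newsletter@example.org", "Weekly digest"),
]

def triage(inbox=SAMPLE_INBOX):
    """Return the messages whose sender domain only looks like the company's."""
    return [(addr, subj, check_sender(addr)[1]) for addr, subj in inbox
            if check_sender(addr)[0] == "lookalike"]
```

A real deployment would pair this with SPF/DKIM/DMARC results rather than rely on string similarity alone; the distance threshold is a tuning knob, not a fixed rule.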
Now to be clear, although the example I gave of Phishing was targeted at a CEO, everyone is a target of Phishing. You can gain a lot of info from the average employee, like the technology the company uses, the performance of the business, company Intellectual Property, etc.
So, what’s the solution? We need people to run a business (for now), so the only solution is educating employees with a good company policy. Your company policy should make a distinction between public information and internal information. Simply put, it should state what information your employees are allowed to share with the public. Another example of good company policy is having official channels for changing information. For example, a form on the company website that must be used to change your password. This way, an email requesting a password change is seen as suspicious. Finally, employees should be offboarded properly. An employee who is no longer employed may still hold critical access, for example their company account and email. Accounts belonging to past employees must be deactivated as part of the offboarding process.