If you didn't catch the recent NZ Herald article, the sudden changes that businesses are experiencing as a result of COVID-19 have unfortunately led to an increase in scammers and hackers attacking businesses for their data, passwords and details.
It's no surprise either.
- People are working from home in less secure environments.
- The nature of remote working makes it increasingly difficult to verify whether a request is legitimate or not.
- At the end of the day we're all trying to do the best we can for our clients and customers given the circumstances, and bad-hackers are looking to take advantage of good nature.
So what can you do to keep your employees and your business safe?
The answer is pretty simple. The car has stopped temporarily - it's your job to be the pit crew that makes all of those key process changes and tightens up all of your working parts that were too hard to tackle when things were busy. Make sure you're protected now, so that when things get going again, you're ready for it.
Here's what I'd recommend.
1. Move Off Your Spreadsheets
Before getting into it, I should preface this by saying spreadsheets are great. They're a bit of a superhero power for me actually! You can make a spreadsheet do almost anything with the right formulas and formatting, and I am a big fan of (and have used in the past) both Excel and Google Sheets.
When your business grows beyond one or two people, your spreadsheets can quickly spiral out of control and become out of date, especially if the data isn't integrated and live or you're working in Excel (without 365) or a non-collaborative tool. It can be difficult to filter and see when things were last updated - of course, there are ways to do this but the majority of people don’t know these features, so in the end it’s hard to include rich content and information.
Then there's the issue of duplicates. We've all had that scenario where a Google Document has been duplicated to create a new and more up-to-date version, or the original is hidden away in the depths of a shared folder, and a new version is created. This can quickly lead to a tonne of confusion and double handling.
But most importantly, spreadsheets are a real security risk and are a surefire way for integral data and information to be leaked beyond the people you expect it to be shared with - especially during a turbulent and risky time like now.
"Anyone can export, download and copy"
The problem is that we tend to leave these really crucial files in shared folders (like Dropbox or Google Drive) and aren't focused on the security around these spaces. That means as soon as a staff member leaves or a client moves on, they're likely to still have access to sensitive information, especially if you've shared the file with a personal email address.
I've seen some really unfortunate examples of businesses who have kept contacts and deals in spreadsheets, only to have their databases later stolen by quite senior people (hard to believe, but it's true!).
In fairness, 99% of the time your team is trustworthy, but due to the ease of exporting, downloading and copying, they can accidentally share it with the wrong people.
So if not spreadsheets, then what?
The good news is, there are some amazing dedicated tools available that will streamline your processes, tighten your security and use live and integrated data in ways that a shared spreadsheet wouldn't be able to.
I'd recommend looking into HubSpot's free CRM. You can use the tool as a source of truth for your database, set permissions and security processes in place so you always know who does and doesn't have access to your information, and should someone download or change anything, the action is recorded. It's pretty amazing what you can do with a completely free tool!
Of course there are going to be certain industries like PNL and those involved in financial forecasting that absolutely do need spreadsheets to do their job. In these cases, I'd suggest reviewing your shared-folder permissions, setting up a company security policy and where possible, using dedicated tools with tighter security functions (like Wrike and Xero).
2. Tighten Up Your Password Security
Password security is one of those things that we know we should be doing, but in reality never really seem to have the time to implement. I'd be willing to bet there are more than a few people out there who are using the same password across multiple accounts, or even worse, their password is 'password'.
While things are slowing down a little and the world is taking a breath, there's no better time than now to finally tighten up the ship and get a password policy sorted.
I'll note the key elements of password safety below, but if you'd like a policy that you can use right now for your business, download our password policy template below.
The Rules of a Good Password Policy
Password Hacking is a major issue, and it is critical that you follow best practices to ensure that you are not hacked and your logins compromised. For example:
- Ensure 2-factor authentication is enabled on Google, HubSpot and any other accounts
- Where possible use your Google Account to register and login to online services
- NEVER reuse passwords
- Use a password manager on your desktop and mobile, i.e. LastPass, and when it comes to the password for that password manager, it must be a minimum of 12 characters, a blend of all upper, lower case, numbers and special characters, and NEVER used anywhere else.
- Avoid obvious commonly used passwords and password inclusions such as 'password', 123, your name, country or a year, as well as more obvious replacements, e.g. E with 3, o with 0, a with @.
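The password rules above can be checked automatically. The sketch below is an added example, not part of the original article or its policy template: the function name, the deny-list and the sample passwords are constructed for illustration, and `personal_terms` stands in for your own name or country.

```python
import re

# Obvious replacements the rules call out (E with 3, o with 0, a with @),
# undone before matching so 'p@ssw0rd' is treated like 'password'.
LEET = str.maketrans({"3": "e", "0": "o", "@": "a"})
# Constructed sample deny-list taken from the rule's own examples.
COMMON = {"password", "123"}
YEAR = re.compile(r"(19|20)\d{2}")
MIN_LEN = 12  # minimum for the password-manager password


def check_master_password(pw, personal_terms=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 12 characters")
    classes = {
        "upper case": any(c.isupper() for c in pw),
        "lower case": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special character": any(not c.isalnum() for c in pw),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]

    lowered = pw.lower()
    normalised = lowered.translate(LEET)
    # personal_terms: your name, country, etc. (supplied by the caller)
    banned = COMMON | {t.lower() for t in personal_terms if t}
    for term in sorted(banned):
        if term in lowered:
            problems.append(f"contains '{term}'")
        elif term in normalised:
            problems.append(f"contains '{term}' with obvious replacements")
    if YEAR.search(pw):
        problems.append("contains a year")
    return problems
```

A check like this only covers the composition rules; it cannot tell whether a password has been reused elsewhere.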
Beyond these rules of thumb, I'd also suggest requiring a verbal check-in with clients and coworkers to validate any requests, and last but not least, don't write your passwords down.
If it's a super-long password or you have multiple accounts this can definitely be a little challenging, but it's better to come up with a system or buzzwords that prompt you to remember than to leave the skeleton-key to your online accounts floating around on a piece of paper.
3. Know the Signs of Spoofing & Phishing Attacks
As I mentioned above, hackers are currently leveraging the uncertainty and panic by targeting remote workers and businesses with spoofing and phishing attacks. If you're a brand with a reputation, naturally you'll want to protect that reputation, which means being aware of the types of attacks that are becoming commonplace and the signs of an attack.
Over the past few weeks, there has been a significant increase in fake password change requests. Essentially, hackers are sending look-alike password requests via email, and they're going out of their way to make it look as legitimate and sophisticated as possible.
How do they do it?
First of all, they're resourceful and smart, reading media releases, reviewing your connections on LinkedIn and your company website to find trusted connections and a relationship they can use to get through your company's security.
Then, they'll purchase a domain that is incredibly similar to the business they're trying to impersonate and send an email from that address, or they'll hack a client's email platform (especially if their security is less robust than yours) and email you asking for login details.
Of course there are some larger companies and integrators like Datacom who are incredibly secure and have really tight procedures to prevent this, but for your average sales, CRM, marketing or brand, there's likely to be a weak-point to exploit.
What can you do?
The main thing is to be really vigilant and double-check any request you're receiving. Look at who the sender is, give your client, partner or software service a call to make sure that it's legitimate before entering any information, and share the information around the increase in attacks.
I'd also suggest conducting a security audit. Ask yourself and any partners who have access to your database the following:
- What are your current security policies?
- Do you have a password policy?
- Is your team definitely following your policies?
- Who are your high-risk users?
- Are there measures you can take to tighten your security?
Any changes you can make now will safeguard your brand, reputation and information in the future.
Want to get serious about the security and management of your prospects and clients?
We can help. If you're ready to talk about moving your databases and data off spreadsheets, we offer a half-day and full-day remote CRM configuration where we take you and your team through a guided CRM set-up.
- Viewing and creating config
- Standard set-up and technical set-up of your site