Having worked for a number of small and medium businesses in my time, I have always used software to generate and store the vast array of passwords that I’ve had to ‘remember’. Passwords are one of those necessary evils in this day and age, and I’m sure you can relate to the frustration of expired passwords, and meeting the complex ‘criteria’ most sites and services require.
Late last year, former Attorney-General Nicola Roxon, speaking about the critical nature of cyber security, highlighted that 1 in 4 Australians had been victims of identity theft and identified fraud as one of the fastest growing forms of crime in Australia. As with a lot of other dangers, we often do not ‘connect’ with such crimes, as we have not experienced them ourselves.
Recently I visited the website for a service I had not used for a while, and was astonished to be logged in automatically by the password saving software I use (called LastPass) into a CRM (Customer Relationship Management Software) database of several thousand prospects and customers. I was staring at perhaps one of the most valuable assets belonging to a former employer of mine, for whom I had worked about two years ago.
That’s right, a company with whom I no longer had any ties had not changed its passwords in two years. What I did was contact them and let them know about this, but I think it’s fair to say a disgruntled or more opportunistic former employee may not have had the same response.
Databases are worth money. We have to remember this and ensure we take the necessary measures to safeguard our vital confidential assets, by putting into place SYSTEMS. Systems are critical to the operation of any business, as well as for cyber security. I’ll treat the rest of this post as though I were advising my former employer on how they could have avoided this security breach.
The most basic approach to preventing this from happening to your business is to have checklists in place. Part of your cyber security strategy should cover the tasks you have to perform when an employee leaves your company. If you are too small and don’t actually have an IT Support team in-house, you can still assume the responsibility yourself or assign it to somebody. For example:
- Has all physical equipment been returned? – Whether it’s a laptop, USB sticks, smartphone, chargers, keys or passes to the office, these assets all have to be logged against each individual. Once an employee is due to depart from the company, someone within your business should be responsible for ensuring these assets are all returned.
- Email address – After resetting the outgoing employee’s password, ensure you set up an Out of Office Responder so that all those corresponding with that individual have a new point of contact. Having worked in sales in the past, I’ve seen many companies lose business by not ensuring potential leads were kept in the loop.
- Accounts & Passwords – What passwords were given to the employee? If they had their own account for each of the services used in your business, make sure you lock or disable it, or at the very least change the password and any ‘backup emails’, i.e. any alternate email addresses that could have been entered in case the account holder forgot their password.
It is critical to protect your business assets from external threats. However, I guarantee that starting by securing your business from within is going to reap the most rewards for the amount of time and money (usually none) required.