- In April, the FBI reported seeing a tremendous spike in documented cybercrime, with estimates that cybercrime might be up as much as 300% in 2020 alone.
- Very few companies keep an up-to-date, accurate inventory of hardware that is linked to professional, confidential data.
- People—not software—are still the primary cause of security breaches.
By Colin McMahon
Introduction
2020 has been, to put it mildly, a challenging year for a number of reasons. In addition to wreaking havoc on millions of lives, the COVID-19 pandemic is rapidly transforming the business world. When the pandemic first hit back in March, many workers faced the sudden—and forced—transition from on-site workflows to remote and decentralized business operations. Although this transition did not always lead to a drops in productivity as some businesses feared, it did open up enormous dangers in terms of cybersecurity. In April, the FBI reported seeing a tremendous spike in documented cybercrime, with estimates that cybercrime might be up as much as 300% in 2020 alone.
Given that October is National Cybersecurity Awareness Month, this article discusses affordable but effective methods for reducing the risk of a major data breach. There is no denying that we have seen an enormous shift toward remote workflows over the past 7 months. According to Keypoint Intelligence’s 2020 COVID-19 Response Plan Survey of 350 retail, franchise, and quick printers, the share of employees who worked remotely jumped from 32% prior to the pandemic to 56% during the pandemic. As a result, many organizations don’t just have decentralized employees, they likely have decentralized—and unregulated—data repositories.
Minimizing the Risk of a Security Breach: Strategies for Success
Inventory Connected Devices
In the old days, a phone was just a phone…but this hasn’t been the case for quite some time now. While the consensus has been to call the devices that most people carry at all times “smartphones,” a more accurate term might be “pocket computer.” Keypoint Intelligence’s research data indicates that 81% of users interact with their smartphones on a daily basis, and these devices can be seen as a miniature treasure trove of personal and confidential data—particularly if people use their smartphones to bank, pay for goods, or respond to emails.
In addition, keep in mind that we’re only talking about personal data! Even so, research indicates that many people also use their personal smartphones for work, meaning that confidential information such as passwords and network access information would also be stored on their device. Despite this, very few companies keep an up-to-date, accurate inventory of the hardware that is linked to professional, confidential data. This could be similar to making 100 keys that people could use to get into your building but not bothering to track who took a key but for how long.
Network security is a tricky issue in the sense that it’s only as strong as its weakest link. Organizations can invest thousands if not millions in a cybersecurity solution, but this investment would prove meaningless if an employee lost his or her phone at a bar and the information it contained fell into the wrong hands. To put it simply, smartphones with access to confidential business data can pose a security risk. All organizations should have procedures in place to track which devices have access to what. They must also keep careful track of all this hardware throughout its lifecycle.
Properly Dispose of Data
Many people and companies believe that the lifecycle of a device ends when it is disposed of. Once you trade in or sell a smartphone or a printer, it belongs to someone else and is no longer your responsibility. Although this is technically true, it is important to remember that data does not simply vanish with a change of ownership—it must be properly disposed of, and deleting saved information may not be sufficient.
Hackers and other IT experts can recover data that has been deleted, especially if it was never rewritten with new information. Given that many machines today operate with SD cards or solid-state drives (SSDs), the only real way to ensure that data has been disposed of is to destroy the repository it was stored on. Degaussers, once powerful and popular tools that were used to erase traditional hard drives, will not work on this newer technology. Before selling or decommissioning a device, owners should check for and remove any data repository. The device should then be destroyed by professionals with the right equipment. This is the only way to guarantee that data will not be usurped by a malicious third party; simply throwing something out is not enough to destroy confidential information.
Educate Employees
Defense against cybercrime begins with education. It has been said that there are now two levels of literacy in the world. Most are familiar with the first—determining whether someone can read a written language. The second, newer literacy is computer literacy, which now contains knowledge of integration with online networks. Fewer people have mastered this, and cybercriminals exploit this ignorance to make effective attacks.
One of the simplest forms of cyberattack, phishing, is nothing more than an email claiming to be from a reputable source (e.g., employer, government agency, other authority). These emails are usually urgent in nature, compelling the recipient to act quickly and without thinking. They frequently contain spelling errors and domain names that do not properly match where they are supposedly sent from. In short, a phishing scheme will typically have clear signs that are easily identifiable. Without education, however, some employees might not spot the danger until it is too late. Phishing can be used to steal personal information, but it can also be used to install complex—and potentially devastating—forms of cyberattack like malware, worms, and ransomware.
As was stated during one of the sessions during the 2020 Ricoh Interact virtual event, people—not software—are still the primary cause of security breaches. Employee education takes time, but this is an investment that will pay for itself if a company’s confidential information is kept secure. All employers should train their workers to identify malicious e-mails so they can stop any attacks before they happen.
The Bottom Line
Encouraging employees to always be connected by tying their personal devices to corporate accounts might speed up production slightly, but it’s probably not worth the risk of a massive data breach. Decentralized workflows have made it so more business is conducted digitally, via personal devices and on company hardware. The suddenness of this development has prompted cybercriminals to exploit businesses that were unprepared for the realities of online workflows. The COVID outbreak created a perfect storm for cyberattacks, because many businesses were caught unprepared in more ways than one.
Although it is always important for organizations to keep careful inventory of devices with network access and other confidential data, this is particularly the case when a global disaster like COVID caught many businesses unawares and forced them to pivot almost overnight. All hardware must be properly disposed of at the end of its lifecycle, and employees should be educated on the risks of cybercrime. The good news is that these initiatives do not need to require a massive investment, but they can have dramatic results.
Colin McMahon is a Senior Editorial Analyst at Keypoint Intelligence. He primarily supports the Business Development Strategies and Customer Communications services. In this role, he creates and refines much of Keypoint Intelligence’s written content, including forecasts, industry analysis, and research/multi-client studies. He also assists with the editing and formatting processes for many types of deliverables.