The latest hacking of HBO was worse than what happened to Sony because the attackers are getting more sophisticated, according to a report on CBS today. It is confirmed that over 1.5 terabytes of data was taken in this attack, and through multiple “doors” into HBO’s systems. Included in this online heist was an upcoming Game of Thrones script, unaired episodes of other popular shows and, most concerning of all, thousands of internal documents; the hackers have since published personal information about a senior HBO executive. Sophisticated attackers go after big companies with big prizes, such as HBO and Sony, where their work will be recognized by their peers, but the same weaknesses (hoarded data, weak credentials, phishing, no plan for the day it happens) exist at companies of every size, so this should ring alarm bells for all of them. Some simple measures can reduce the damage such an attack can do.
Sensitive conversations should happen in person:
Too often we avoid difficult conversations and shoot off emails instead, whether about how someone handled a client, an approval, a promotion or raise, or putting someone on a performance program. Make an effort to have these conversations in person. When you speak to someone live and take the time to share feedback, it lands the way it was intended, whereas emails are often taken the wrong way. An email also leaves a permanent, forwardable record that becomes part of what an attacker walks away with.
Memorializing financial approvals can be done in an HRIS or in your financial reporting system, and reviews and notes can be housed in the HRIS as well. Security is a shared responsibility: the software provider secures the platform, but you still control who has accounts, what access they have and how logins are protected, so ask pointed questions about how the provider handles security, encryption and backups, and about what remains your job. Generally speaking, a large, established cloud provider is your best bet. Use a consultant to help select the right system and to implement it, and always ask for references before committing to any system. But keep sensitive information off email, which is a prime target for phishing and account takeover and retains every message and attachment indefinitely once it is compromised. You will also feel better about having had the conversation live.
Use strong, unique passwords, and change them when there is reason to:
Work with your IT department on a password policy for email and company drives. Forced changes every thirty days used to be standard advice, but current guidance (for example NIST SP 800-63B) drops scheduled rotation in favour of long, unique passwords or passphrases, a password manager so nobody has to memorize them, and multi-factor authentication on email and remote access; passwords should be changed immediately when a breach or phishing attempt is suspected, not on a calendar. I know it is hard to keep track of many passwords, I am the first to admit it, which is exactly why a password manager matters. Your IT department wants to work with you; always include them in the process. Don’t use versions of your name or date of birth, don’t reuse a password across sites, and never leave sticky notes on your desk with the password on them!
Create an Emergency Action Plan, and keep it updated:
We usually only think of an Emergency Action Plan in terms of a weather-related or geopolitical event, but if you get hacked, that is an emergency too. Update the protocols and make sure you have a plan for the case in which your company is hacked: who is called first, how to revoke compromised credentials and close the access paths the attackers used, and how to notify all employees to change their passwords. You will need a communication plan for your clients as well, in case their data was breached, and you should know in advance which breach-notification obligations apply to you. Anticipate and protect as much as you can, working with IT and your cloud provider to ensure your servers and data are protected and to agree, before anything happens, how a breach will be handled, including preserving logs and evidence for investigators. There are consultants who specialize in this area. Creating a plan now will save you time and money and give you, your employees and your clients peace of mind later.
Have an IT Policy, and keep it updated:
Hackers have both simple and sophisticated ways of getting into your network. Sometimes it is malware, and sometimes it is a scam dressed up as something familiar, such as the Ray-Ban scam that spread through Facebook or the Dropbox phishing scam that arrived as a file-share email from someone you may have known. When in doubt, always check with your IT department before opening anything you are unsure about. Your first line of defence is having a proper IT policy and having each employee acknowledge it. Adding mandatory training, including how to recognize and report phishing, can close some of the holes the hackers use most often.
Store only what you need:
Store only what you need, and restrict who can reach it; the less you hold, the less there is to steal. Your customers’ and employees’ security depends on it. Sensitive health information should be stored in the HRIS whenever possible. Form I-9s must be kept for three years after the date of hire or one year after termination, whichever is later; payroll records for three years from the termination date; and benefit information for one year after the termination date. All of this can be stored in the HRIS. Contract and billing information belongs in your financial reporting system and, if not, in access-controlled, password-protected locations on your drives. Sensitive client information should not remain on email and should be scrubbed from your inbox once it has been filed where it belongs.
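The retention periods above are easy to state and easy to get wrong in practice, especially the I-9 rule, which is the later of two dates. The following script is an added example, not part of the original article: it computes, for constructed sample records, the date after which each record falls outside the retention periods the article cites and lists the ones that should already have been purged. The record types, field names and sample employees are assumptions for illustration; the periods themselves are the ones stated above.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start date rolls to 28 February
    when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class EmployeeRecord:
    # Hypothetical record shape for the example.
    employee_id: str
    record_type: str                 # "i9", "payroll" or "benefits"
    hire_date: date
    termination_date: Optional[date]  # None while the employee is still active


def retention_end(rec: EmployeeRecord) -> Optional[date]:
    """Last day the record must be kept under the periods the article cites.
    Returns None when the clock has not started (employee still active)."""
    if rec.termination_date is None:
        return None
    if rec.record_type == "i9":
        # Form I-9: 3 years after hire OR 1 year after termination, whichever is later.
        return max(add_years(rec.hire_date, 3),
                   add_years(rec.termination_date, 1))
    if rec.record_type == "payroll":
        # Payroll: 3 years from termination.
        return add_years(rec.termination_date, 3)
    if rec.record_type == "benefits":
        # Benefit information: 1 year after termination.
        return add_years(rec.termination_date, 1)
    raise ValueError(f"unknown record type: {rec.record_type!r}")


def records_to_purge(records: List[EmployeeRecord], today: date) -> List[str]:
    """IDs of records whose retention period has fully elapsed as of `today`."""
    out = []
    for rec in records:
        end = retention_end(rec)
        if end is not None and today > end:
            out.append(rec.employee_id)
    return out


# Constructed sample data; these are not real employees.
SAMPLE_RECORDS = [
    EmployeeRecord("A", "i9", date(2013, 1, 15), date(2016, 6, 30)),   # keep until 2017-06-30
    EmployeeRecord("B", "i9", date(2016, 3, 1), date(2016, 9, 1)),     # hire+3y wins: 2019-03-01
    EmployeeRecord("C", "payroll", date(2010, 2, 1), date(2014, 5, 1)),  # keep until 2017-05-01
    EmployeeRecord("D", "benefits", date(2015, 7, 1), date(2017, 1, 1)),  # keep until 2018-01-01
    EmployeeRecord("E", "i9", date(2010, 4, 12), None),                # still employed: keep
]

if __name__ == "__main__":
    as_of = date(2017, 8, 10)
    for rec in SAMPLE_RECORDS:
        print(rec.employee_id, rec.record_type, retention_end(rec))
    print("purge:", records_to_purge(SAMPLE_RECORDS, as_of))
```

Run it against an export from your HRIS rather than the sample data, and have the purge list reviewed by HR and legal before anything is deleted; a record on litigation hold must be kept regardless of the schedule, which is why the script only reports and never deletes.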
With awareness and preparedness, your company can lower the odds of being hacked and limit the damage when an attack does get through. You can share with your customers and employees the measures you have taken so that they feel secure. The right consultant can help you design policies, create training and choose systems that are right for your company.