Companies must be prepared for cyber attacks
The hacking of HBO was much worse than what happened to Sony because hackers were becoming more sophisticated when carrying out cyber attacks, according to a report on CBS news. It was confirmed that over 1.5 terabytes of data were lifted in this cyber attack. Through multiple “doors”. Included in this online heist was an upcoming script of Game of Thrones and unaired episodes from other popular shows. Most concerning of all, thousands of internal documents were hacked. The hackers then shared personal information about a senior HBO executive. While sophisticated hackers look at the big companies with big prizes such as HBO and Sony where their expert hacking will be recognized by their dark web peers, this should ring alarm bells for all companies. Some simple tips might mitigate the damage.
1. Sensitive conversations should happen in person
Too often we avoid difficult conversations and shoot off emails instead. Whether about how someone handled a client, or approval or a promotion or raise, or to put someone on a performance program. Make an effort to have these conversations in person. When you speak to someone live and take the time to share feedback, it resonates in the manner in which it was intended, and emails often are taken the wrong way.
Memorializing financial approvals can be done in HRIS systems or in your financial reporting system. Reviews and notes can even be housed in HRIS. The burden of security is in on the software provider and you can ask pointed questions about how they handle security and backup their data to ensure you are protected. Generally speaking, going with a large cloud provider is your best bet. Use a consultant to help select the right system, and to ultimately implement the system. Always ask for references before implementing any system as well. But keep sensitive information off an email, which is the easiest target of a cyber attack. You will also feel better about having had the conversation live.
2. Change passwords often
Work with your IT department to prompt passwords to email and access to company drives changes every thirty days. I know it’s hard to keep changing password, I am the first to admit it, but the reality is this is the first line of defence. Your IT department wants to work with you, always include them in the process. Don’t use versions of your name or date of birth, and include special characters if you can. And never leave sticky notes on your desk with the password on it!
3. Create an Emergency Action Plan, and keep it updated
We usually only think of an Emergency Action Plan in terms of a weather-related event, or a geopolitical event, but if you get hacked, that is an emergency too. Update the protocols and make sure you have a plan in case your company is hacked to close all the entries into your systems and get notifications out to all your employees to change their passwords. You will need a communication plan to your clients as well in case their data was breached. You need to anticipate and protect as much as you can, working with IT and a cloud provider to ensure your servers and data is protected, and in the event of a breach, how to handle. There are consultants who specialize in this area. Creating a plan now will save you time, money and give you, your employees and your clients peace of mind later.
4. Have an IT Policy, and keep it updated
Hackers have simple and sophisticated ways of invading your network. Sometimes it’s with a virus, for example, the Ray-Ban virus on Facebook, or the DropBox phishing scam which came from an email from someone you may have known. When in doubt, always check with your IT department before opening anything you are concerned about. Your first line of defence is having a proper IT policy, and having each employee acknowledge it. Adding mandatory training can close some of the holes the hackers use most often.
5. Store only what you need
Store only what you need, and password protect it. Your customers and employee’s security depends on it. Sensitive health information should be stored in HRIS whenever possible, 1-9’s need to be maintained for three years after hire, one year after termination, payroll records three years from the termination date. Benefits information should be kept for one year after the termination date. This can all be stored in HRIS. Contract and billing information can be stored in your financial reporting system, and if not, can be stored, password-protected, in your drives. Sensitive client information should not remain on email and should be scrubbed from your inbox.
With awareness and preparedness, your company can be prepared to avoid being hacked. You can share with your customers and employees the measures you have taken to make them feel secure. The right consultant can help you design policies, create training and choose systems that are right for your company.
Cathleen Graham, Managing Partner of Cheer Partners, has more than 20 years’ experience as an HR and Talent leader across the communications, management consulting and software industries. Her extensive knowledge spans change management, employee communications, performance modeling, professional development, talent strategies, culture and employee engagement.
She has held C-suite level global roles for the last 10 years and has a track record of helping companies define their talent strategies to meet their corporate goals. She frequently guest lectures at Georgetown and NYU and is an active participant at TED conferences.