
If you have tried to send mail abroad recently you will have noticed that Royal Mail has been hit by ransomware, which stopped it sending mail outside the UK. Could it happen to you? Yes, it could. How do you prevent it?

There are two principal ways in which you could be vulnerable: poor cybersecurity and social engineering. The former is the province of IT specialists (links below); the latter is largely an HR issue, which we address here.

Social engineering

Here are some examples of social engineering, and of the careless habits that make it work. It is far from an exhaustive list.

  • Obvious ones are shared passwords, passwords changed so frequently that they end up on post-it notes, and passwords that are never changed, even when an employee leaves.
  • Less obvious: your employee is working away and checks into a hotel. They connect to the free “hotel” Wi-Fi. Except that the Wi-Fi access point does not belong to the hotel; it is sitting in the hacker’s car in the hotel car park, and everything the employee sends through it can be read or tampered with.
  • Laptops are left around carelessly. Reputedly, plans for invading Iraq were once on a laptop stolen from the boot of a car. Other laptops have been left on trains. If the disk is not encrypted, whoever picks the laptop up has everything on it.
  • Information can be gleaned from your website (such as employee names and job titles!) and then used to make any of the scams below more convincing.
  • Innocuous-looking emails. Invariably these ask you to click on a link, which at the very least reveals your IP address and email software to the sender, and may lead to a fake login page or a malware download.
  • Emails that masquerade as HMRC, the Tribunals Service or some other alarming source, with the same outcome.
  • Phone calls set up by a text or email. For example, the employee receives a spam text, recognises it as spam and discards it. It is followed by a seemingly authoritative call, from a bank for example, asking whether they have received such a text or email. When the employee confirms that they have, the caller suggests that an account has been compromised and then asks for security information so that they can “secure the account”. A genuine bank will never ask for a full password or PIN over the phone; the safe response is to hang up and call back on the number printed on the card.
  • Many devices in a typical workplace are connected locally by wireless. If one of these devices is hacked and made to stop working, the resulting disruption sets up a plausible call from a fake “IT” caller offering to fix it, with the likely result that passwords are handed over.
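The HMRC-style email in the list above leans on two tricks: link text that names one website while the link itself goes to another, and a domain that borrows the HMRC name without actually being under gov.uk. The Python below is an added example written for this post, not the author's code or any product's; it checks both tricks against a constructed sample email using only the standard library. The brand-to-domain table is an assumption for illustration (HMRC's genuine services live under gov.uk, Royal Mail's under royalmail.com); extend it with the organisations your staff deal with.

```python
"""Flag suspicious links in an email body.

Two checks: (1) visible link text names one host but the href goes to a
different host; (2) the href host borrows a brand name (HMRC, Royal Mail)
without being under that brand's genuine domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed table for this example: brand keyword -> genuine domain suffixes.
BRAND_DOMAINS = {
    "hmrc": ("gov.uk",),
    "royalmail": ("royalmail.com",),
}

# Visible text that looks like a web address, e.g. "www.gov.uk/hmrc".
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host of a URL; '' for mailto:, javascript: or no host.
    A bare domain without a scheme ('www.gov.uk/x') is treated as http."""
    s = url.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*:", s, re.I):
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def display_host(text):
    """Host named by the visible link text, or '' if it is not URL-like."""
    t = text.strip()
    return host_of(t) if URL_LIKE.match(t) else ""


def is_lookalike(host):
    """True if host contains a brand keyword but is not under its real domain."""
    flat = host.replace("-", "")
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in flat and not any(
                host == g or host.endswith("." + g) for g in genuine):
            return True
    return False


def suspicious_links(html_body):
    """Return [(href, reason), ...] for links that fail either check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = display_host(text)
        reasons = []
        if shown and target and shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
        if target and is_lookalike(target):
            reasons.append(f"{target} imitates a known brand")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample email for this example; not a real message.
SAMPLE_EMAIL = """<p>Dear employee,</p>
<p>Your tax refund is waiting. Sign in at
<a href="http://hmrc-refunds-gov.uk.example.net/login">https://www.gov.uk/hmrc</a>
within 24 hours. Our <a href="https://www.gov.uk/contact-hmrc">contact page</a>
has more details. Or use <a href="http://hmrc-secure.com/">this link</a>.</p>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run the file and it reports the first and third links; the genuine gov.uk link passes both checks. The same two checks are what an employee should apply by hand: hover over the link, compare the real destination with the text, and ask whether the domain is the organisation's own or merely contains its name.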

What you can do

  • Review your email and internet policy for vulnerabilities.
  • Implement your policy.
  • Alert employees to the various ruses used by hackers and ransomware companies.
  • Develop a robust password policy: a different password for each system, a password manager rather than post-it notes, and multi-factor authentication wherever it is offered.
  • Keep company information in centrally managed cloud services rather than on individual laptops or desk machines, and make sure those services are protected by multi-factor authentication and by backups that ransomware cannot reach. A cloud folder that syncs from a laptop will happily sync the encrypted files too.
  • Be prepared to use your disciplinary procedure, where appropriate.
  • Garden leave – consider including a clause restricting access to work emails, computer systems or databases.
  • Disable or remove employee accounts, and change any shared passwords they knew, as soon as they leave.
  • Use an accredited external supplier to audit your systems and vulnerabilities.

IT cyber specialists of whom we have experience:

Itek Computer Solutions

Q2Q

Don’t allow your business to be subject to ransomware!

Malcolm Martin FCIPD

Author Human Resource Practice

Blogs are for general guidance and are not an authoritative statement of the law.