When we grew up, we were taught simple, basic rules for safety. Don't talk to strangers. Don't take your money out in public. Look both ways before crossing the street. Don't take candy from strangers.
In light of the continuing series of data breaches at large and otherwise successful and seemingly very secure companies, we need to be teaching younger professionals as well as ourselves a similar set of basic safety rules for corporate IT security. Just ask Beth Jacob, who used to be the head of technology at Target, until she resigned in March after a major data breach of customers' credit card numbers. Or AOL, whose subscribers suffered a massive spam surge after its internal network was penetrated. Or Heather Bearfield, National Leader of Marcum's Technology Assurance Services Practice group, who advises our clients about their potential security vulnerabilities.
Heather spends a lot of time finding and pointing out the weak links in our clients' IT systems and advising them about how to strengthen them. She says CEOs are often the biggest culprits when it comes to lax protocols because they think that they spend so much on IT that they have a false sense of security. They think their infrastructure is airtight; they don't realize that they could be a target. You might be surprised at some of the things Heather’s team has seen in supposedly secure offices – or maybe you wouldn't. Employees posting passwords on sticky notes. Employees leaving "secure" workstations with their screens still live. Clicking bad links, having laptops stolen, losing thumb drives and company phones. And so on.
The importance of data security may seem obvious, but younger employees especially may not always recognize the inherent need for following a safety protocol. The newest generation of workers grew up in an age of technology. They are the Jetsons. They take a lot of this stuff for granted. We are the Flintstones. We have to work at it.
Working online has become so ubiquitous to the way we do business that it's easy to brush off some of the simple but easy-to-avoid steps we should all be taking to reduce the vulnerability that complacency can create.
As always, our best safety net is the tried-and-true childhood advice our moms gave us.
Don't talk to strangers. People you don't know don't want to wish you a happy birthday. If you receive an email solicitation from someone you don't know or about a subject you don't know, forward it to your IT department for blacklisting if you can and delete it unopened from your inbox. Listen to your gut. If it doesn't feel right, don't click the link.
Don't take your money out in public. Are you working in a Starbucks or an airport with your company's financials up on your screen? Are you keying your password in clear sight of others? People with nefarious goals know they can find unsuspecting targets in open-access environments. Be aware of your physical surroundings and the inherent risks of working in a public place.
Look both ways before crossing. When it comes to social networking sites like Facebook, you are in the middle of a digital intersection with traffic coming from all directions. You may be offering snooping eyes a lot more information than you think. Even if your password is safeguarded, your security questions may be vulnerable to attack. If someone can look at your FB page, they can find out enough about your personal life to figure out things like your mother's maiden name, which is often the security question for bank and credit card accounts. And speaking of passwords, don't use dictionary words or names unless you also utilize numbers and special characters. Also remember that any information or photos you post can be captured and reproduced; Snapchat is forever.
Don't take candy from strangers. Business networks are plagued by phishing scams. If someone's offering you something that's too good to be true, it's too good to be true. Don't take the bait. Report it to your IT dept.
Remember: The sticky note you or your employee writes today may be the threat that shuts down your network tomorrow. Don't do it, and don't wait to make sure that no one else in your company is doing it. Make IT security a top priority now.
Heather Bearfield and Julie Gross Gelfand contributed to this posting.