What you need to know about office security best practices

Keeping an office environment safe involves more than simply locking the doors at night.

Office security includes a company’s network, email, software, printers, and its practices for protecting paper records. More and more businesses rely on technology to store their information, and while this offers convenience, it also comes with challenges and risks.

Cybercriminals don’t seem to ever rest. They pose a real and ongoing threat to your business — as well as to the clients who entrust you with their sensitive information. It’s important to stay ahead of these threats and challenges.

Here are a few threats to watch for.

Business email compromise (BEC)

Hackers create tailored messages targeting specific employees. It’s worth noting that 90% of all intrusions into a system begin as a result of human error: an employee mistakenly clicking on a link that looks legitimate but is not. As an example, an office manager receives an urgent email that appears to come from the CEO, asking to wire $28,000 to a “vendor” to finalize a transaction. The email uses the CEO’s name and a spoofed address that looks almost identical to the real one (typically, the spoofed address is missing a letter, which someone might not notice at a quick glance). Because the tone and timing appear legitimate, the manager follows through. Days later, the company learns that the email was part of a BEC scam, and the money is gone.

BECs are comparatively easy and effective for a cybercriminal, who will research a company’s LinkedIn profiles and staff emails from websites to create something that looks credible.

FBI statistics paint a daunting picture. From 2016 to 2023, complaints about BEC included 89,756 victims with exposed dollar losses of nearly $17.5 billion. And the numbers seem to be increasing. Don’t be the next victim.

What you can do:

• Provide ongoing training to employees, ensuring they are educated on spotting suspicious emails.

• Implement a policy where employees always verify any requests pertaining to financial transfers or the transmission of sensitive information. Speak with the CEO or person who sent the message and confirm that it’s a real request.

• Utilize email authentication tools to protect your domain from spoofing.
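The lookalike-address check and the email-authentication check described above can be automated at the mail gateway. The following is an added example, not from the article: the domain, the executive name, and the `Authentication-Results` strings are constructed, and the distance threshold of 2 is an assumption.

```python
import re
from email.utils import parseaddr

OWN_DOMAIN = "acme-widgets.example"   # constructed company domain
EXECUTIVES = {"dana reyes"}           # constructed executive display names

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, auth_results: str) -> list[str]:
    """Return reasons to hold a message for out-of-band verification."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain != OWN_DOMAIN:
        # DMARC protects only the exact domain; a near-miss domain can pass its own checks.
        if edit_distance(domain, OWN_DOMAIN) <= 2:
            reasons.append("lookalike-domain")
        if display.strip().lower() in EXECUTIVES:
            reasons.append("executive-name-external")
    elif not re.search(r"\bdmarc=pass\b", auth_results.lower()):
        # Mail claiming our own domain must have passed DMARC at the receiving server.
        reasons.append("own-domain-dmarc-not-pass")
    return reasons

# Constructed sample messages: (From header, Authentication-Results value)
SAMPLES = [
    ("Dana Reyes <dana.reyes@acme-wigets.example>", "mx.example; dmarc=pass"),
    ("Dana Reyes <dana.reyes@acme-widgets.example>", "mx.example; dmarc=fail"),
    ("Dana Reyes <dana.reyes@acme-widgets.example>", "mx.example; dmarc=pass"),
    ("Billing <billing@supplier.example>", "mx.example; dmarc=pass"),
]

if __name__ == "__main__":
    for frm, auth in SAMPLES:
        print(frm, "->", check_sender(frm, auth) or "ok")
```

The first sample passes DMARC for its own domain and is still flagged, which is why the verify-by-phone policy remains necessary alongside email authentication.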

Ransomware

Ransomware is a constant threat, particularly for small and medium-sized businesses. An attack can begin with a phishing email or through vulnerabilities in outdated software. Ransomware can encrypt company data and bring your company’s operations to a screeching halt.

What you can do:

• Invest in secure, cloud-based backups and patch management systems.

• Use automated and regular backups of critical data.

• Store data backups offline in a cloud environment that is not accessible from your company’s main network.

• Divide your internal network so ransomware can’t spread unchecked.

• Isolate systems containing sensitive data, such as finance, payroll, and client data.

• Use firewalls to contain potential infections.

Shadow IT and remote access risks

Shadow IT and remote access are a rising threat to networks. The risk arises when an employee installs an unauthorized app or uses unsecured devices when working off-site. This is a convenient way for cybercriminals to introduce malware, or for a company to be exposed to any number of outside threats.

What you can do:

• Establish and enforce a policy on what devices can and cannot be used.

• Use the latest endpoint-security software.

• Require multi-factor authentication for accessing sensitive data, both on-site and remotely.

• Continue employee training to recognize potential threats.

Smart devices and office tech

Smart devices and office tech vulnerabilities should not be overlooked. Printers and videoconferencing systems are part of your network and can be an entry point for a cybercriminal. An office printer still using its default administrator password, for example, is comparatively easy to hack. Gaining access through devices such as printers and videoconferencing systems allows access to the company’s internal server, which can lead to sensitive information.

What you can do:

• Change passwords frequently.

• Be sure that every device has a unique password.

• Be certain that every device is updated with the latest protection.

• Consider working with an outsourced Managed Services Provider (cybersecurity partner) if it’s more than you can handle internally.

Security should be part of every company’s business plan, whether it’s shredding paper documents or full-scale IT protection. Strong protections will preserve a company’s reputation and save thousands of dollars in lost business and credibility. If you are not partnering with a cybersecurity professional, it is definitely worth having a conversation with one.

• Vince Miceli is vice president of technology at Pulse Technology based in Schaumburg.
