Why SMBs should play this 'game of passwords' in their next team meeting

The Alternative Board shares simple exercises to educate employees about cybersecurity threats.

“It is important to start educating your employees about cybersecurity threats and put policies in place about handling sensitive data,” says Jodie Shaw, chief marketing officer of The Alternative Board (TAB).

“Make sure your data policy includes guidelines around web browsing, downloading files from the internet and email attachments.”

Shaw shares this advice following the results of the latest TAB survey, which reveal that more than half of business owners (52 per cent) report having been victims of some kind of cyber crime.

Yet less than half (46 per cent) have measures in place to protect their businesses against them.

“According to the results, the average business owner spends $8,933 per year on cybersecurity protection,” says Shaw.

She says this is a small investment considering 75 per cent of business owners agree a cyber attack would compromise the profitability of their business.

So what’s preventing business owners from reaching their desired level of cyber protection?

According to the survey, the number one challenge is time (43 per cent), followed by resources (32 per cent), expertise (30 per cent) and capital (29 per cent).

“Whenever business owners cite time as an obstacle, it means they are not effectively delegating,” adds Shaw.

“39 per cent of entrepreneurs believe they are responsible for cybersecurity issues affecting their business – but it’s a task that could easily be outsourced to outside firms/consultants.”

Game of threats and passwords

Shaw shares at least two steps business owners can take right now to highlight how easy it is for a hacker to infiltrate the company’s network.

The first, she says, is to mimic the ways hackers gain entry into a company’s technology networks.

“To do this, send an email from an address you create on a free email account to everyone in the company,” she tells CIO New Zealand.

“The body of the email should be simple, like ‘Hey check this out’ and include a link to a safe website for the purpose of this exercise. When you send the email from this newly set up email, most email send programmes allow you to mask the email with a Sender Name versus the actual address, so choose a senior executive, the owner’s name as the person who sent this email to your team.”

She explains: “Many hackers use the names of people inside your address book to get you to open and click on a link.

“When emails are sent, they appear like someone you know, but the actual sending address is very different. After you send the email, the email program will tell you what percentage of your team will be tempted to open a link.”

Shaw says she did this with one company, and the results were “astounding”.

About 20 per cent of staff opened the email and clicked the link. “I was able to use this information as a training exercise to show the team how easy it is to get people to open and click emails.”
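The mismatch Shaw describes, a trusted sender name paired with an unrelated sending address, can be checked mechanically on incoming mail. The following is an added example, not part of the original article; the domain `company.example`, the protected names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example (not from the article): the company's mail
# domain and the names staff are most likely to trust on sight.
COMPANY_DOMAINS = {"company.example"}
PROTECTED_NAMES = {"jane owner", "sam director"}

def check_sender(raw_message):
    """Classify one raw message by comparing From display name and address."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    if "@" not in address:
        return "unparseable"
    domain = address.rpartition("@")[2].lower()
    name = " ".join(display.lower().split())  # normalise case and spacing
    if domain in COMPANY_DOMAINS:
        return "internal"
    # Trusted name, or a company address typed into the name field,
    # paired with an outside sending address.
    if name in PROTECTED_NAMES or any(d in name for d in COMPANY_DOMAINS):
        return "display-name-mismatch"
    return "external"

# Constructed sample messages (headers only), labelled by what they show.
SAMPLES = {
    "real_internal": "From: Jane Owner <jane.owner@company.example>\nSubject: Q3\n\n",
    "spoofed_name": 'From: "Jane  OWNER" <promo1234@freemail.example>\nSubject: Hey check this out\n\n',
    "address_in_name": 'From: "jane.owner@company.example" <x@freemail.example>\nSubject: Invoice\n\n',
    "ordinary_external": "From: Supplier Ltd <accounts@supplier.example>\nSubject: Order\n\n",
    "missing_from": "Subject: no sender\n\n",
}

def triage(samples):
    """Return {label: verdict} for a dict of raw messages."""
    return {label: check_sender(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:18} {verdict}")
```

The "internal" verdict only means the From address claims a company domain; that address can itself be forged, so this check complements sender authentication (SPF, DKIM, DMARC) and does not replace it.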

Another great way to educate your team on how easy it is to infiltrate technology systems is to ask everyone to stand at your next team meeting.

Then ask them to sit when one of these statements is true about their password:

  • ‘My password contains the name of my pet.’

  • ‘My password contains the year I was born.’

  • ‘My password does not contain a special character.’

  • ‘My password is my child’s name.’ etc.

She suggests coming up with 20 or so statements to help highlight the use of strong passwords.

In a recent report, Microsoft likewise advises organisations to reduce the risk of credential compromise by educating users on why they should avoid simple passwords, enforcing multi-factor authentication and applying alternative authentication methods (e.g. gesture or PIN).

Cloud-based user account attacks have increased 300 per cent from last year, showing that attackers have found a new favourite target, reports Microsoft in its latest Security Intelligence Report.

“A large majority of these compromises are the result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services,” the report states.

The report says organisations should enforce security policies that control access to sensitive data and limit corporate network access to appropriate users, locations, devices, and operating systems (OS).

Staff are advised not to work in public wifi hotspots where attackers could eavesdrop on their communications, capture logins and passwords, and access personal data.

Microsoft says it is also important to regularly update operating systems and other software to ensure the latest patches are installed.

Send news tips and comments to divina_paredes@idg.co.nz

Follow Divina Paredes on Twitter: @divinap
