Thursday, 21 January 2021

Business.com

How to Decide if a Permanent WFH Model Makes Sense for your Business

Posted: 20 Jan 2021 02:30 PM PST

When COVID-19 began its worldwide spread early in 2020, businesses of all shapes and sizes had to transition employees to ad hoc work-from-home schemes. As it turned out, the world didn't come crashing down around those businesses. Instead, surveys show that 94% of such businesses have the same or higher productivity levels since the pandemic began.

That raises a valid question: Should more businesses think about making remote work a permanent feature of their operations?

That's a tricky decision to make. Businesses open to such a move should carefully analyze their needs, weighing them against the possible limitations of a remote workforce. Here are the steps to figure out if it's a good long-term solution for your business and prepare for a permanent shift to remote work if so.

Step 1: Break down job descriptions.

The first step in a permanent transition to remote work is to take an inventory of the day-to-day tasks that employees were doing onsite. It's critical to break down everyone's work to this level, because it will help you identify current roles that aren't well suited to a remote setting and which ones would make the transition easily.

Remember, there's no reason that your business has to adhere to previously defined job roles. For example, if you discover a handful of accounting tasks that require an onsite presence, you might consolidate them into a single new position and group the rest of the work into new remote-eligible roles. But don't get discouraged if you find a mountain of tasks that call for an in-office worker – after all, most workflows weren't conceived with remote workers in mind and will need some updates.

Step 2: Retool workflows.

Once you've identified the various tasks current workers do that won't work in a remote setting, look for ways to adapt those tasks to remote work. In general, this task will go hand in hand with other efforts in digitization and automation. For the most part, anything that isn't a manufacturing process should have a path toward a digitized process.

At this stage, it's not necessary to undertake the actual work of digitizing workflows unless it's part of a preexisting plan. You'll want to total up the costs that come with the effort to use in your cost-benefit analysis of your remote work plan. At that point, you might find that sticking with in-office work makes more financial sense or that a phased transition is more appropriate, so it's wise to put off changes.

Step 3: Analyze capital costs.

In most cases, reconfiguring workflows and preparing your business's infrastructure to handle remote workers for the long term won't be cheap. But that doesn't mean it's not worth it. To find out, you'll need to add up all of the costs associated with transitioning your workforce to their new mode of operation and supporting them going forward.

This is where things start to get complicated. You'll need to factor in at-home liability for employees, new cybersecurity needs and everything in between. Depending on where your business operates, it might incur all kinds of costs that you may not be anticipating, such as these:

  • State-mandated employee expense reimbursements
  • Infrastructure costs (providing secure remote access, at-home work equipment, connectivity)
  • Remote tech support
  • Unified communications tools
  • Costs to break leases if office downsizing is necessary

It's important to be as thorough as possible in identifying the costs involved. The closer your estimates are to reality, the more informed your decision on a long-term remote work plan will be.

Step 4: Calculate cost savings.

When you get over the sticker shock from your cost analysis, look at how the move to working from home will save your business money. There are likely to be plenty of cost savings, both obvious and otherwise. It's also important to recognize that many of the indirect benefits could save your business a small fortune in the long run.

For example, studies have demonstrated that remote workers take fewer sick days and tend to reduce absenteeism overall. That can save a business more than you might expect. According to the CDC, absenteeism costs businesses around $1,685 per employee in lost productivity every year, so even a marginal improvement can lead to significant savings.

Remote work typically boosts employee retention as well. According to Crain's Future of Work survey, 78% of employees list flexible work and telecommuting options as the most effective nonmonetary retention tools businesses can offer. Considering that even low-wage, high-turnover workers cost up to 16% of their annual salary to replace, the cost savings there might be more than you'd imagine.

Step 5: Project your ROI.

By now, it's becoming fairly obvious how well a permanent work-from-home program might work for your company. If a cursory comparison of your costs and savings shows that you're coming out ahead, things are headed in the right direction. But if it appears at first glance that the costs outweigh the benefits, that doesn't automatically mean that working from home is a nonstarter for your business.

What you need is a full projection of your return on investment, looking forward at least five years from the date your work-from-home program begins. It should account for the fact that year one will likely see above-average costs owing to facility changes, one-time technology purchases and other short-term outlays. But by the fifth year, the combined savings on facilities, employee turnover, low in-office productivity and infrastructure should have put the business back in the black overall.

Step 6: Make the decision.

After going through all of those steps, you should now know approximately what it'll take for your business to extend its remote work policy permanently to some or all of its employees. You should also know how much the move will positively or negatively impact your bottom line. But in the real world, that's not all there is to the decision.

With all of the data in hand, it's time to decide if your business has the financial wherewithal to roll out a work-from-home plan immediately or if it's a better idea to phase it in gradually. It could turn out that existing facility leases or capital costs make it impossible to move forward right away. In that case, it's a good idea to revisit your earlier projections and gauge what it would take to prepare your organization over two or more fiscal years for an eventual move to permanent remote work.

In all likelihood, you will find a viable path to embrace a work-from-home model. Once that's established, discuss the potential plans with all of the stakeholders involved. Remember, not every employee will be thrilled with the idea of working from home some or all of the time, and not every team will thrive under those conditions.

If it appears that all systems are go, you should have a decent road map on how to proceed. Then, all that's left is to execute the plan and make whatever changes make sense along the way. If all goes well, your business will be all set to face the future of work – and enjoy its benefits today.

How to Find the Best Manufacturing Partner for a New E-Commerce Brand

Posted: 20 Jan 2021 12:00 PM PST

There has never been a more lucrative time to start an e-commerce business than right now, and with so many first-time entrepreneurs attempting to start private label brands or operate a dropshipping business model, I wanted to touch on one topic I'm very familiar with: aligning with the best manufacturing partner.

Your manufacturing partner plays a tremendous role in the success or failure of your business. I have firsthand experience sourcing manufacturers and dealing with every stage along the way, from idea inception to the final design rolling off the production line. One of my businesses, REX Fitness, is a portable home gym, which took off quickly due to COVID-19 and many gyms across the country closing. 

Let's dive into seven ways you can identify the best manufacturing partner for your e-commerce brand.

Understand the pros and cons of U.S. vs. overseas manufacturing.

One of the biggest decisions you will have to make is whether a U.S.-based manufacturer or an overseas manufacturer is the best option for your specific brand. There are pros and cons to both.

While the cost to manufacture items will typically be lower overseas, you must pay close attention to shipping costs and production delays.

It's important to look beyond the cost per item; the pandemic has caused shipping costs to skyrocket, and it's created a production backlog. While the price per item might be much lower, when you factor in the shipping costs, they might be very similar.

Evaluate everything as a whole – cost, shipping, quality and production time – to find the best option for your business.

Research various resources to identify potential manufacturers.

When looking for overseas manufacturers, Alibaba is one resource. You always want to be very careful, regardless of where you are looking for suppliers and manufacturers.

There are other online resources, including DHGate and AliExpress, that you can use to find potential candidates. If you are set on a U.S. manufacturing partner, use Google. I'd suggest looking into all available options.

Conduct proper due diligence.

Never assume all of the information listed by a manufacturer is correct. You will find that some are not the actual manufacturing facility, acting as a middleman to source your needs. You can do a lot of digging on your own simply by searching online.

You can then take that a step further and conduct Google Maps searches to make sure they have a listing and their address matches what is shown on their listing. If you need more reassurance, request a video tour of their facility. This can be conducted via FaceTime or Skype, and it shouldn't be an issue if they are serious about winning your business.

This is also a good way to see how organized and clean their manufacturing facility is, both of which are good indicators of how they conduct business. Messy, filthy, unorganized facilities are a major red flag.

Interview to find the best options.

Once you have several candidates lined up, schedule a time to speak with them. The ones in the U.S. will be easy to coordinate with, but the overseas companies will require that you wake up very early to get this done.

Zoom is a great way to communicate, and it allows you to get a good sense of their personality and how prompt they are. Remember, this is an audition. If a company is late to the call or cancels at the last minute, it's a strong sign that you may face problems with them in the future.

If someone cannot show up to the very first call on time, I cross them off my list of potentials. Talk business, but also exchange back-and-forth small talk to get a sense of whether or not your personalities will be able to communicate well. You must have a strong relationship with your manufacturer and be able to easily communicate with them.

Negotiate pricing and MOQs.

There is typically some wiggle room available with the price quote and minimum order quantity (MOQ) given by a manufacturer. In addition to these two items, ask for a shipping quote, and cross-reference it with your own shipping quotes. It's not uncommon that the quote they provide for shipping, for example, is higher than what the shipping companies will quote you directly.

Test quality and speed with a sample order.

While starting a new e-commerce brand is exciting and you want to get rolling as quickly as possible, you don't want to go all-in on a huge order without first testing the manufacturer's quality as well as their speed and communication.

Place a small order so you can examine the product in-hand, and if you are doing a custom branded product, pay extra if you have to for the manufacturer to customize every aspect, which is exactly what you will be doing when ordering in large quantities.

You need to examine everything, from product labels to the overall presentation and packaging of the item. The quality of your product is a direct representation of your business. A consumer isn't going to pick up a product and say, "Wow, brand X's manufacturer is sloppy." They will say, "Wow, brand X is a low-quality product."

Always have a backup option.

Even after you spend the time conducting your due diligence and putting every prospective manufacturer through a rigorous screening process, it doesn't mean that your first manufacturer relationship is going to be smooth sailing.

In the best interest of your business, you should have a backup in place at all times. Your second choice needs to be kept on the back burner, and you can implement a 90/10 rule to keep them on standby.

Have 90% of your manufacturing done by your first choice. Have the second choice, your backup, do 10% of the manufacturing. This keeps that backup option warm at all times, and in the event you need to switch to them, they will be up to speed, and it can result in a much smoother transition.

How New-Age Social Media Marketing Is Changing and What You Need to Know

Posted: 20 Jan 2021 11:00 AM PST

Social media has become an important, if not the most important, component of digital marketing strategies for brands and businesses of all sizes. Leveraging the power of social media requires that you stay up to date with its ever-changing landscape.

The strategies that were effective a couple of months ago won't necessarily generate the same results today. Why? Consumer behavior changes, social media platforms change, and new platforms evolve and become more popular.

As consumers change how they use and engage with social media, marketers must adjust in order to reach their target audience. Remaining at the forefront of social media ensures your strategy is always current and provides you with a competitive advantage.

How has social media marketing changed?

A brand can no longer cross-post generic content across all of their social media channels and expect it to produce results. Furthermore, social media content cannot be blatant advertisements – consumers are immune to this type of marketing.

You need to stand out and be memorable on social media. Today, a results-driven social media marketing strategy must include the following:

  • Campaigns on the platforms where your target consumers' attention is present

  • Highly creative content specifically created for each platform

  • Unique ways to encourage UGC (user-generated content)

Let's dive into a half-dozen ways that new-age social media is changing and what you need to focus on to drive the best results for your business or brand.

Video content is providing the best brand engagement opportunities

Video content is preferred by social media users. As a brand, you have to create content in the format your audience prefers.

While you might think traditional Instagram image posts are more fit for your business, you have to go where the engagement opportunity is. Currently, that is established social media channels that have specific functionality for video content (Instagram, Facebook, YouTube), as well as video-focused social networks like TikTok and Triller, which are newer. 

E-commerce in-app opportunities continue to evolve

In 2021, look for e-commerce to become even more prevalent on social media and for more in-app purchase options to become available. Instagram's latest app update placed its "Shop" feature icon where users previously accessed their notifications.

While it was a move that many considered a bit sneaky, it's a clear sign that Instagram is full steam ahead when it comes to expanding its Shops feature. Watch for TikTok to roll out in-app e-commerce shortly as well.

Earlier in the year, TikTok announced a partnership with Shopify, the world's largest e-commerce platform, to allow its merchants to seamlessly advertise on TikTok. The most interesting piece of information from that announcement was the mention of the two companies working to release new in-app features down the line.

Influencer marketing must now be on-brand and authentic

In the early days of influencer marketing, before it was even referred to as "influencer marketing," you could drive insanely high volume simply by having an account with a large following promote your product or service in a post.

Social media audiences had never been exposed to this type of marketing, so it converted at high rates. So high that it quickly became the preferred marketing channel for many brands. Several direct-to-consumer brands launched and scaled wildly only using influencer marketing. Fashion Nova is a great example – a now half a billion-dollar brand that quickly went from obscurity a few years ago to now having nearly 20 million Instagram followers. They achieved this massive growth by simply outspending any other brand on influencer marketing.

Times have changed, though, and follower count alone is irrelevant. Microinfluencers who have a highly engaged following perfectly matched to your target audience are the way to go. The way they promote your brand needs to be natural and authentic – holding a product and smiling simply doesn't cut it any longer.

Long-term brand partnerships with creators who value your brand are by far the most valuable form of influencer marketing. It allows the relationship to evolve, and for the influencer's audience to be introduced to your brand naturally. 

No longer can you simply force your brand down the throat of consumers through any influencer with a big following. Authentic content featuring your brand, promoted by specific influencers who value your product or service, is by far the most effective method for results.

User-generated content is outperforming traditional advertisements

According to Jon Simpson in this article, digital marketing experts estimate that most Americans are exposed to around 4,000 to 10,000 ads each day. If you take a minute to scroll through all of your social media feeds, you will undoubtedly come in contact with advertisements, several of them on each platform.

Multiply this by the number of times you open these apps, and you can see how that estimate is spot-on. Consumers are becoming more immune to traditional advertising every day. They can smell a hard sell from a mile away, and if you are running campaigns that are too salesy, the results are going to be dismal at best.

UGC, or user-generated content, is a great way to attract brand awareness while also giving you highly effective social proof. A marketing message that features an actual user of a product or service sells better than a creative ad consisting of professional photography and high production-value video.

Incentivize your customers to create UGC for your brand. Create a campaign utilizing a brand-specific hashtag that awards customers with free products, discounts or other special offers. Document the standouts on your social media accounts – it's a quick way to create a UGC snowball effect.

Social media is now a customer service branch

Don't think of your social media accounts as just a selling platform; they have evolved into much more than that. Now, social media is a customer service channel as much as it is a marketing channel.

When a consumer has a question or a complaint, where do they turn? Social media. From Instagram and Twitter DMs to Facebook messages, a large percentage of customer service inquiries originate on social media.

Your commitment to customer service on social media plays a huge role in your brand's success. Consumers love to voice their opinion of brands, both positive and negative, on social media.

Taking the time to make sure all of your inbound customer service requests are handled quickly and satisfactorily can create an army of loyal supporters who will shout you out, tag your profiles and refer business your way. Most CRM platforms have social integrations, making it easy for your customer service team to monitor messages sent in via your social media accounts.

There are now more legalities and regulatory control

Social media isn't the free-for-all it once was. Now, there is increased regulatory control, and brands need to also be well aware of legalities regarding influencer and partnership disclosures. Simply put, you have to be extremely transparent when marketing on social media.

The Federal Trade Commission has specific disclosures for social media influencers. If you are hiring influencers, you need to make sure they follow them, as their failure to do so can come back to bite you. Also, as the FTC probes into the collection and use of consumer data, it is likely to change how many data points you can use in the future for targeting paid ads.

The reach and effectiveness of paid ads in terms of the ability to laser-target audiences could be changing very soon. Facebook has already addressed how Apple's iOS 14 update may impact its advertisers. If paid ads on Facebook and Instagram are a major piece of your marketing pie, I highly recommend that you spend time testing and perfecting different organic strategies.

How Double-Entry Accounting Works

Posted: 20 Jan 2021 05:30 AM PST

While some companies use the same ledger to track all of their expenses and profits, others use a method – double-entry accounting – that provides a more holistic view of their finances. Double-entry accounting looks at more than just what is coming in and what is going out; it looks at the different areas that money is coming in and out of.

What is double-entry accounting?

Double-entry accounting is based on the principle that a financial transaction recorded in one place as a credit (cash earned by your company) must elsewhere be recorded as a debit (cash lost by your company). Think of it as Newton's third law but applied to accounting: All transactions have an equal and opposite transaction. You can also represent double-entry accounting with the following mathematical equation:

Assets = Liabilities + Equity

Double-entry accounting, despite not being a mandatory accounting method, is used by many small to midsize businesses. If the accountant you've hired for your company has included a credit and debit column in your general ledger, your company is likely already using double-entry accounting. You're also likely using double-entry accounting if cash isn't your company's only account and instead you have a chart of accounts that paints a complex, detailed picture of your company's finances.




How does double-entry accounting work?

Double-entry accounting may sound needlessly complicated, but it's quite straightforward – in fact, it's the very basis of modern accounting. Under double-entry accounting, every time your company makes a transaction, the transaction is recorded in the left-hand credit column if its value is positive. Negative transaction values are recorded in the right-hand debit column.

Your cash account isn't your only business account that gets this treatment – all your accounts are structured as such. Since double-entry accounting means that a debit in one account is a credit in another account and vice versa, the total value of all your accounts during a given period – a sum known as your company's trial balance – should be zero.

Examples of double-entry accounting

Let's say you own a company that sells phone cases for $30 per case. If your company sells two phone cases, your bookkeeper or accountant will record a credit of $60 ($30 x 2) in your cash account. Your bookkeeper or accountant will also record a $60 debit in your inventory account, because with two fewer phone cases in your inventory, your inventory's cash value has decreased by $60, the value of two phone cases. (Note that in this example, since both cash and inventory are assets, their equal but opposite values balance the double-entry accounting equation.)

Another example may make double-entry accounting even clearer. Let's say that each phone case in your inventory costs $25 to acquire, and you initially ordered 50 phone cases. That means you spent $1,250 on your inventory. However, since you used your business credit card to buy the cases, you have $1,250 in your loan account. In your assets, your $1,250 increase in inventory is recorded as a credit, and in your loans account, your $1,250 loan is recorded as a debit. As such, in the double-entry accounting equation, your $1,250 assets debit balances your $1,250 liabilities credit. When you repay this loan, you debit your loans account $1,250 and credit your cash account for the same amount.

For our final example, let's go back to the invoicing scenario posed earlier. When you send an invoice to a client, the value of the invoice is recorded as a credit in accounts receivable but a debit in your sales account. Once your client pays the invoice, you record its value as a credit in your cash account and a debit in your accounts receivable account. As such, you'll have the cash you need to pay your team – and when you pay these wages, they become a credit on your wages account and a debit on your cash account.

Types of accounts

In the above examples, you may have noticed several different transactions – cash from a customer to your company, cash value lost in inventory, and money borrowed from a creditor. In double-entry accounting, all transactions can be grouped into one of seven different types of accounts:

  1. Assets: What your company owns, including cash, accounts receivables and equipment
  2. Liabilities: What your company owes, including accounts payable and loans
  3. Equities: The amount of your company's value tied up in shareholder stocks
  4. Revenues: The amount of money your company earns from selling its products or services
  5. Expenses: What your company spends to cover its operations, including rent, utilities and employee wages
  6. Gains: What your company earns by selling an asset
  7. Losses: What your company loses by selling an asset

Benefits of double-entry accounting

There are myriad reasons why most businesses use double-entry accounting. Among the benefits that accompany double-entry accounting are:

  • A thorough understanding of your finances. Since an amount recorded in one account is recorded in another account, double-entry accounting gives you a complete picture of your company's finances. If your cash flow is lacking, you'll see where your cash is tied up, be it accounts receivables or overspending on supplies.
  • Fewer accounting errors. Since double-entry accounting by definition requires the total value of all your accounts to equal zero, you'll know you have accounting errors if your total value isn't zero. Granted, finding the sources of these errors may take work, but in double-entry accounting, errors are usually less frequent, given the clear credit and debit columns in each of your accounts. Plus, under double-entry accounting, you'll know to always pair a transaction with an equal and opposite transaction elsewhere. 
  • Easy conversion into financial statements. Through financial statements, you can quickly see your company's assets, liabilities, equity, cash flow, profit and many other metrics vital to your financial well-being. Double-entry accounting facilitates the creation of these statements, since the value of your company's accounts will always be apparent. And these statements are good for more than your own internal use: They are beneficial when you are seeking debt or equity financing. 
  • More transparent finances. The credit-debit columns and numerous account types fundamental to double-entry accounting give a comprehensive view of your company's spending and earning. As such, your company's finances will be clear to you, your accounting team and any funding sources who ask for your financial statements. 
  • The ability to hold yourself and your clients accountable. Double-entry accounting clearly indicates when your clients owe you money and when you owe money to employees or vendors. That means more accountable business practices for you and everyone you work with, since you'll know when to ask for money you're owed and pay other people.
  • It's the common standard. Most businesses use double-entry accounting. Investors, banks and any parties you're working with toward a merger or acquisition may feel less inclined to work with your company if you use single-entry accounting.

What is the difference between single-entry and double-entry accounting?

Single-entry accounting ledgers represent check registers where each transaction gets one entry. Just as a check deposit or a withdrawal from your checking account is recorded once, in single-entry accounting, you don't record equal and opposite entries for a transaction. Instead, transactions are recorded as positive or negative values in one column.

Alternatively, in single-entry accounting, you can create two separate columns for revenue and costs. However, without recording equal and opposite values of all transactions in another company account, you're still using single-entry accounting despite having two columns.

Although double-entry accounting is far and away the business standard, you can probably get away with single-entry accounting if you're an independent contractor or sole proprietor. That's because, as a one-person operation, you likely have fewer categories to separate expenses than a multiperson business. Additionally, as a one-person operation, you might not have the time to create a chart of accounts and add transactions to two accounts at once. You might thus prefer the simplicity of single-entry accounting.

However, if your work involves storing inventory, paying expenses that facilitate your work or waiting long periods for invoice fulfillment, double-entry accounting may still be better for you. As the above details show, there are numerous reasons double-entry accounting is the standard – in using it, your company could benefit substantially.

Insider Attacks and How to Prevent Them

Posted: 20 Jan 2021 04:30 AM PST

When it comes to cybersecurity for your small business, not all threats come in the form of a faceless hacker feverishly working to gain access to your sensitive data. A growing number of threats come from within a company, whether the attack was willfully perpetrated or not. By understanding the potential risk of an insider attack and recognizing any potential telltale signs, you can mitigate those risks and keep your data safe.

What is an insider attack?

An insider attack, or insider threat, is an instance in which someone with legitimate credentials for your business's networks and assets uses their privileged access to cause harm to the company. The Cybersecurity and Infrastructure Security Agency defines insider threats as data breaches that can include "sabotage, theft, espionage, fraud, and competitive advantage ... often carried out through abusing access rights, theft of materials, and mishandling physical devices." Under that definition, an insider threat can happen for many reasons through a range of methods.

While current employees tend to be a common cause of such an intrusion, anyone with access to your company's data poses a security risk. According to a 2020 Ponemon study, the number of insider threats has grown by 31% in the last two years, with costs inflating to $11.45 million. The study also found that the frequency of such incidents spiked by 47% during that same period. With companies now more reliant on digital communications and remote access of sensitive data than ever before, insider threats are likely to become a more frequent and costly occurrence.

What is the difference between an insider threat and external attack?

While internal attacks stem from someone within the company already having access to the more sensitive areas of your business, an external attack occurs when someone outside of your organization tries to gain access. While both types of intrusions can happen in similar ways, like phishing and malware, the big difference is who's perpetrating the attack.

What are the different types of insider attacks?

Just as there are several ways in which an outsider can gain access to your company's systems, there is more than one way for an insider attack to take place. In nearly every instance of an insider attack, the biggest differentiator is whether your employees, former employees, partners or contractors are in on it from the start.

"The greatest risk to organizations remains the human component of security," said Kon Leong, CEO and co-founder of Silicon Valley data governance company ZL Technologies. "While it is possible to lock down permissions and track data movement against all programmatic access, ensuring that humans don't behave maliciously or negligently has become an even bigger concern now more than ever."

According to a 2019 report by Verizon, the five most common types of insider threats small businesses face are "the careless worker, the inside agent, the disgruntled employee, the malicious insider and the feckless third-party."

Kevin Parker, co-founder of vpnAlert, said these attacks can also be classified as the following: pawn, goof, collaborator and lone wolf. In each of those instances, different methods of attack are taken, different individuals may be involved and different steps could be taken to stymie such threats.

Pawn

In the instance of a pawn insider threat, the individual involved usually has no idea they've been targeted or are causing the problem. In most cases, this happens when an employee has fallen prey to a malicious attack from an outsider, either through a phishing attempt or social engineering. If this happens, it often means that an external threat has gained access to the pawn's credentials, causing the employee to become a compromised insider.

Goof

When employees fail to follow security measures, leaving your company open to external threats, Parker said they fall into the goof category. Purposeful skirting of company guidelines could be the result of trying to make things more convenient for themselves, or they just don't want to follow the rules, making them a particularly negligent insider. Such an act could be as simple as storing company login information in the cloud, which would be easier to access but significantly less secure.

This insider threat, according to a 2020 Cyber Threats Report by Netwrix, has 79% of chief information officers concerned that "users might ignore IT policies and guidelines, increasing security risk." Though these employees don't act with any malicious intent, they often end up accidentally making harmful decisions that leave the company exposed and, in the process, leave a door open for an outsider to gain access.

Collaborator

While the previous two instances were the result of gross negligence or some other digital mishap, attacks that fall into this category have the potential to create a large amount of damage.

Insider attacks that feature a collaborator see employees voluntarily working with a third party to intentionally harm their employer. Not only does this leave your sensitive data potentially exposed to your competitors, but this type of threat is also a major vector of attack for corporate espionage, leading to major financial losses.

Lone wolf

This type of threat can stem from an angry employee, contractor or someone with privileged access looking to actively harm a company.

What are potential points of attack?

The following are some of the ways external forces can try to gain access to your company's data, or internal members of your team can cause harm.

Internal hacking

This sort of attack is the result of a person making the willful decision to do things like steal data, leak access or alter sensitive data.

Email attacks

Phishing attempts are a common way for people to get access to someone's sensitive data. When this is applied to the business setting, the damage can be compounded, as now it's not just an individual's data at risk, but the entire organization's.

"Given the number of ransomware attacks occurring in recent years, email-based threats are getting most of the attention today," said Richard Long, a business continuity consultant at MHA Consulting. "Phishing, malware and ransomware are all types of attacks that come through email; providing access through these emails is almost always unintentional."

Ransomware attacks

Much like email/phishing attacks, ransomware attacks usually get in through an unintentional act by an insider, with downloaded files often acting as the point of entry. These attacks generally result in a company's system getting locked down by a virus, with hackers demanding a payment before the systems can be accessed again. According to Bitdefender's Mid-Year Threat Landscape Report 2020, there was a "715% year-on-year increase in detected and blocked ransomware attacks."

"These attacks can bring a company to a halt by disrupting access to data, shutting users out of their emails and even jamming up phone systems," said Ara Aslanian, CEO of Inverselogic. "Ransomware attacks have shut down critical organizations like schools and hospitals for days, and disrupted supply chains for weeks at a time."

Mobile and cloud storage attacks

With the increased shift to remote work in the wake of the COVID-19 pandemic, employees have relied on mobile and cloud-based storage. With sensitive and personal data both living in the cloud, it's become easier for that data to be compromised. While the existence of this tech isn't necessarily the threat, since it's usually protected pretty well, the problem crops up when people copy sensitive data from a company cloud account to their personal account for easier access.

"Mobile and cloud storage attacks have the potential to be more potent if an employee needs access to data at home; they may put that data in their personal account," Long said. "This puts this information at risk, as many do not have high security on their home systems and networks."

The level of risk depends on how careful the employee is about keeping their personal cloud storage secure, according to Long.

What are examples of insider attacks?

In recent years, several high-profile insider attacks have made international headlines. While the stories sometimes smack of the type of corporate intrigue or international espionage you'd find in a Hollywood blockbuster or New York Times bestseller, these instances are all actual events that took place:

  • Edward Snowden and the U.S. National Security Agency. Whistleblower and former CIA employee Edward Snowden used his privileged access to smuggle highly classified information in a bid to expose highly invasive NSA activities.
  • Tesla data leaked by "disgruntled" employee Martin Tripp. In 2018, electric car manufacturer Tesla and its CEO Elon Musk fell prey to an insider attack when a former employee, Martin Tripp, allegedly gained access to the "manufacturing operating system" to steal a significant amount of proprietary data, which was then transmitted to an unknown third party.
  • Former Coca-Cola employee causes a data breach. Another 2018 incident saw Coca-Cola dealing with a data breach after a former employee was found to be in possession of an external hard drive full of sensitive data. Among that data, according to the massive beverage company, was personal information of up to 8,000 other employees.

How to safeguard your business from insider attacks

There are ways to preempt, identify and stop potential attacks. Though such an intrusion is inherently difficult to recognize as it's taking place, there are ways you can make sure things never get to that point.

Implement employee monitoring software.

There's an entire subsection of business software aimed at protecting your data by keeping tabs on your employees' activities. Through the use of employee monitoring software, an employer can set rules for how data is handled and set triggers that go off when the suspicious activity of a potential insider threat is detected.

"Employee monitoring software can help you spot potential threats by flagging unusual network activity. It can trigger a warning when an employee attempts to access files or databases that are outside of their usual working needs," said Aslanian. "Employee monitoring software can also be used to protect against non-malicious actions that nevertheless expose networks to risk. For instance, it can block access to websites that are high risk for malware."

Establish a "zero-trust" cybersecurity stance.

In many insider attack cases, data became compromised by someone the employer trusted, regardless of whether it was a high-ranking IT manager or someone further down the totem pole. Unfortunately, that may mean that the days of giving someone carte blanche trust over a company's sensitive data are gone.

In taking such a guarded stance, Aslanian said, employers should assume that "any device on a network could be compromised and so requires continuous authentication of users." Those users should also be granted the bare minimum access that they need to do their jobs, he said.
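The monitoring rule described earlier (a warning when someone reaches files outside their usual working needs) and the bare-minimum-access principle above both come down to comparing each access against what that user normally touches. The sketch below is an added example, not code from the article or from any monitoring product; the log format, user names and paths are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logs, format assumed: "ISO-timestamp user action path".
BASELINE_LOG = """\
2021-01-04T09:12:03 alice READ /finance/invoices/jan.xlsx
2021-01-04T09:40:17 alice WRITE /finance/ledger/q1.xlsx
2021-01-05T10:02:44 bob READ /engineering/specs/api.md
2021-01-06T11:15:09 bob WRITE /engineering/builds/notes.txt
2021-01-07T14:21:30 alice READ /shared/handbook.pdf
2021-01-07T15:05:12 bob READ /shared/handbook.pdf
"""

CURRENT_LOG = """\
2021-01-18T09:05:51 alice READ /finance/invoices/feb.xlsx
2021-01-18T22:47:02 bob READ /finance/payroll/salaries.xlsx
2021-01-19T08:30:00 carol READ /hr/reviews/2020.docx
not a log line
2021-01-19T09:00:10 bob WRITE /engineering/builds/notes.txt
"""

def parse(log_text):
    """Yield (timestamp, user, action, top-level area) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)  # path stays whole even if it has spaces
        if len(parts) != 4 or not parts[3].startswith("/"):
            continue  # skip malformed lines instead of crashing the monitor
        ts, user, action, path = parts
        yield ts, user, action, path.split("/")[1]

def build_baseline(log_text):
    """Map each user to the set of top-level areas they normally access."""
    baseline = defaultdict(set)
    for _, user, _, area in parse(log_text):
        baseline[user].add(area)
    return dict(baseline)

def find_anomalies(baseline, log_text):
    """Flag accesses outside a user's baseline, and users with no baseline at all."""
    alerts = []
    for ts, user, _, area in parse(log_text):
        if user not in baseline:
            alerts.append((ts, user, area, "no-baseline"))
        elif area not in baseline[user]:
            alerts.append((ts, user, area, "outside-usual-access"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_LOG), CURRENT_LOG):
        print(alert)
```

An account with no history, such as a new contractor, is reported rather than silently allowed, so someone has to decide what access it should have.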

Provide cybersecurity training to employees.

Part of the issue surrounding insider threats is that many times, these incidents occur by accident. By educating your employees about the importance of keeping data secure, Aslanian said you can create an additional barrier against internal attacks – especially when it comes to things like phishing attempts.

"It's vital to train and continuously refresh employees on the latest phishing email scams," he said. "These are becoming increasingly sophisticated, often spoofing names of senior managers or suppliers to dupe workers into clicking on links. I've even known chief IT officers to fall for these types of scams."
