How salespeople being sloppy with personal data can kill your business

If your salespeople aren’t careful with their personal data, they can leave your business vulnerable.

It’s a lesson I learned from experience.

I was in Mexico City, reached down for my phone—and it was gone.

In a matter of hours, the thieves locked me out of my accounts, downloaded everything from my Google Drive, collected my passwords, and stole $12,000 in crypto.

And I was doing almost everything right.

I used Face ID, two-factor authentication, a recovery email address, and Find My iPhone. But they locked me out of everything and stole my data.

What business data will a thief collect when the same happens to one of your salespeople?

Your business is more vulnerable to attacks than ever before

There’s a reason “cyber incidents” topped the list of business risks on the 2022 Allianz Risk Barometer.

Cybercriminals have learned there’s more to gain from businesses than individuals—and few organizations are prepared for today’s techniques.

Plus, remote work has opened new vulnerabilities. A business is only as secure as its most careless employee's devices and usage habits.

It’s no wonder that the Association of Certified Fraud Examiners found 51% of businesses have uncovered more fraud now than before the pandemic.

And it can happen to anyone. I’ve never been careless with my phone, but mine was pickpocketed and hacked.

Most victims don’t recognize that their identity has been stolen until it’s too late. Criminals can quietly exploit the access for days before the victim notices anything, and the first sign is often getting locked out of an account, as I was.

Hollywood’s idea of a hacker—a computer genius breaching firewalls using complex code—is outdated.

Today’s cybercriminals steal information directly from victims using phishing emails, impersonation, or device theft.

Verizon’s 2021 Data Breach Investigations Report (DBIR) found that 85% of breaches involved a human element, and the median loss in incidents with a financial impact was $21,659.

Just one data breach is all it takes for a motivated thief to wreak havoc on your business.

What kinds of risks do businesses face?

A cybercriminal’s dream is access to a business's financial accounts, but any login data is valuable. The same Verizon report showed that 61% of breaches involved stolen credentials.

Customer, employee, or supplier information fetches a high price on the dark web and can be used for identity theft.

Email accounts give thieves the power to reset passwords across dozens of sites.

And access to any company data lets thieves launch one of the most profitable kinds of attacks—ransomware. The average ransomware demand in 2021 was $5.3 million, representing an increase of 518% over 2020.

Today’s ransomware attacks leverage multiple extortion methods. In addition to encrypting data, gangs can harvest and release sensitive information, contact customers, leak the story to the media, launch distributed-denial-of-service (DDoS) attacks, short sell stock, attack operational infrastructure, and more.

Ransomware is profitable, and it’s on the rise. SonicWall saw more ransomware cases in the first half of 2021 than during all of 2020, representing a year-over-year increase of 151%.

Securing your business starts with changing how your sales team handles security. When it comes to identity theft, prevention is the best defense. Here are some of the most common issues and how to fix them.

1. Reusing the same passwords

Your sales rep chooses the same password for their email, Slack account, and CRM. The problem is that each of these three services is now as vulnerable as the weakest one.

Imagine your employee gets an email from Slack alerting them of possible fraud and requesting they confirm their password. But it’s not from Slack—it’s a phishing email designed to fool recipients into sharing data.

Once the thief has that password, they will immediately try the same email/password combination on every other service worth logging into, which is exactly why one reused password turns a single phish into a full account takeover.

The solution is simple: use a unique, randomly generated password of at least 12 characters for every account, and keep those passwords somewhere secure. As I learned the hard way, where the passwords live matters as much as how strong they are.

I had saved all my passwords in Chrome, which gave them access to everything. The right place to keep password data is in a dedicated password manager that locks itself after a short idle period and requires its master password or a biometric before it fills anything, so that an unlocked phone alone is not enough to open the vault.

2. Sharing passwords with teammates via Slack or email

Almost everyone shares passwords the wrong way.

Passwords you send over Slack or email are searchable and may stay in the cloud even after they’re deleted.

It’s a risk even for “unimportant” accounts. A non-financial business login usually contains a username, associated email, and billing details. Accounts with API access to other services, like Zapier, your Google Calendar, or “Log in with Facebook,” open up additional vulnerabilities.

And even if an account doesn’t have valuable information, a thief can buy products or services through your account and resell them.

The safest solution to password sharing is to avoid it by creating separate user accounts. But if you must share a password, use a secure website that makes a one-time link, or use the secure sharing feature of modern password managers.

3. Not using two-factor authentication properly

Two-factor authentication—entering a one-time code from your phone in addition to your password—can protect even weak passwords. Codes from an authenticator app are derived from a secret stored on the phone and rotate every 30 seconds, so a password alone is no longer enough to log in. The flip side, as I learned, is that whoever holds the phone holds the second factor.

But there’s a good chance your sales reps aren’t using this feature correctly.

For example, I used two-factor authentication on my accounts. But once my phone was stolen, thieves had access to the codes.

Your salespeople should start by setting up two-factor authentication on every site that offers it. And whenever possible, they should opt for an authenticator app like Google Authenticator, Authy, or Okta Verify instead of a text message code, since a text can be read from a lock screen or intercepted in transit.

Require secondary authentication like a passcode, fingerprint, or Face ID to view the codes. (Surprisingly, this isn’t the default setting in every app.) This adds an extra security step if your device is stolen while it’s unlocked, as mine was.

And disable message previews. If your locked phone shows a preview with the content of your messages, thieves can use the codes even if they can’t unlock your phone.
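To make the “whoever holds the phone holds the second factor” point concrete, here is a small, added example of how authenticator codes are actually produced. It is not code from the original article; it implements the public TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) that Google Authenticator, Authy and Okta Verify use. The enrollment secret below is the RFC’s own test seed, not a real account, and the 8-digit output is the RFC’s test-vector format (apps usually show 6 digits). The example shows that a code is a pure function of the stored secret and the clock: anyone with the secret, or with a glimpse of the code in the seconds before it rotates, can log in.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed enrollment secret: RFC 6238's test seed "12345678901234567890" as
# the base32 string an authenticator app would scan from a QR code.
ENROLLED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret as shown in an enrollment QR code (padding optional)."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = STEP_SECONDS) -> int:
    """How long a code observed at time `at` stays valid before the step rolls over."""
    return step - (at % step)


def verify(secret: bytes, code: str, at: int, digits: int = 6,
           step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. `window` extra steps either side tolerate clock drift, which is
    also why a code read off a lock-screen preview can stay usable for a little longer
    than its own step. compare_digest avoids a timing side channel."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + k * step, digits, step), code):
            return True
    return False


if __name__ == "__main__":
    secret = decode_secret(ENROLLED_SECRET_B32)
    now = int(time.time())
    # Same secret, same clock -> same code on the thief's copy of your phone.
    print("current code:", totp(secret, now), "valid for", seconds_remaining(now), "s")
```

Checking against the RFC’s published vectors is the usual sanity test for any TOTP implementation: with this seed and 8 digits, time 59 must yield 94287082 and time 1111111109 must yield 07081804.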

4. Not protecting sensitive information on devices

Cloud services and bring-your-own-device policies come with a downside—every device is a potential gateway to your company’s data.

And few salespeople are protecting those devices as they should. If an unlocked phone or an unencrypted laptop, tablet, or external drive is stolen (and it happens all the time), a thief needs no special skill to read everything on it.

There’s no simple solution to this problem, but several steps can reduce the risk.

In general, follow the “principle of least privilege.” Give fewer people access to fewer accounts and files, and restrict privileges to the absolute minimum. The less access, the less risk.

Set auto-lock on your devices to as short as possible, ideally 30 seconds or even immediately. That’s how the thieves got me. They stole my phone out of my pocket after I had just used it, well before the five-minute auto-lock kicked in.

Put sensitive data—especially personal information or financial data—behind a passcode or biometric lock. Storage on modern phones is encrypted by default, but that encryption only protects a device that is locked, so consider extra in-app protection for sensitive applications, like the authentication apps mentioned earlier.

For computers and laptops, you’ll need to turn on full-disk encryption yourself: FileVault on macOS and BitLocker on Windows. Otherwise, a thief can read everything by pulling the drive and connecting it to another computer, no login required.

5. Plugging in malicious USB drives

An emerging threat involves fraudsters mailing convincing packages that appear to come from trusted vendors and include thumb drives, sometimes with instructions to review important information on the drive.

But in reality, the thumb drive contains malware.

The solution is training. Salespeople should know never to plug an unfamiliar device into their computer, no matter what’s promised.

And importantly, set operating systems to auto-update. A recent study showed that 64% of attacks took advantage of bugs patched over two years ago, on devices that had never received the fix. Patching is not a complete answer here, though: a malicious drive can present itself to the computer as a keyboard and simply type commands, which no update prevents, so training remains the first line of defense.

6. Falling for impersonation scams

Cybercriminals targeting your business aren’t always after the organization. Sometimes they’re targeting your employees.

Messages impersonating a boss are a common and dangerous threat. These typically involve someone posing as a higher-up in the company asking a favor of a subordinate, such as buying prepaid gift cards with the promise of reimbursement later.

But once the employee obliges, their money's gone forever.

This scam usually preys on the employee but can hurt the company as well. Someone buying gift cards for an impatient “manager” could just as easily share the password to a shared account or read out the CVV of the company credit card.

Again, training is the solution. Since I was hacked, I’ve come to learn just a fraction of the ways thieves prey on the unsuspecting. The best response to any unusual, urgent message like this is to confirm on another channel, such as calling your boss about the suspicious email they supposedly wrote, using a number you already have rather than one supplied in the message.

7. Getting phished through spam emails

Phishing uses an email, call, or message purporting to be from a trusted organization, including your own, to request sensitive data. The information you share to “confirm” goes straight to the thief.

Phishing is one of the most prevalent and lucrative ways for a thief to get hold of your information. In the Verizon 2021 dataset, phishing and pretexting (impersonation) made up 43% of fraud cases.

Beyond the request itself, opening attachments or links in spam can install malware, and tracking pixels in the message can tell the sender when and roughly where it was opened.

Consider investing in a phishing training service. In addition to education about common scams, these programs often send mock phishing emails to help employees spot danger.

You can also use security features from your email system. For example, warning notifications about emails from outside the organization can alert users to lookalike addresses purporting to be internal memos.

The final word on data protection for salespeople

Most salespeople think they and their data are secure. I know I did.

But even if you think you’re doing everything right, thieves are searching for opportunities you and your team don’t even know about. Just one slip-up can hand your most important information over to thieves.

There are simple steps to take to protect yourself and your team. Implement them now before it’s too late.