What An Office Manager Needs to Know About Cyber Security

As an office manager, cyber security might fall by the wayside in your day-to-day business operations. However, it’s incredibly important to know how effective cyber security best practices can help your company and prevent any potential data breaches or cyber-attacks. 

While your in-house or outsourced IT department may set security protocols and policies, many cybersecurity responsibilities are left to the office manager. We’ve compiled a list of nine things every office manager needs to know about cyber security. Let’s dive in.

1. Inform New Employees When Onboarding

Let new employees know how serious you are about security management during their very first day of orientation. This is your first chance to review all cyber security policies and reinforce the best practices you expect from Day 1.

However, education shouldn’t stop after the employee’s first day. Schedule regular cyber security training in your company calendar to review best practices, like password management and basic internet safety, and require staff to attend. It is also key to maintain a continually updated list of unauthorized software and websites, and to keep that list where your staff can always consult it. If new programs or websites get added to the list, inform others of the change through a companywide notice.

2. Order IT-Approved Hardware

If ordering computers and other hardware falls under your list of responsibilities, make sure the products you’re buying come from a recommended IT source with high-quality devices. If your company doesn’t have an approved source, work with your IT experts to identify proper choices. Depending on the size of your company, your new employees may need secure devices to help them complete their work, so order early to ensure you have everything you need on time.

3. Keep Hardware and Software Up to Date

Hardware is important to keep current, but what do you do with your old computers, printers, laptops, and other devices after they’ve outlived their office life? If you find yourself recycling your hardware, ensure all data has been removed before you retire any device.

A clear policy on how to initiate data wipes on a computer protects employees’ data, privileged information about the company, and potential confidential client notes from falling into the wrong hands.

4. Determine Access Roles

The process of cyber security management starts with setting the right tech policies, but you can also make sure employees aren’t accessing information they shouldn’t be by limiting their digital reach.

According to Egress, human error accounts for 62 percent of data breaches, and something as simple as having a weak, easy-to-guess password or mistakenly clicking on a phishing link opens your organization up to massive security risks. Assigning access roles will help limit the information your staff could unintentionally leak. 

Keep an organization chart of who should have access to which files and folders, and update it as needed for senior management and the IT department.

5. When Employees Leave, Terminate Their Access

Internal threats can quickly morph into external threats when employees leave a position feeling unsatisfied or are fired. Make it a priority to contact your IT team as soon as the affected worker’s employment ceases so they can remove that person’s access to anything on your network. By the same token, initiate a quarterly sweep of your system to terminate any accounts of former staff that may have slipped through the cracks during the initial system purge.

6. Know You Will Be a Target for Cybercriminals

When most people think of high-value targets for cybercriminals, they typically associate them with C-Level employees. And while they indeed are high-value, they aren’t the only ones or the most opportune ones. 

Your level of access as an office manager makes you a prime target. Office managers usually have access to a lot of sensitive data—things like invoices, billing information, and personnel data. Additionally, regular parts of your job duties make you a target—especially if you handle things like billing, shipping, and receiving. 

Fake invoice notifications and shipping notifications are two of the most popular forms of phishing. These types of phishing emails are typically used to spread ransomware or steal your login credentials.

If you get a suspicious-looking email like this and need to check it, don’t open any attachments or click on any links. Instead, open your browser and go to the website to log in from there. 

You can also try calling, but make sure you are calling a number you know is a valid phone number. Phone numbers can easily be faked in emails.

7. Phishing Scams Can Happen Over The Phone

These phishing attempts can sound like anything, but they almost always involve someone trying to get sensitive information or money from you.

Most of the scams involving money are people imitating an authority figure or a company telling you something is wrong and that they need money to make it right. More often than not, these people will ask you to pay over the phone. 

Oftentimes, the payment requests come in the form of gift cards. Some popular variations include:

  • An entity pretending to be Google, saying there’s something wrong with your Google Maps listing (Google will not call you for this)
  • Someone claiming to be Microsoft and saying you are in the process of being audited (Microsoft does periodically audit companies, but they typically don’t call—check in with your IT or MSP for this one)
  • Someone claiming to be the IRS or a local law enforcement agency, saying your company (or you personally) owe a fine and if you don’t pay, you’ll be arrested

Sometimes, they’re trying to trick you out of information, rather than trying to trick you out of money. These scams can be more difficult to spot. Another common scenario is the scammer pretending to be a mortgage company and asking you to “confirm” an employee’s social security number and employment status (do NOT give out this information).

8. Double-Check Before You Pay Anything—Even Regular Bills

If you process wire transfers for your company, you must have a strict policy for how each invoice will be requested and paid. A common way for bad actors to steal money is to pose as an upper-level executive and request an urgent wire transfer from a lower-level employee through email. It’s a social engineering ploy to get you to act without thinking.

Even the simple act of paying your vendors has an element of risk. Cybercriminals are now targeting regular invoice payments by pretending to be vendors and telling real customers that their usual payment method has changed. Then, they’ll send a new link (like an ACH payment or new credit card link) and tell the customer they need to pay their invoice.

If someone is telling you to use a new link to make a payment or requesting an urgent wire transfer, always get a voice confirmation first—no exceptions, no matter how urgent the request appears.

9. Having the Right Cyber Security Tools and An Abundance of Caution Is Essential

A big chunk of an office manager’s responsibility is to act as a gatekeeper. You hold access to upper-level management in your organization and possess the keys to sensitive data. In cyber security, the gatekeeper role also means playing a large role in keeping your company safe.

You will need to exercise caution and be more suspicious than the average person. At times, this may feel ridiculous and potentially unhelpful. But cybercriminals know that most people just want to do their job as efficiently as possible and to help others when asked (remember social engineering?). The extra few minutes it takes to verify a simple request can be what saves you and your company thousands, if not millions, of dollars.

Talk to your IT team or MSP and your leadership team about putting the right tools in place to help with cyber security. Multi-factor authentication is a must to protect your and your coworkers’ accounts, even if a cybercriminal cracks the password. If your company uses Microsoft 365, implementing a service like Microsoft 365 Advanced Threat Protection can help reduce the number of malicious emails that get to you.

Next Steps

Managing cyber security in the office can seem like a daunting task, but collaborating with your IT department or the right managed service provider can bolster efforts to keep your company’s data safe and increase your visibility as a go-to resource in the office. Contact us if you’d like to learn more about ways to optimize your cyber security.
