Protecting your clients and your business
As the current level of staff turnover remains high across most industries, we thought it would be a good idea to look at how you can continue to protect your clients and your business reputation by carrying out some basic steps. This is not about GDPR – by now most agents are fully aware of their responsibilities as far as Data Protection is concerned – this is about having some basic procedures in place to protect your business.
Therefore, in no particular order, here are 5 things you should have baked into your business:
1. Individual user logins
As an owner, you need to set the right tone from the start.
It may seem over-the-top but, as tempting as it is to allow staff to use one of their colleagues’ usernames and passwords, it sets a very bad precedent. If it’s OK to use someone else’s credentials to edit a mobile number, maybe it’s OK to do the same for bank account details?
By letting staff share login details you immediately lose sight of who’s doing what on your systems and open the potential for landlord and tenant details to be copied or in the worst case used to carry out identity theft.
Software providers recommend changing your password every 60-90 days. We know it’s impossible to set and remember strong, unique passwords for every different system in your life, which is why we recommend using a password manager.
A password manager stores all of your passwords for you – you only need to remember one to gain access. It also helps you generate new, random secure passwords – so no more Fido123!
Regular password updating – Fix a regular date in the calendar (maybe the first day of every quarter) so people get into the habit of doing it cyclically.
3. Offboarding policy
Whether it’s a planned exit or one that comes out of the blue, it’s essential to update your systems as quickly as possible when a member of staff leaves. Keeping a record of who has access to what makes this an easy process when the time comes.
In the case of a staff member working out their notice, it’s probably worth limiting their access to certain confidential information as long as it doesn’t affect the ability to do their job while they’re still with you.
As well as logins to bank accounts, the software system and credit referencing portals, this process may also need to stretch across various other things connected to the individual. The higher the staff turnover levels in your company, the more important this process becomes.
4. Keeping offline documents secure
Despite all this paperless technology, you will probably need to keep certain client information in hard copy. If you have photocopies of passports, utility bills, bank statements, or anything else that could theoretically be pieced together to steal someone’s identity, you must make sure these documents are stored somewhere safe and secure and never left out on a desk.
When you no longer have a legitimate reason to hold on to documents then return originals and securely shred copies.
Research shows* that at least 82% of cyber security attacks have been caused by human error, particularly through phishing scams. For example, cybercriminals pretending to be from a business’s IT department will get an employee to hand over all sorts of security information under the pretext of fixing an error on their PC. Another phishing method is to send an email from what looks like a reputable or recognised company to trick the recipient into installing malware by clicking on a malicious link or opening an unknown attachment. Examples include emails with quotes attached or with a link to an unknown website, etc.
Ultimately the most valuable defence against phishing and other cyber-attacks that prey on human error is training. Make sure your staff are aware of the dangers and who to contact if they have any doubts about a caller or an email.
Providing regular training opportunities in general is also a good way to show that you are interested in your employees’ future, and therefore reduce the likelihood of them wanting to leave.
Human error is unavoidable, but there’s no excuse for bad processes or a lack of contingency plans. No individual should have more control than they need over certain areas of your business records. Always have at least a basic backup plan in case someone is unavailable or decides to leave.
[* source: 2022 Verizon Data Breach Investigations Report]
* * *