With work-from-home at an all-time high, it is more important than ever to reinforce your cybersecurity protocols with your employees. If you haven’t thought about this before, or have been too intimidated to take on the task, it is best to start with something simple.
One of the best means of increasing cybersecurity awareness across your company is to make sure everyone is aware of the basics. The more you raise awareness and communicate about the issues, the more cybersecurity becomes part of your corporate culture.
One of the most basic cybersecurity attacks is one I’m sure everyone has seen (or should have): phishing.
Phishing is a cybercrime in which targets are contacted by email, telephone, or text message by somebody who is posing as a legitimate contact to lure the target into revealing some information or opening some document designed to cause harm. The fake legitimate-looking contact is posing as a company vendor, a co-worker or supervisor, a family member, or anyone else you might otherwise place in a position of trust.
How Phishing Works
Often the target gets an email or text message which seems to be from someone they know, and the message asks the target either to click on a link or to send a password, a bank account number, or other sensitive or personal information.
The message is often designed to put the target under some pressure (such as getting information back to your boss, helping reopen a locked account, etc.). The message is that either something urgent is needed, something bad has happened or is about to happen, or, if you do not act, you will lose an opportunity for something good. Some urgency, pressure, or need to help a person in authority is in play in almost every phishing scam.
If the target clicks on the provided link, scammers can install ransomware or other programs. They can take control of your machine and download a host of sensitive information.
You can be locked out of your machine and you can put at risk your company’s entire network.
The communication looks real at first glance, but upon closer inspection, some flaws begin to emerge.
Remember, it is not that difficult to emulate logos, to create fake email accounts, or pretend to be someone the target would know.
What You Can Do
With a little training and general awareness, most people can learn to spot a scam. The key is to be sure that the target knows phishing scams are happening and knows what to look for. There are several things anyone can do to uncover phishing scams. These include:
- Check it out. The suspect email provides a phone number or email address to contact.
  - Do not assume any information in an alert email is accurate. Look it up on your own. Another simple trick is to hover the cursor over the sender’s name or address; most email programs will then show the actual email address of the sender. Compare that to the email address you would expect. Is it the right name? Is it being sent from the same company that claims to be sending the email? Is the extension one you would expect (e.g., is it from the .com extension that you know the company has, or does it perhaps say .co instead?)
- Talk to someone. Get a second pair of eyes on anything questionable. They may see something you don’t, or have experience or knowledge about the supposed sender that you don’t. Two minds are almost always better than one.
- Use another means of contacting the sender. I received a text last week from someone I hadn’t heard from in over a year. They were asking about a family member. Instead of responding, or ignoring the person altogether, I knew that I was friends with this person on social media and reached out to them through a different platform, asking if they had texted me. The same thing works if you get an email from a vendor that seems questionable: pick up the phone and give them a call.
  - A good habit is to move away from the means of communication used in the suspect contact. Do not send a reply email; pick up the phone and make a call. By the way, never use a phone number listed in the questionable communication; look it up independently.
- Give the email in question a careful read. Look for unusual grammar, misspellings, generic greetings, strange signature blocks (lacking information, for example), suspicious attachments (“Your invoice is attached”), or threats (“respond or we will block your account”).
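The sender and wording checks above can be turned into a simple triage script. This is an added example, not code from the article or from PS Solutions; the trusted-domain allow-list, the lookalike-TLD table and the sample messages are all constructed assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of domains you genuinely expect mail from (assumption)
TRUSTED_DOMAINS = {"acme.com", "pssolutions.net"}
# TLDs easily mistaken for .com, the .co-for-.com swap the article mentions
LOOKALIKE_TLDS = {"co": "com", "cm": "com", "om": "com"}
# Content cues from the article: pressure, generic greeting, attachment bait
URGENCY = ("urgent", "immediately", "within 24 hours", "will be blocked", "will be suspended", "locked")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam", "hello,")
ATTACHMENT_BAIT = ("invoice is attached", "see attached", "open the attachment")

def sender_domain(from_header):
    """Real address domain from a From: header, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Flag a sender whose address domain is not one we expect."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain in trusted:
        return []
    flags = []
    # Display name invokes a trusted company but the address is somewhere else
    for t in trusted:
        company = t.split(".")[0]
        if company in name.lower():
            flags.append(f"display name mentions {company} but address is @{domain}")
    # Same label with a lookalike TLD: acme.co standing in for acme.com
    if "." in domain:
        label, tld = domain.rsplit(".", 1)
        expected = f"{label}.{LOOKALIKE_TLDS.get(tld, '')}"
        if expected in trusted:
            flags.append(f"lookalike domain {domain} (expected {expected})")
    return flags or [f"unrecognised sender domain {domain or '(none)'}"]

def check_body(body):
    """Flag the wording cues the article lists."""
    text = body.lower().strip()
    flags = []
    if any(p in text for p in URGENCY):
        flags.append("urgency or threat language")
    if any(text.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(p in text for p in ATTACHMENT_BAIT):
        flags.append("attachment bait")
    return flags

def assess(from_header, body):
    """All flags for one message; an empty list means nothing stood out."""
    return check_sender(from_header) + check_body(body)
```

A hit from this script is a prompt to verify through another channel, as described above, not proof of fraud.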
Once most people have seen a few of these, spotting the next one becomes much easier. As you get more experienced, the letters JDLR become more relevant to you when something “Just Doesn’t Look Right”.
How to Protect Yourself & Your Business
You can dramatically increase company security by doing the following:
- Back up your data. A lot of fairly “simple” things can be done that help quite a bit. First and foremost, you should have a system that regularly backs up your data (and make sure that those back-ups are not done through the network). In case you fall victim to a phishing attack and hackers access your network, having an off-site, preferably cloud-based back-up will allow you to restore your data.
The back-up also needs to be a regular part of your routine business operations. Schedule daily (middle of the night) back-ups and make sure they run.
How much has your business changed in the last month? Would a back-up with data that is a month old be helpful? How much would you have lost in the interim? How many new employees did you hire? Payroll information? Taxes? New accounts? Thirty days is a long time when it comes to data.
Daily back-ups can be easily accomplished and set to run automatically. Better still, once you create the daily back-up system, regular checks need to confirm they are actually taking place. Often your system administrator can get an email confirming that the daily back-up has taken place. Make sure those emails are being read and confirmed by more than one person. We know of an instance where the admin was getting the emails and not reading the actual email. Had he done so, he would have seen that the emails were telling him the back-up had failed. Sure, the email titles should have raised a better alert, but the warning was delivered and was ignored. Suggestion: the network administrator’s supervisor should regularly ask to see the emails just to confirm. The administrator is more likely to stay on top of things when he or she knows that the supervisor is going to ask about it regularly.
- Keep all security up to date. Make certain that all machines (desktops, laptops, connected smartphones, tablets, etc.) are receiving and installing the latest software updates and patches. Everybody hates that an update is downloading and taking up valuable time (though people always complain the most when it happens as they are leaving work, not as much when it happens at the beginning of the day). Often the updates are adding or improving security features created because of attacks on other victims. Some updates happen automatically; some must be set up and scheduled.
- Also consider email authentication, intrusion prevention software, and other security features that make phishing all the more difficult to accomplish.
- Alert your staff. By regularly talking about phishing and cybersecurity, it becomes part of the culture, and your protection improves naturally.
- There are plenty of education and testing services that help you to keep getting the message out and making it fresh.
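The back-up section above warns against trusting that a back-up ran just because a confirmation email arrived. The following added example (not code from the article or from PS Solutions) checks the back-up directory itself: it reports whether the newest back-up file is both recent and non-empty, so a supervisor can run it independently of the administrator’s inbox. The directory path, the 24-hour limit and the file entries in the test are constructed assumptions.

```python
import os
import sys
import time

# A daily schedule means anything older than this is a missed run (assumption)
MAX_AGE_HOURS = 24

def backup_status(entries, now=None, max_age_hours=MAX_AGE_HOURS):
    """entries: iterable of (name, mtime_epoch_seconds, size_bytes).
    Returns (ok, message) judged on the newest entry only."""
    now = time.time() if now is None else now
    entries = list(entries)
    if not entries:
        return False, "FAILED: no backup files found"
    name, mtime, size = max(entries, key=lambda e: e[1])
    age_h = (now - mtime) / 3600
    if size == 0:
        # A zero-byte archive is the classic sign of a job that died mid-run
        return False, f"FAILED: newest backup {name} is empty ({age_h:.1f}h old)"
    if age_h > max_age_hours:
        return False, f"FAILED: newest backup {name} is {age_h:.1f}h old (limit {max_age_hours}h)"
    return True, f"OK: {name} written {age_h:.1f}h ago, {size} bytes"

def scan_backup_dir(path):
    """Collect (name, mtime, size) for every regular file in the backup directory."""
    with os.scandir(path) as it:
        return [(e.name, e.stat().st_mtime, e.stat().st_size) for e in it if e.is_file()]

if __name__ == "__main__":
    # Usage: python backup_check.py /path/to/backups  (exit code 1 on failure)
    backup_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/backups"  # assumed default
    ok, msg = backup_status(scan_backup_dir(backup_dir))
    print(msg)
    sys.exit(0 if ok else 1)
```

Running it from a scheduler with a non-zero exit code alerting a second person gives the independent confirmation the article recommends.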
It’s important to remember that in a work-from-home environment that is currently growing at unprecedented levels, a lot is changing in how employees communicate.
That change can create vulnerabilities in your systems. However, you can turn that vulnerability into an opportunity by using it as an ideal time to step up your cybersecurity education and awareness programs.
_____
Wayne Hippo is an owner and Managing Partner of PS Solutions, a software development and consulting firm with offices in Altoona, PA, Pittsburgh, PA, and Wilmington, NC.
You can reach Wayne at whippo@pssolutions.net