Business Security Threatened by Staff

What Do You Need to Know About Business Security?

You need to know as much as possible about business security even if you don’t own a business. As an employee, you can be a part of the business’s security! These tips are even useful for the general public, to make sure they aren’t being targeted by hackers and scammers. As long as people use e-mail, cyber-attacks will continue to occur. Here are some of the methods many cyber-attackers use to get at your company or personal information:

Employees and E-mailing as a Vulnerability

How do staff threaten business security through phishing? Phishing is the cyber-criminal’s favorite tool, applied to our most frequent form of communication – e-mail. In its 2016 Internet Security Threat Report, Symantec estimates there were a staggering 190 billion emails in circulation during 2015. As long as email reigns supreme, expect cyber criminals’ email attacks to continue. You’ll need to educate yourself and your employees if you hope to stay one step ahead of this threat.

Dangers of Social Engineering

Imagine your accounting staff received an email labelled accounting, asking them to open and review an attached file. The email comes straight from the chief operating officer’s email address! The body of the email addresses the employee directly, and there are no obvious signs that anything is wrong. The employee opens the attached file and clicks on the PDF. Just like that, a cyber criminal has found a way into your servers with an encryption virus. From that point, the malware compromises your company’s file server, and the criminal demands a large ransom to decrypt your files.

This is an example of a spear-phishing attack, a sophisticated form of phishing in which the cyber criminal tricks the employee using a personalized email. The fact of the matter is, criminals are getting better at their craft. They collect publicly available information from social media and company websites to learn more about you and your staff. Every bit of information helps them customize their malicious emails and make these messages appear more legitimate.

Business security is important. The attackers are very clever, but you can outsmart them at their own game. Make sure your employees are not a security threat!

Social Engineering is nothing new

“This isn’t a new phenomenon,” Chartrand says. “The only difference is the technology used. As a veteran during the Cold War in Germany before the internet, the Russian intelligence community would collect information on me and my fellow soldiers in Baden-Baden. They did this one piece at a time by paying local dentists, lawyers, doctors and vendors for it, as well as in person at carnivals, shopping centres, and guest houses. This procedure was painstakingly slow and took years of hard work and lots of expensive resources.” The internet sped this process up dramatically and made it much cheaper and easier.

Instruct your employees to always think before clicking or downloading links and materials – especially PDF files. If they’re not sure about an email, call the sender or email them and confirm.

Creating a False Sense of Urgency

Another spear-phishing tactic is to push the recipient into an urgent situation that forces a quick decision. Train your staff to remain cautious about clicking on links, especially when the sender creates a sense of urgency in the message. Be suspicious of emails that suggest you must “act now”, since cyber criminals frequently tap into this vulnerability. Employees should keep a sharp eye out for misspellings or slight differences in the sender’s domain address. Remember, the direct approach is best: contact the sender offline to confirm the claims are true.
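
The two cues described above, urgency wording and a sender domain that differs slightly from one you trust, can also be checked mechanically before a message reaches staff. The following is an added example, not part of the original article; the trusted domain list, the phrase list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: your own trusted domains and urgency phrases.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
URGENCY_PHRASES = ("act now", "immediately", "urgent", "within 24 hours")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message deserves an offline check with the sender."""
    msg = message_from_string(raw_message)
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        # One or two edits away from a trusted domain suggests a lookalike address.
        near = [t for t in TRUSTED_DOMAINS if 0 < edit_distance(domain, t) <= 2]
        if near:
            reasons.append(f"sender domain {domain} resembles {sorted(near)[0]}")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    hits = [p for p in URGENCY_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", text)]
    if hits:
        reasons.append("urgency wording: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real mail).
LOOKALIKE = "From: COO <coo@examp1e.com>\nSubject: Invoice\n\nYou must act now and open the attached file."
NORMAL = "From: COO <coo@example.com>\nSubject: Lunch\n\nSee you at noon."

if __name__ == "__main__":
    print(triage(LOOKALIKE))
    print(triage(NORMAL))
```

A message that returns any reason is a candidate for the offline confirmation step; an empty list does not prove the message is safe.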

Addressing the Threats

According to the Anti-Phishing Working Group’s (APWG) Q1 2016 Phishing Activity Trends Report, there were more phishing attacks in the first quarter of 2016 than in any other three-month period since the organization began tracking data in 2004. The organization also observed an overall 250% increase in the number of phishing websites from October 2015 to March 2016. It’s critical for business owners and employees to take proactive measures.

An Ounce of Prevention is Worth a Pound of Cure


Prepare a phishing exercise to test your company’s knowledge and attack preparedness. This low-risk approach invites conversation with your staff and provides an opportunity for education, awareness, and training.

This Real Life Business Security Experiment Will Test Everyone:

Purchase half a dozen inexpensive shiny USB sticks and copy a Word document onto each one stating something like, “You have just compromised this company and its security, this stick may have contained an encryption virus, please contact ….” Then throw the USB sticks on the ground in front of your business and see who inserts a stick into their work computer and reads the document.

Set Standards Around Sharing:

Some staff might not be aware of which information, such as middle names, birthdays, and company and personal information, is unsafe to share via e-mail or in a restaurant. No one should ever reveal personal or financial information, even if the sender is legitimate. Never share passwords, regardless of the situation.

Think Before You Click:

Train staff to exercise caution and to be suspicious of clicking on links or opening attached files. When in doubt, call the sender directly to double check. Have Adblock Plus installed on all computer browsers so that you can limit pop-ups and possible temptations.

Remember Security Awareness Training Is Essential for Small Businesses

E-mail attacks will continue as long as businesses use email to communicate. Encouraging employee education and raising awareness empowers us all to play a role in preventing criminals from exploiting company or personal information.

Mike Chartrand C.E.T. is a security consultant at A laptop Shoppe in Calgary, Alberta. He started his career in 1979 in the Air Force and subsequently served during the Cold War in West Germany. Chartrand developed his business which started in 1994 in Calgary. For more information or security implementation in your business feel free to call Mike at 403-274-5190.