Train Employees to Avoid Inadvertent Cyber-Security Breaches
How much do you know about cybersecurity? Small business owners often lack the resources to enact a strong defense against cybercrimes and take for granted that their IT systems are relatively safe.
To better understand some of the common ways employees can unwittingly become a conduit for hackers, take the following quiz. This quiz was adapted from a resource offered as a public service by AFCEA, a not-for-profit association of data security professionals.
True or False
1. Mobile applications downloaded from major brand online stores are generally safe.
False: These stores may try to vet mobile applications for malicious behavior, but there’s no guarantee they’re safe. Some online stores may not assess the legitimacy of an app at all, or not adequately.
2. The address or URL you see in the link is always the actual website to which you’re being directed.
False: Masking the real website address in links is a common way cybercriminals use to fool unsuspecting victims into visiting malicious websites. To see where a link actually leads, let your mouse hover over the link without clicking on it.
3. What you or your employees do on social media could have a negative impact on you or your organization.
True: Identity thieves, robbers and other criminals are adept at piecing together data bits from various social media sites, and using the information to plan online and physical attacks.
4. Your vendors maintain strict cybersecurity procedures.
Possibly false. In other words, don’t count on it. When choosing vendors, ask how they protect their networks and train employees, and what kind of background checks they perform. Some of the large companies that have been recently hacked were infiltrated after thieves first broke into the databases of their vendors.
5. Most links to “phishing” websites are now sent through social media instead of through spam emails.
True: Social media is now the preferred phishing hole. Let’s say your employee, while on a company computer, visits a social media site and clicks a link that appears real, but which actually connects to a phishing website. That action may open a door that allows malicious software to be downloaded onto your computer, or which may be used to steal the employee’s username and password. This in turn can enable criminals to break into your system.
All it takes is for one employee to click on the wrong link and your business could be in jeopardy. Because the payoff from a successful intrusion can be large, attackers have a powerful motivation to keep trying. To guard against security issues and minimize risk, here are some tips to share with your staff.
- Realize that a familiar logo may be a copy used to create a facade of credibility. Phishers can easily cut and paste graphics from legitimate websites to make the email appear genuine.
- Be wary of unexpected messages, for example an email containing a fake purchase confirmation. The message directs the user to click a link “for more information.” Such links and attachments may let thieves capture your passwords or install malware on your computer.
- Know that personal details about you in an email don’t necessarily indicate the sender is legitimate. Determined cybercrooks are patient. They gather information about you and use it to create the illusion of familiarity and win your trust.
- Check whether the sender’s address and name match those of the alleged sender. A common tactic is to register a domain that slightly misspells the real one or adds extra letters; an unwary eye might not notice the variation. Look at the actual email address, not just the display name, which a sender can set to anything.
- Phishers often use threats or warnings to make you respond quickly without taking a moment to consider the legitimacy of the email. A common scam is to tell the recipient an account will be locked for nonpayment unless immediate action is taken.
- Notice the mechanics of the message. Internet crooks aren’t known for their ability to spell or use grammar properly. They generally don’t employ proofreaders. Here’s an example from an actual scam message, which ended with this call to action: “please clicking on reply.”
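Two of the tips above (hovering to compare a link’s visible text with its real destination, and checking the sender’s actual address for a lookalike domain) can be automated. The following is an added example, not part of the original article or any AFCEA resource: it parses a constructed phishing email, flags anchors whose visible text names a different host than the href, and flags a From: domain that is a near-miss of a domain on an assumed trusted list. The trusted domains, the sample message and the similarity threshold are all assumptions for illustration.

```python
"""Flag two common phishing indicators in an email message (added example).

1. A link whose visible text shows one address but whose href points elsewhere.
2. A From: address whose domain is a near-miss of a domain we actually trust.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of domains the business really deals with (illustrative only).
TRUSTED_DOMAINS = {"example-bank.com", "example-supplier.com"}


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_host(url):
    """Host part of a URL, lower-cased, with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def masked_links(html):
    """Return (text, href) pairs where the text looks like a URL for a different host."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for text, href in parser.links:
        # Only compare when the visible text itself looks like a hostname or URL.
        if "." not in text or " " in text:
            continue
        shown = text if "://" in text else "http://" + text
        if registrable_host(shown) != registrable_host(href):
            suspicious.append((text, href))
    return suspicious


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` imitates, or None.

    Exact matches and legitimate subdomains (mail.example-bank.com) are accepted.
    A near-miss (examp1e-bank.com, example-bankk.com) scores high on edit
    similarity without being equal, which is exactly the trick the tip warns about.
    """
    domain = domain.lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    best, score = None, 0.0
    for good in trusted:
        ratio = difflib.SequenceMatcher(None, domain, good).ratio()
        if ratio > score:
            best, score = good, ratio
    return best if score >= threshold else None


def phishing_indicators(raw_message):
    """Parse an RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # The display name is ignored on purpose; only the real address is examined.
    _name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2]
    imitated = lookalike_domain(domain)
    if imitated:
        findings.append(f"From address {addr!r} resembles trusted domain {imitated!r}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in masked_links(body.get_content()):
            findings.append(f"link text {text!r} but href points to {href!r}")
    return findings


# Constructed sample message for demonstration; not a real email.
SAMPLE = """\
From: Example Bank Support <support@examp1e-bank.com>
To: employee@smallbusiness.example
Subject: Your account will be locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked for nonpayment unless you act now.</p>
<p>Visit <a href="http://example-bank.com.evil.example/login">www.example-bank.com/login</a>
or <a href="https://www.example-bank.com/help">example-bank.com</a> for more information.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("WARNING:", finding)
```

Run against the sample, the script reports both the lookalike sender domain and the first link, while the second link (text and href on the same host) passes. The similarity threshold is a judgement call: set it too low and legitimate partners with short domain names get flagged, set it too high and a single swapped character slips through.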
Cyber Tips for Road Trips
Employees who travel for work need to be on high alert for hacking attempts. This is especially true when they travel to a country where government or commercial actors actively seek out commercially sensitive data.
Don’t expect any protection from hackers — including the government of the country you are visiting. In some countries, you can assume there’s a good chance your digital communications will be monitored.
If you think there may be a high degree of risk, take only essential digital devices. For the devices you do take, back up all sensitive data and then delete it from the device before you leave. Use full-disk encryption, set strong passwords and make sure the operating system and all applications are up to date. You can also register for the U.S. Department of State’s “Smart Traveler Enrollment Program” to receive travel alerts for your destinations.
Safe but not Secure
Never assume your digital equipment is secure just because it’s locked in a hotel room safe. Hotel safes can be opened by certain hotel employees, so anyone on staff who is determined to steal data from you can get at the device.
Public computers in business centers, Internet cafés and kiosks are anything but secure, and shouldn’t be used for any sensitive business or personal communications.
When you get home, be sure that your antivirus software is current and run a full system scan. It might also be wise to change all your passwords and throw away any removable media you bought or used on the trip.
Assume the Worst
When it comes to the security of your company’s databases, you can’t be too careful. In the interest of safety, you need to assume mistakes will be made. That’s why it’s critical to go over computer security issues with your staff regularly, alerting them to new scams and providing tips for avoiding them.
Consult with Professional Advisors
Jill has been with Lumsden McCormick for nearly 15 years, joining the Firm upon graduating with honors from the University at Buffalo. She is a principal in the auditing and accounting department performing attestation services. While her focus has been in the health care industry, Jill has a broad range of skills applicable to commercial enterprises. She has an understanding of the underlying concerns all businesses face related to technology controls and data security and is certified in fraud prevention, detection and deterrence. Her ability to perform audits and risk assessments has only been enhanced by her certification as a Certified Fraud Examiner (CFE) by the Association of Certified Fraud Examiners and as a Certified Information Technology Professional through the American Institute of Certified Public Accountants (AICPA). Jill is a member of the AICPA, the New York State Society of Certified Public Accountants (NYSSCPA), the NYSSCPA Technology Assurance Committee, the Association of Certified Fraud Examiners (ACFE) and the Information Systems Audit and Control Association (ISACA).