This year started off with a bang when it comes to cyber attacks. No one was immune, and attacks on businesses will almost certainly become more frequent in the coming years. That is one of the downsides of advancing technology, but there is no need to panic. Although attacks will keep getting more sophisticated and more frequent, the steps you can take to mitigate them are fairly simple and effective. You just have to implement them now.
Educate Your Employees
One of the most effective things you can do to help prevent a cyber attack on your business is to educate your employees. According to IBM’s 2014 Cyber Security Intelligence Index, human error was a contributing factor in 95% of the security incidents IBM investigated. Attackers count on uninformed employees responding to, or acting on, their attempts to get at your company’s sensitive data. Educating your employees on security protocols and procedures is the single most important thing you can do to protect your business from cyber attacks and security breaches.
The first part of this education is a password policy. Current guidance from security experts puts length ahead of forced complexity: require at least 12 characters, with longer passphrases encouraged, rather than insisting on a particular mix of capitals, numbers and symbols. Passwords must not contain ‘guessable’ information such as a date of birth, nickname, pet name, or a common word spelled backwards; an attacker who knows a little about the employee, or who simply runs a word list, will try all of these in seconds. Also reject passwords that appear on lists of commonly used or previously breached passwords, require a different password for every account (a password manager makes this practical), and turn on multi-factor authentication wherever it is offered. Enforcing these rules automatically at the point where passwords are set or changed, rather than asking employees to remember them, is what stops cyber criminals from helping themselves to your company’s sensitive data.
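As an added example (not part of the original article), here is what such a policy looks like when it is enforced in code rather than left to memory. It is written in Python; the 12-character minimum, the short list of common passwords and the sample employee details are constructed assumptions standing in for your own policy, a real breached-password list and your directory data:

```python
"""Password policy check: length first, no common or breached passwords, and
nothing an attacker could guess from what they know about the employee.
Example code written for this article, not the article's own tooling."""
import re
import unicodedata
from datetime import date

MIN_LENGTH = 12   # assumed policy minimum; longer passphrases are encouraged
MAX_LENGTH = 128  # allow long passphrases but bound the input

# Constructed stand-in for a real list of commonly used / previously breached passwords.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin123", "iloveyou", "sunshine", "football",
}

# Constructed employee record: what an attacker could plausibly learn about Jane.
EXAMPLE_EMPLOYEE = {"name": "Jane Doe", "nickname": "Janie", "pet": "Fluffy",
                    "company": "Acme", "dob": date(1985, 4, 23)}


def normalize(text: str) -> str:
    """Lower-case and keep only a-z and 0-9, so 'Fluffy!' compares equal to 'fluffy'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return re.sub(r"[^a-z0-9]", "", decomposed.lower())


def dob_tokens(dob: date) -> set:
    """Digit strings an attacker would try for a known birth date (YYYYMMDD, MMDDYY, year ...)."""
    y, m, d = f"{dob.year:04d}", f"{dob.month:02d}", f"{dob.day:02d}"
    return {y + m + d, m + d + y, d + m + y, m + d + y[2:], d + m + y[2:], y, m + d, d + m}


def check_password(password: str, personal: dict, common: set = COMMON_PASSWORDS) -> list:
    """Return the policy violations found; an empty list means the password is acceptable.

    `personal` may hold "name", "nickname", "pet", "company" (strings) and "dob" (date).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    norm = normalize(password)
    if password.lower() in common or norm in common:
        problems.append("appears on the common/breached password list")

    # Guessable tokens: words from the employee's details plus date-of-birth formats.
    tokens = set()
    for key in ("name", "nickname", "pet", "company"):
        for word in personal.get(key, "").split():
            token = normalize(word)
            if len(token) >= 3:          # skip initials and very short fragments
                tokens.add(token)
    if personal.get("dob"):
        tokens |= dob_tokens(personal["dob"])

    for token in sorted(tokens):
        if token in norm:
            problems.append(f"contains guessable personal information ({token!r})")
        elif token[::-1] in norm:
            problems.append(f"contains guessable personal information spelled backwards ({token!r})")
    return problems


if __name__ == "__main__":
    for candidate in ("Fluffy1985!!", "yffulF-2024-rocks", "Password1",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, EXAMPLE_EMPLOYEE) or 'OK'}")
```

The check normalizes both the password and the personal details before comparing, so punctuation, capitalization and accents do not let ‘Fluffy!’ slip past a rule against ‘fluffy’, and it looks for each token spelled backwards as well as forwards. Plug it into whatever sets passwords (directory policy hook, web form, help-desk script) so a violation is rejected at the moment of change.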
The second part of employee education is teaching your employees how to distinguish suspicious emails from those that actually come from reliable sources. Cyber criminals are getting increasingly sophisticated at making their phishing emails look legitimate, and ongoing education about new attack methods is essential to keep your business from falling victim to them. When educating your employees on detecting suspicious emails, there are several tell-tale signs to make known to them.
- Spelling and Grammar Errors: This is one of the most common giveaways in phishing emails, yet many people overlook it. Phishing emails are often written by non-native speakers or run through machine translation, and misspellings and broken grammar are the result. This is especially telling when the email is supposedly from a large corporation or a Federal agency: messages from organizations like that normally pass through several sets of eyes for proofreading and legal review before they go out. Spelling or grammar errors in such an email are a good sign that this did not happen, and therefore that the email is unlikely to be from the organization it claims to be from. Teach your employees to watch for these two things and they will weed out a good share of suspicious emails. The reverse is not true, though: a well-written email can still be a phish, so treat this as a filter rather than a guarantee.
- Incorrect/Tricky/Mismatched URLs: Cyber criminals are sneaky, and they count on the recipients of their phishing emails being trusting and not very detail-oriented. Many phishing emails contain a link they want the recipient to click. The text of a link can say anything at all; what matters is the address it actually points to. On a desktop mail client, hovering the mouse over the link shows the real destination in a tooltip or the status bar. If the text shows one address and the real destination is another, the recipient very likely has a malicious or fraudulent email on their hands, and it should be reported and deleted. Mobile mail apps often offer no hover preview, so the safe habit on a phone is not to tap the link at all and to reach the site by typing its address instead. Tell your employees not to click on the link!
- Misleading Domain Names: Cyber criminals love to register domain names that look close to a real one but are nothing of the sort. Most people know that www.apple.com is Apple’s website and trust any link that contains the word Apple. Phishers know this too, so they register a domain such as fakedomainname.com and create a host under it named www.apple.fakedomainname.com. Many recipients only see the part that says apple and never read further, but the piece that identifies who owns a site is the part immediately before the top-level domain: apple.com belongs to Apple, fakedomainname.com does not, and whoever owns fakedomainname.com can create as many ‘apple’ subdomains as they like. Look-alike spellings, such as a letter swapped for a similar-looking digit, work the same way. Teach your employees that if they ever see something like this they should not click the link and should report it to the IT department immediately.
- Generic Greetings: Although some cyber criminals are getting a little more sophisticated on this one, many still start their phishing emails with a generic greeting like ‘Hello’ with no personalization or formality at all. Teach your employees to study the greetings in these emails. If they do not seem right for the place or person it’s coming from then err on the side of caution and delete or report the email to the IT department immediately.
- Asking For Personal Information: People who send phishing emails want one thing and one thing only…access to information that they don’t currently have and the only way to get it is to con the recipient into giving them their personal information. Teach your employees that banks and other reputable companies and agencies will NEVER ask them to send their personal information like passwords, credit card numbers, security question answers, social security number, or account information via email, text, or by entering it into a website that is referenced in the email. The best thing to do when in doubt here is to call the company or agency that the email is supposedly from and ask them if they sent the email to you. Do not use the phone number, website link, or email address in the suspicious email to verify this information. Instead find the information by looking at personal correspondence or looking it up online.
- The Offer Is Too Good To Be True: Most people are hip to this one by now but there are still some that may fall victim so this one should still be touched on. If something is too good to be true, it most likely is. It is highly unlikely that any of us have a rich uncle that just died in a foreign land that left all his money to us. Don’t respond to and don’t take any action on these type of emails. They are classic phishing emails and should be deleted or reported to the IT department immediately.
- The Recipient Didn’t Initiate The Action: Many phishing emails will state that the recipient needs to do something to complete an action that they supposedly initiated previously. The email will say the recipient has won the lotto, needs to complete a loan application, or some other action. If the recipient has any doubts about whether or not they initiated some action, more than likely they didn’t. It’s just a lonely cyber criminal hoping the email recipient will blindly click and respond. Tell your employees not to fall for it.
- The Recipient Is Asked To Send Money To Cover Expenses: An unsolicited email that asks for money to be sent, whether to release a prize, clear a package through customs, or cover a ‘processing fee’, is fraudulent. This is a classic phishing move. Don’t respond, and report it.
- Makes Unrealistic Threats: The IRS or any other agency for that matter will not send anyone an email threatening them with imprisonment or fines if they don’t pay their past due balance. This is a classic intimidation technique used by phishing scammers leveraging the fear most people have for government agencies.
- Something Just Doesn’t Look Right: Teach your employees to trust their gut. If everything looks in order but they still just feel like something is off, have them alert IT for verification before responding to anything. It’s always better to be safe than sorry.
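To show the mismatched-link and misleading-domain checks above in working form, here is an added Python example (not from the original article). It pulls every link out of an email body, compares the text the reader sees with where the link really goes, and reduces each hostname to its registrable domain so that www.apple.fakedomainname.com is recognized as belonging to fakedomainname.com, not Apple. The sample email, the list of trusted brand domains and the short public-suffix list are constructed for the example:

```python
"""Link checks for the two URL tricks above: display text that points somewhere
else, and look-alike hostnames that merely contain a brand name.
Example code written for this article, not a tool the article describes."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands your staff deal with, and the domains those brands really own.
TRUSTED_DOMAINS = {"apple.com", "paypal.com", "examplebank.com"}

# Assumed subset of multi-label public suffixes. A real deployment would load the
# full Public Suffix List so that 'barclays.co.uk' is not reduced to 'co.uk'.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part that identifies its owner.

    www.apple.fakedomainname.com -> fakedomainname.com
    secure.barclays.co.uk        -> barclays.co.uk
    """
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_shown_in_text(text: str):
    """If the visible link text itself looks like a web address, return its hostname."""
    if "." not in text or " " in text:
        return None
    return urlparse(text if "://" in text else "//" + text).hostname


def analyze_links(html: str, trusted: set = TRUSTED_DOMAINS) -> list:
    """Return one finding per suspicious link: its text, its real target and why it was flagged."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for text, href in extractor.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue                       # mailto:, tel: and the like are out of scope here
        real_host = (target.hostname or "").lower()
        real_domain = registrable_domain(real_host) if real_host else ""
        reasons = []

        # 1. The text shows one address but the link goes to another (mismatched URL).
        shown_host = host_shown_in_text(text)
        if shown_host and registrable_domain(shown_host) != real_domain:
            reasons.append(f"text shows {shown_host} but the link goes to {real_host}")

        # 2. A trusted brand is named in the text or hostname, yet the link is not
        #    under that brand's own domain (misleading domain name / look-alike).
        haystack = f"{text} {real_host}".lower()
        for brand_domain in sorted(trusted):
            brand = brand_domain.split(".")[0]
            if brand in haystack and real_domain != brand_domain:
                reasons.append(f"mentions {brand!r} but belongs to {real_domain}")

        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed phishing-style email body used for the demonstration.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your Apple ID was used to sign in from a new device. Review the activity at
<a href="http://www.apple.fakedomainname.com/login">www.apple.com</a>.</p>
<p>Need help? Visit the <a href="https://support.apple.com/en-us">support page</a>.</p>
<p>Unpaid invoice: <a href="https://paypa1-secure.com/pay">Log in to PayPal</a> today.</p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(f"{finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the sample, the first link is flagged twice (the text says www.apple.com, the target is fakedomainname.com) and the PayPal link once (the text names the brand, the host does not belong to it), while the genuine support.apple.com link passes. The same logic works as a mail-gateway filter or as a training aid that shows employees exactly which part of an address matters.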
The third part of employee education is informing them of the company’s downloading protocol. If your business handles extremely sensitive data, you may want a policy that does not allow employees to download or install anything onto their computers unless they are specifically authorized; on company-managed computers this can be enforced technically, so that only approved programs will run, rather than left to goodwill. All it takes is one employee downloading something malicious by mistake and your company has a big problem on its hands. If your company does allow employees to download files and programs, make sure they are educated on how to tell which files are safe and which ones aren’t. Here are a few tips:
- Make sure all computers in your business have active, up-to-date anti-virus software. It scans files as they are saved and opened and quarantines anything it recognizes as malicious, warning the user. It is a safety net, not a guarantee: it will not catch everything, particularly malware that is brand new or tailored to your company.
- Make sure all programs and browsers are kept up to date. Out-of-date software has known holes that attackers exploit, often through nothing more than a visit to a compromised website or the opening of a malicious document, which exposes your company’s sensitive data to being stolen or corrupted.
- Make sure all users know what they can and cannot download. Be fairly strict about what your company allows employees to download; if it is not essential for doing their job, do not allow it. It is also wise to require employees to get permission from the IT department before downloading or installing anything, and to obtain software only from the vendor’s own website or your company’s approved source.
Consider The Possibility Of Internal Threats
Insider threats include not only malicious actions meant to harm your business but also human error and actions taken out of curiosity, where the user never realizes harm is being done. In a study by Friedrich-Alexander University in Germany, 78% of participants said they were aware of the risks of clicking unknown links in emails, yet a large share clicked anyway out of curiosity about the content. Actions like these, taken by your employees every day, are what create insider security risk.
Malicious insider actions also happen all the time and can be very hard to detect and mitigate, for several reasons: an insider attack can go unnoticed for years; it is hard to tell which actions are malicious and which are part of an employee’s regular work, because the insider is using access they were legitimately given; an employee can easily cover up their activity; and once an activity is detected it can be very difficult to prove intent, because the employee can simply say it was a mistake.
So why would your employees want to take part in corporate espionage or malicious activity? There are many reasons such as acting on an opportunity that will create personal gain for themselves, taking revenge for something that was done to them that they felt was unfair or wrong, making a political or social statement, being offered a deal they can’t refuse from a competitor, or they want to go out on their own so they steal data.
So what can you do to mitigate these issues and protect your company’s sensitive data? Although it’s impossible to stop all instances of malicious activity from happening, there are several things you can do to protect your business from insider cyber crime.
- Use Background Checks: The best way to mitigate insider cyber crime is by really knowing who you are hiring. Although there are no guarantees that a background check will filter all the baddies out, it will help you to eliminate the obvious con artists and employees that appear to be a risk. Checking social media profiles as well as traditional background checks will help to give you a better picture of the person you’re thinking of hiring.
- Keep An Eye On Your Employees: It’s always a good idea to know your employees and their challenges anyway but looking for unhappy employees or those that are having difficulties in their work or personal lives can help to proactively stop an insider attack. If you have an employee that seems unhappy, trying to talk to them about the issue and seeing if there is a way to help resolve it for them could save you from losing an employee and/or precious data. Also, many times if an otherwise outstanding employee is having financial difficulties they might be easily tempted to do something they might not normally do to resolve their challenges. Be aware of what is going on with your employees, talk with them, and see if there is any way you can make things easier for them.
- Incorporate The Principle Of Least Privilege: This is something all businesses should have in place. Employees should have access only to the data and resources necessary for them to do their job, nothing more and nothing less. This one principle can, by itself, mitigate many insider threats, and it also limits the damage when an outsider takes over an employee’s account. Review who has access to what on a regular schedule, revoke access that is no longer needed when someone changes role, and remove it entirely the day someone leaves. Giving people access beyond what their role requires only leaves your company open to trouble.
- Password Policies: Make sure that all users have their own password access, that they don’t share that information with anyone else, and that they follow company password policies such as discussed above in the education section of this article.
- Monitor Activity: It might sound a little Big-Brother-ish, but as a business owner it is your responsibility to know what is going on in your company. Keep logs of who accessed what and when, and use software that watches those logs for possible malicious activity and reports it to the appropriate people, usually the IT department: access to data outside a person’s role, unusually large downloads, or activity at odd hours. This is not only a good way to detect malicious activity but also catches accidental actions that could cause a breach before they become a real issue, and the logs are what you will need to work out what happened if a breach does occur.
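An added example, not from the original article, showing the least-privilege review and the activity monitoring described above as code. The roles, accounts and access log lines are constructed for the demonstration; a real deployment would read them from your directory and your file-server or application logs. Written in Python:

```python
"""Least privilege and activity monitoring: find accounts holding more access
than their role needs, then run a few simple detections over an access log.
Example code written for this article, not a product the article describes."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed role baselines: the resources each job actually needs.
ROLE_BASELINE = {
    "sales": {"crm", "email", "shared-drive/sales"},
    "engineering": {"source-repo", "ci", "email", "shared-drive/eng"},
    "finance": {"payroll", "ledger", "email", "shared-drive/finance"},
}

# Constructed accounts as provisioned in the directory. Bob has accumulated a
# payroll grant that engineering does not need (a classic leftover from a project).
ACCOUNTS = {
    "alice": {"role": "sales", "grants": {"crm", "email", "shared-drive/sales"}},
    "bob": {"role": "engineering",
            "grants": {"source-repo", "ci", "email", "shared-drive/eng", "payroll"}},
    "carol": {"role": "finance",
              "grants": {"payroll", "ledger", "email", "shared-drive/finance"}},
}

# Constructed access log, one event per line: timestamp user action resource
ACCESS_LOG = """\
2024-03-12T09:05:11 alice READ crm/accounts/1042
2024-03-12T09:06:40 bob READ source-repo/main
2024-03-12T09:07:02 bob READ payroll/export.csv
2024-03-12T10:30:00 dave READ crm/accounts/7
2024-03-12T23:14:07 carol DOWNLOAD shared-drive/finance/q1-forecast.xlsx
2024-03-12T23:14:09 carol DOWNLOAD shared-drive/finance/q1-actuals.xlsx
2024-03-12T23:14:12 carol DOWNLOAD shared-drive/finance/vendor-list.xlsx
2024-03-12T23:14:15 carol DOWNLOAD shared-drive/finance/bank-details.xlsx
2024-03-12T23:14:20 carol DOWNLOAD shared-drive/finance/salaries.xlsx
2024-03-12T23:14:25 carol DOWNLOAD shared-drive/finance/board-pack.pdf
"""

BUSINESS_HOURS = range(7, 20)                  # assumed: 07:00-19:59 is normal working time
BULK_THRESHOLD, BULK_WINDOW = 5, timedelta(minutes=10)


def excess_privileges(accounts=ACCOUNTS, baseline=ROLE_BASELINE) -> dict:
    """Grants each account holds beyond its role baseline: the list to revoke."""
    excess = {}
    for user, acct in accounts.items():
        extra = acct["grants"] - baseline[acct["role"]]
        if extra:
            excess[user] = extra
    return excess


def permitted(resource: str, grants: set) -> bool:
    """A grant on 'shared-drive/eng' covers everything stored beneath it."""
    return any(resource == g or resource.startswith(g + "/") for g in grants)


def detect(log: str = ACCESS_LOG, accounts=ACCOUNTS, baseline=ROLE_BASELINE) -> list:
    """Run the detections over the log and return human-readable alerts."""
    alerts = []
    recent_downloads = defaultdict(deque)      # user -> download timestamps inside the window
    off_hours_seen = set()                     # (user, date) pairs already alerted once

    for line in log.splitlines():
        ts_text, user, action, resource = line.split()
        ts = datetime.fromisoformat(ts_text)
        acct = accounts.get(user)

        if acct is None:
            alerts.append(f"{ts_text} {user}: activity from an account not in the directory ({resource})")
            continue

        # Access the role does not need, even when a stale grant let it succeed.
        if not permitted(resource, baseline[acct["role"]]):
            alerts.append(f"{ts_text} {user}: {action} {resource} is outside the {acct['role']} role")

        # Activity at unusual hours: one alert per user per day, not one per event.
        if ts.hour not in BUSINESS_HOURS and (user, ts.date()) not in off_hours_seen:
            off_hours_seen.add((user, ts.date()))
            alerts.append(f"{ts_text} {user}: activity outside business hours")

        # Bulk downloads: the threshold number of downloads inside a sliding window.
        if action == "DOWNLOAD":
            window = recent_downloads[user]
            window.append(ts)
            while ts - window[0] > BULK_WINDOW:
                window.popleft()
            if len(window) == BULK_THRESHOLD:
                minutes = int(BULK_WINDOW.total_seconds() // 60)
                alerts.append(f"{ts_text} {user}: {BULK_THRESHOLD} downloads within {minutes} minutes")
    return alerts


if __name__ == "__main__":
    print("Excess privileges to revoke:", excess_privileges())
    for alert in detect():
        print(alert)
```

On the sample data the review reports Bob’s stray payroll grant, and the detections flag his read of the payroll export (outside his role even though the grant allowed it), an account that is not in the directory at all, and Carol’s late-night run of six finance downloads, once for the hour and once when the fifth download lands inside the ten-minute window. Thresholds like these should be tuned against a few weeks of your own normal activity before anyone is paged on them.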
Use Encryption To Protect Sensitive Data
Although there will always be baddies out there trying to steal data from businesses, there is no need to make it easy for them. Encrypting your company’s sensitive data means that even if cyber criminals manage to obtain a copy of it, from a stolen laptop, a lost backup drive or an intercepted connection, they cannot do anything with it. For data to be of any use to a cyber criminal they need to be able to actually read it, and encrypted data can only be read by someone who holds the key to decrypt it. That is also the caveat: encryption protects the data only as long as the keys are protected. A fully encrypted laptop stolen while it is powered on and logged in, or an account whose password has been phished, gives the attacker the same access it gives the employee.
So how do you do go about using encryption for your business? Here are just a few methods that your business should incorporate into its security protocol.
- Encrypt Files, Computers, and Emails: Encrypt every laptop and desktop with full-disk encryption. BitLocker is built into the Pro and Enterprise editions of Windows, and FileVault is built into macOS. The older TrueCrypt was discontinued in 2014 and should no longer be used; its maintained successor VeraCrypt can encrypt individual files or containers where that is needed. Once a disk is encrypted, someone who removes the drive or boots the machine from other media sees only scrambled data, so without the credentials it is useless to a thief. Email is separate: messages are protected end to end only when both sender and recipient use S/MIME or PGP, which most business email clients support but which has to be set up and have keys or certificates issued. At a minimum, make sure your email service uses TLS so that messages are encrypted while travelling between servers.
- Use A VPN (Virtual Private Network): This is especially important when using wireless networks you don’t control, such as those in coffee shops, airports, convention centers and hotels. These networks are known hunting grounds for eavesdropping and tampering, and a VPN should be used whenever employees access the internet from such a location; it does no harm to use it all the time. A VPN encrypts all the traffic between the employee’s device and your company’s VPN server, so anyone intercepting it on the local network gets nothing usable without the keys. Note what it does not do: traffic leaves the VPN server in whatever form it was sent, so websites should still be used over HTTPS, and a VPN does nothing to stop a phishing link that the employee clicks through it.
Hire A Security Expert
If all of this seems overwhelming, time consuming, or confusing, there is always the option of hiring a security professional to make sure the right security measures are in place to protect your business. A good security professional keeps up to date on the latest threats and is trained in the mitigation techniques that reduce the chances of a security breach. They know the most common ways cyber criminals attempt to get at company data and how to cut them off at the pass, so to speak. The cost of hiring a security expert is small compared to the damage that can be done if your business is hit by malicious cyber activity. Here are a few tips for hiring a security professional for your business.
- Professional Certifications: Make sure the experts you hire hold recognized security certifications, which show that they have kept up with current threats and practices. Threats and technology change quickly, and staying ahead of attackers requires knowing not only what has happened in the past but what is happening now and what is likely to come next.
- Industry Experience: Although, for the most part, security protocol is the same regardless of what industry you are in, there are some industries such as healthcare, finance, or securities that require additional measures to stay compliant with government regulations. If you are in one of these industries make sure the professionals you hire have experience and expertise in these areas as well in order to make sure your business stays compliant at all times.
- Team Fit: Interview the security professionals you are thinking of hiring and make sure they are a good fit for your team. This is the person or people who will be in charge of the security of your whole business. You need to make sure they are easy to talk to, understand exactly what your business requires, and will be available when you need them. When a breach or other security challenge comes up there is no time to waste on difficult personalities or misunderstandings. Communication and collaboration are key here, so make sure they are present before bringing this very important person onto your team.
Following the tips in this article can take your business a long way towards securing its sensitive data from breaches and cyber attackers. Put as many of these measures in place as you can, and you will help ensure that your business and its important information do not fall into the wrong hands.
To learn more about how to maximize the security of your organization’s sensitive data, contact us.