By Shane Cummings
In our digital world, business is increasingly conducted via email and electronic messaging thanks to its speed and simplicity. This article sheds light on what cyber crooks are looking for, how they attempt to get it—and three practices you can implement to better protect your business.
1) Implement a company-wide best-practices policy for all emails
Everyone who conducts business via email on your company’s system should exercise extreme care when sending and receiving emails.
To ensure your employees know the best policies, why not implement a training program to help them identify and report spam and phishing emails? Services such as PhishMe and KnowBe4 offer targeted training for firms. Even with extremely effective technology controls in place, your employees are ultimately the last line of defense.
Two key rules of thumb for all users of your system:
Never send confidential, sensitive, or personal information through regular email—and quickly delete all sensitive and suspicious emails from your inbox. You might be surprised at how easily hackers can reach into your company’s mailboxes and read emails. If you receive something sensitive via email, get what you need out of your inbox and delete the entire message—then delete that from your deleted folder. If you’ve ever sent an account number or social security number, it may still be there. Crooks know to look in there too.
Depending upon the type of email server your business uses, you may be able to set firm-wide retention policies for user inboxes to automatically delete emails after a specified period of time, such as 180 days.
Always be suspicious of spam. It’s still one of the most effective ways crooks take advantage of people. Don’t just click on links or open attachments because someone you know sent them.
Phishing is the activity of retrieving information by posing as a legitimate person or company. Spoofing is considered more of a method of delivery of malicious software, otherwise known as malware. Both occur when the sender of an email isn’t who they appear to be. This can be done in a few different ways. In one, an acquaintance’s contact list could have been stolen. Using this, the hacker can send emails that appear to be from that person you know. How similar do the emails jennylin@email.com and jennylln@email.com appear? One is spelled “LIN” and the other “LLN”—and in lowercase they’re nearly indistinguishable.
Here’s another example. You may receive an email from what appears to be your bank. The hacker may have stolen the logo and otherwise replicated what a real email from that bank looks like. The email will ask you to follow some instructions to verify your information and provide a link for you to click on—or it may ask you to type in your username and password to “authenticate” your account. Once you do, now they have it, too.
To sum up, vigilance is the byword.
2) Solidify your software defenses
Spyware is software that acts like a mole, gathering information from an unsuspecting user’s computer and transmitting that back to another entity.
The most effective method to protect your business from spyware is to block the ability of your employees to install software on your company’s computers. This simple change can go a long way in tightening your firm’s defenses. Most employees are not experts on what software tools are legitimate or could compromise your business’s security. That’s why the best approach is to rely on a dedicated administrator or team to manage your software inventory.
Better yet, a centralized software inventory system will help your network administrator run routine scans for any malicious software that may find a way through your defenses. It’s also important to make sure you are using a modern Internet browser. Google’s Chrome, Mozilla’s Firefox, and the latest iteration of Microsoft’s Internet Explorer (11) and Edge (for Windows 10 machines) have elements that can make your company’s online experience more secure.
Your business should have antivirus solutions for all work computers, along with the ability to centrally monitor all machines in your network. For smaller companies on a budget, there are still plenty of other antivirus solutions available. Avast, Lavasoft’s Ad-Aware, AVG, and even Microsoft’s built-in Windows Defender (if you’re using PCs) are all good—and free—options.
3) Have a cybersecurity incident response plan in place
Every business should have a cybersecurity incident response plan in place. The point is to have a blueprint for how to respond quickly in the event of a breach or attack. The National Institute of Standards and Technology (NIST) is a great resource for building a custom plan for your business. This includes establishing an incident response team and documenting team membership, as well as documenting all the steps your business needs to take if a breach is detected.
Implicit in your response plan is the requirement that your business has the capabilities to detect both attacks and breaches. Once you’re alerted to a hack, these elements should be part of your plan’s protocols:
- Respond quickly. Immediately contact both internal administrators and any third-party organizations to block access to compromised systems. This may include working with your firm’s email provider or cloud data storage hosting company to temporarily block access to resources or permanently shut down common attack vectors. Contact information should be listed in your plan.
- Limit the damage. If the attack involves ransomware or malware on your corporate network, an immediate response from your administrator or third-party consultants will be critical in attempting to remove malicious programs from the network and isolating any electronic resources that have not yet been compromised. The highest priority should be to limit the damage already done by the attack and prevent further harm. In the event of a ransomware attack, the most effective solution is to ignore ransom requests and to restore files from a recent backup.
- Communicate to everyone who’s been impacted. The incident response team should notify employees of the breach, as well as any clients who may have been impacted by the event. Depending on the circumstances, law enforcement may also need to be contacted.
- Debrief and adjust. Be sure to use the lessons learned from the process to review the effectiveness of the incident response plan and adjust as needed.
Due to the increasingly complex nature and frequency of cyber incidents, your business would be well served to designate professionals to craft an incident response plan unique to your firm. If an incident does occur, a thoughtfully crafted plan can dramatically improve response times and ensure actions are prioritized effectively and communicated well. Even if your business does not have a prominent presence on the web, it can still be vulnerable to cyber crime.
Your best defense: Education, preparation, and vigilance
We all know how sophisticated and single-minded hackers can be. Your best strategy to protect your business and your customers from data breaches and fraud is a well-educated workforce, constant vigilance—and continuously keeping pace with state-of-the-art security defens
