#1 It’s Not A Technology Problem. It’s A People Problem
When it comes to security, your organization is very similar to a house. For protection, you have doors, locks, windows and fences. To detect threats, you have alarms, motion detectors, monitoring and crime watch. To respond to threats, you might have a dog, a gun, the help of local police and the option of filing an insurance claim. But intruders can still gain access. Businesses are in the same boat: in many cases they have all kinds of next-generation technology to protect against, detect and respond to threats, and sure enough, intruders still gain access. Why? 95% of breaches are related to human error. This makes it imperative to focus on early detection and response to lower liability, because there is no way to keep everyone out.
#2 Nobody’s “IT Guy” Has Everything Covered
While most organizations don’t have a solitary, in-house IT resource managing both IT applications and IT infrastructure (because it’s impossible to find the specialization and bandwidth in one person), many companies still work with a third-party “IT guy.” Even if this individual is only focused on IT infrastructure, there are still significant skill and bandwidth gaps. The operative term is “single point of failure.” This was much less of a problem 20 years ago. However, IT systems have become much more decentralized and complex and now require oversight by specialists in diverse disciplines such as public cloud, security and mobility. Do any of your vendors still work with an IT guy? Remember, you are only as safe as your weakest link. Just ask Target. Their payment systems were hacked because one of their HVAC vendor’s IT systems was hacked.
#3 Cybercrime Has Very Low Barriers To Entry
Cybercrime is increasingly accessible to everyone. There are online job postings, anonymous payment systems and marketplaces where personal data is bought and sold 24/7. You can even buy $40 software programs to hack into systems. Many come with ratings similar to Amazon Reviews and some allow you to choose options like gold, silver and platinum depending on the kind of support you want.
How scary is that?
#4 Cybercrime Is Deployed Via Social Engineering Tactics
Phishing is the most common form of social engineering. It often appears in emails, chat tools and web ads. It’s designed to look like it’s coming from a real company and delivers a sense of urgency or demands immediate action. A hacker could disguise themselves as a company emailing an end user an invoice. When the user clicks the attachment, it releases a virus into the system. Or you could be reading an article on the New York Times website and unwittingly click on a Bing ad that redirects you to a website equipped with an exploit kit that downloads a virus, malware or ransomware to your computer.
#5 You Do Not Have To Go At This Alone
There are several reasons your company is working with ProviDyn. Security is certainly one of them. If you get any suspicious or random emails from FedEx, AT&T, Amazon, Microsoft Office, DocuSign, DropBox and LinkedIn (just to name a few), practice the 5 second rule and take a breather before responding or clicking. I would always call the sender to confirm any digital signing requests. And please forward any questionable emails to firstname.lastname@example.org. We’re here to help.
#6 Social Engineering Takes Many Forms
Baiting offers the reader something in exchange for private information. This could take the form of a free music download or a glimpse at once-svelte movie stars who now look like train wrecks in their bathing suits. Quizzes on Facebook may seem perfectly innocent but, in some instances, you may be submitting answers that are the same as those employed for security questions with your online banking and mortgage accounts. Seen any offers for free credit reports lately? Proceed with caution. Better yet, don’t proceed at all. There are a number of scams offering free credit reports that include credit charges with account numbers you don’t recognize. Then, when you call to dispute the charge, you may be lured into “correcting the mistake” by submitting your legitimate account number, your security code or even your Social Security number. Phone numbers can be spoofed, which catches a lot of people off guard because most of us are used to trusting numbers from known entities as the gold standard of verification. Ditto on text messages. If you sign up for newsletters or gated content offers on Facebook, or participate in social media petitions, you could be agreeing to service terms that allow them to sell your number, or you may be giving your number directly to a fraudulent entity. Social engineering is not always technology-centric. Tailgating happens when an unauthorized person follows an employee into a restricted area at their company. Fraudsters commonly ask unsuspecting employees to hold doors for them, claiming they forgot their badge, or they may intentionally have their hands full and expect human empathy to take them over the finish line.
#7 Avoid Unauthorized Software & Devices
Don’t install unauthorized programs on your work computer or plug in personal devices such as laptops, USB drives, MP3 players and smartphones without permission from your manager. Even a brand-new device or USB flash drive could be infected with malware. Devices can be compromised with code waiting to launch as soon as you plug them in. It’s also a good idea to turn off/disable Bluetooth and wireless services when not in use. Don’t give hackers any window into any of your networks, no matter how insignificant it may seem. If you have an unprotected home network (one not secured by a user ID and password) and you happen to have banking statements on your laptop, threat actors in your parking lot can find the information if they happen to be looking for it. People like this do the same thing in parking lots at commercial establishments with Wifi.
#8 Simplify Your Digital Life
Unsubscribe from email lists - ones that crowd your work email inbox as well as your Yahoo or Gmail account. Less clutter means fewer opportunities to step on the proverbial grenade. This also allows you to focus on what’s actionable. Get anything of value off your desktop and into a file sharing schema that is secure and backed up. Post with caution. You don’t want Facebook to serve as a geo-tracking device to notify criminals that the coast is clear every time you upload a shot of your foot and a drink from a recliner in St. Croix. You should exercise similar caution with LinkedIn. Be careful about posting financial details, gripes about company policy or detailed technical information about your computer network. Certain phone systems have user manuals online that explain how to reset passwords, which means a nefarious third party could take down your entire voice system or rack up toll charges in the thousands of dollars.
#9 Get A Password Manager
Passwords are a twentieth-century solution to a twenty-first-century problem. Unfortunately, usernames and passwords – the most common digital credentials used today – are all that stands between employees and vital online services including corporate networks, social media sites, e-commerce and many others. Sharing corporate email addresses and passwords with your Yahoo, LinkedIn and Facebook accounts is a bad idea. Therefore, one of the best security practices you can implement is to use a completely different password for every service you use. Sixty percent of Americans follow this practice, but an astounding 40% do not. A simple password manager can make the transition a breeze. Popular options include Blur, Sticky Password, Keeper, Password Boss, LastPass and Dashlane. You only have to remember one master password, and the password manager will store all of your sites, encrypt their passwords, allow you to activate 2-factor authentication, set reminders to create new passwords, and even help you generate new ones. It also helps you stay organized because all your most important sites are conveniently housed within the password manager portal.
#10 Consider Identity Theft Protection
It’s not a matter of if, it’s a matter of when. Pardon the cynicism, but we all have a 1 in 4 chance of getting hit. Long before the Internet took off, a lot of paper records included personal identifying information (“PII”) which is now at large. Georgia driver’s licenses used to include your Social Security number. It would be safe to assume somebody with bad intentions either has your PII or will be able to locate it, because paper records are digitized and put up for sale on the Dark Web all the time. If your identity is stolen, it will take you a minimum of 80 hours to remediate with all the government agencies, credit bureaus, banks, credit card companies and other organizations you do business with. Can you imagine how disruptive that would be to your professional life? For pennies a day, a good identity theft protection and recovery company can protect you and manage the recovery process if you happen to get hit. At the very least, keep your credit frozen and only unfreeze it when necessary.
#11 Two-Factor Authentication
Two-Factor Authentication, also known as 2FA, is an extra layer of security that is known as "multi-factor authentication." This requires not only a password and username but also something else that is unique to that user. Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person's personal data or identity. 2FA can be implemented with enterprise-grade solutions such as Duo Mobile, Okta, OneLogin and SecureAuth. It can also be implemented at no cost directly with online services such as Facebook, LinkedIn, Yahoo and Wells Fargo, just to name a few. Once you log in with a user ID and password, a dialog box prompts you to request a code, which they send to your smartphone as a text message. A few seconds later you can enter the 6- to 8-digit code to gain access.
#12 Don’t Operate In The Shadows
Eighty percent (80%) of workers admit to using cloud applications that have not been approved by their company or IT provider. Thirty-three percent (33%) of cyber breach incidents are triggered through shadow IT. Why? IT has been heavily “consumerized,” making it easier than ever to do whatever you want on your own device. Users are constantly downloading free, unauthorized apps. They’re storing and transmitting sensitive data between personal devices, webmail and the organization’s email system. Employees are putting corporate data in personal, consumer-grade DropBox accounts. We’re all being automatically logged into free Wifi hotspots. Unregulated website browsing is out of control. And just about everyone is using corporate laptops at home for personal matters. Once a compromised machine or device is plugged into the network, your organization is exposed to a host of preventable problems.
#13 Make Sure You Are Really Unsubscribing
Clicking “Unsubscribe” in a fraudulent email does not mean your email address will be removed from the scammer’s hit list, especially if it takes you to a website that prompts you to re-enter your email address. It will, however, do one of two things – verify the address for the scammer, or lead you to a malicious website that will download malware onto your computer and/or trick you into falling for some sort of scam. Reputable marketers don’t do this. Companies like Amazon, Apple, J. Crew, Bonobos, and Brooks Brothers, et al. already have your email address and respect your wishes to be removed. The best way to handle the questionable spam barrage is to simply mark the suspicious or unwanted email as “SPAM” or “Junk” and then delete it. Resist the urge to open it.