Cybercrime is here to stay.
ProviDyn has conducted cybersecurity awareness training programs for MSP clients and other business audiences since 2016.
The purpose of this blog (culled from our various presentations over the years) is to provide a straightforward explanation and general guidelines for nontechnical readers.
We consider it a win even if you only adopt one new behavior, although four or five would be ideal. It's scary out there.
1 - It's Not A Technology Problem. It's A People Problem
When it comes to security, your organization is very similar to a house. For protection, you have doors, locks, windows, and fences. To detect threats, you have alarms, motion detectors, monitoring, and crime watch.
To respond to threats, you might have a dog, a gun, the help of local police, and the option of filing an insurance claim. But intruders can still gain access.
Businesses are in the same boat and, in many cases, may have all kinds of next-generation technology to protect, detect, and respond to threats, and sure enough, intruders still gain access.
Why? 95% of breaches are related to human error. That's why it's imperative to focus on early detection and response to lower liability because there is no way to keep everyone out.
2 - Nobody's "IT Guy" Has Everything Covered
While most organizations don't have a solitary, in-house IT resource managing both IT applications and IT infrastructure (because it's impossible to find the specialization and coverage capabilities in one person), many companies still work with a third-party "IT guy."
Even if this individual focuses on IT infrastructure, there are still significant skill and availability gaps. The operative term is "single point of failure." This scenario was much less of a problem 20 years ago.
However, IT systems have become much more decentralized and complex. They now require oversight by specialists in diverse disciplines such as public cloud, security, and mobility.
Do any of your vendors still work with an IT guy? Remember, you're only as safe as your weakest link.
Just ask Target. Their payment systems got hacked because one of their HVAC vendor's IT systems got hacked.
3 - Cybercrime Has Very Low Barriers To Entry
Cybercrime is increasingly accessible to everyone. There are online job postings, anonymous payment systems, and marketplaces where personal data is purchased and sold 24/7.
You can even buy $40.00 software programs to hack into systems. Many come with ratings similar to Amazon Reviews, and some allow you to choose options like gold, silver, and platinum depending on the kind of support you want.
Cybercrime is mainstream!
4 - Cybercrime Employs Social Engineering Tactics
Phishing is the most common form of social engineering. It often appears in emails, chat tools, and web ads. Designed to look like it's coming from a real company, it delivers a sense of urgency or demands immediate action.
A hacker could disguise themselves as a company emailing an end-user an invoice. When the recipient clicks on the PDF attachment, it releases a virus into the system.
Or you could be reading an article on the New York Times website and unwittingly click on a Bing ad that redirects you to a website equipped with an exploit kit that downloads a virus, malware, or ransomware to your computer.
5 - You Do Not Have To Go At This Alone
There are several reasons your company is working with an MSP or should consider doing so. Security is undoubtedly one of them.
If you get any suspicious or random emails from FedEx, AT&T, Amazon, Microsoft Office, DocuSign, Dropbox, or LinkedIn (to name a few), practice the five-second rule: take a breather before responding or clicking.
I would always call the sender to confirm any digital signing requests. And please forward any suspicious emails to "support@yourMSP.com." They should be able to help.
6 - Social Engineering Takes Many Forms
Baiting offers the reader something in exchange for private information. This could take the form of a free music download or a glimpse at once-svelte movie stars who now look like train wrecks in their bathing suits.
Quizzes on Facebook may seem perfectly innocent but, in some instances, you may be submitting answers that are the same as those employed for security questions with your online banking and mortgage accounts.
Have you seen any offers for free credit reports lately? Proceed with caution. Better yet, don't proceed at all. Several scams promote free credit reports that include credit charges with account numbers you don't recognize.
Then when you call to dispute the charge, you're lured into correcting the mistake by submitting your legitimate credit card account number, your security code, or even your social security number.
Phone numbers can be spoofed, which catches many people off guard because most of us are accustomed to trusting numbers from known entities as the gold standard of verification.
Ditto on text messages. Do you ever sign up for newsletters or gated content offers on Facebook, or participate in social media petitions? If so, you could be agreeing to service terms that allow them to sell your number, or you may be giving your number directly to a fraudulent entity.
Social engineering is not always technology-centric. Tailgating happens when an unauthorized person follows an employee into a restricted area at their company.
Fraudsters commonly ask unsuspecting employees to hold doors for them, claiming they forgot their badge, or they may intentionally have their hands full and expect human empathy to take them over the finish line.
7 - Avoid Unauthorized Software & Devices
Don't install unauthorized programs on your work computer or use personal devices such as laptops, USBs, MP3 players, and smartphones without your manager's permission.
Even brand-new devices and USB flash drives get infected with malware. Devices arrive compromised with code waiting to launch as soon as you plug them in. It's also a good idea to turn off/disable Bluetooth and wireless services when not in use.
Don't give hackers any windows to visit any of your networks, no matter how insignificant they may seem.
If you have an unprotected home network (non-password/user ID authenticated) and you happen to have banking statements on your laptop, threat actors in your parking lot can find the information if they happen to be looking for it.
People like this do the same thing in parking lots at commercial establishments with WiFi. Don't let your guard down at Starbucks. Their free Internet access is wide open.
8 - Simplify Your Digital Life
Unsubscribe from email lists - ones that crowd your work email inbox as well as your Yahoo or Gmail account. Less clutter means fewer opportunities to step on the proverbial grenade.
This also allows you to focus on what's actionable. Get anything of value off your desktop and into a file-sharing schema that is secure and backed up.
Post with caution. You don't want Facebook to serve as a geo-tracking device to notify criminals that the coast is clear every time you upload a shot of your foot and a drink from a recliner in St. Croix.
You should exercise similar caution with LinkedIn. Be careful about posting financial details, gripes about company policy, or detailed technical information about your computer network.
Certain phone systems have user manuals online that explain how to reset passwords, which means a nefarious third party could take down your entire voice system or rack up toll charges in the thousands of dollars.
9 - Get A Password Manager
Passwords are a twentieth-century solution to a twenty-first-century problem. Unfortunately, usernames and passwords – the most common digital credentials used today – are all that stand between employees and vital online services, including corporate networks, social media sites, e-commerce, and many others.
Sharing corporate email addresses and passwords with your Yahoo, LinkedIn, and Facebook accounts is a bad idea. Therefore, one of the best security practices you can implement is to use a completely different password for every service you use.
Sixty percent of Americans follow this process, but an astounding 40% do not. A simple password manager can make the transition a breeze. Popular options include 1Password, Dashlane, Keeper, LastPass, Password Boss, and Sticky Password.
The benefits are as follows:
- You only have to remember one master password
- The password manager will store all of your sites
- It will also encrypt each password, allow you to activate 2FA, set reminders to create new passwords, and even help you generate new ones
- Finally, the solution helps you stay organized because all your essential sites get housed within the password manager portal
10 - Consider Identity Theft Protection
It's not a matter of if; it's a matter of when. Pardon the cynicism, but we all have a one-in-four chance of getting hit. Long before the Internet took off, many paper records included personal identifying information ("PII"), which is now at large.
Georgia driver's licenses used to include your Social Security number. It would be safe to assume somebody with bad intentions either has your PII or will be able to locate it because paper records are digitized and put up for sale on the Dark Web all the time.
If your identity is stolen, it will take you a minimum of eighty hours to remediate with all the government agencies, credit bureaus, banks, credit card companies, and other organizations with whom you do business.
Can you imagine how disruptive that would be to your professional life?
For pennies a day, a good identity theft protection and recovery company can protect you and manage the recovery process if you happen to get compromised. At the very least, keep your credit frozen and only unfreeze it when necessary.
11 - Two-Factor Authentication (2FA)
2FA adds an extra layer of security by requiring the user to submit a password, a username, and something unique to that individual.
Employing a username and password together with information that only the user knows makes it harder for potential intruders to gain access and steal that person's personal data or identity.
Duo Mobile, Okta, OneLogin, and SecureAuth offer enterprise-grade 2FA solutions that are easy to implement. 2FA can also be implemented at no cost directly with Facebook, LinkedIn, Yahoo, Wells Fargo, and many others.
Once you log in with a user ID and password, a dialogue box prompts you to request a code that is sent to your smartphone as a text message. A few seconds later, you can enter the six-to-eight-digit code to gain access.
12 - Don't Operate In The Shadows
Eighty percent (80%) of workers admit to using unapproved cloud applications. These unknown apps (Shadow IT) trigger 33% of cyber breach incidents.
Why is this happening?
- IT is heavily "consumerized," making it easier than ever to do whatever you want on your device
- Users are constantly downloading free, unauthorized apps
- They're storing and transmitting sensitive data between personal devices, webmail, Dropbox accounts, and the organization's email system
- Everyone gets automatically logged into free WiFi hotspots
- Unregulated website browsing is out of control
- Just about everyone is using corporate laptops at home for personal matters
Once a compromised device gets plugged into the network, your entire organization is exposed.
13 - Make Sure You Are Really Unsubscribing
Clicking "Unsubscribe" in a fraudulent email does not mean your email address will be removed from the scammer's hit list, especially if it takes you to a website that prompts you to re-enter your email address.
It will, however, do one of two things: verify the address for the scammer, or lead you to a malicious website that will download malware onto your computer and trick you into falling for some scam.
Reputable marketers don't do this. Companies like Amazon, Apple, J. Crew, Bonobos, Brooks Brothers, et al. already have your email address and respect your wishes to be removed.
The best approach to handle the questionable spam barrage is to mark the suspicious or unwanted email as "SPAM" or "Junk," then delete it. Please resist the urge to open it.
The need for cybersecurity awareness has never been stronger. Training should be ongoing and nuanced since the threats seem to be evolving faster than the most cutting-edge security tools.
The ProviDyn team has decades of experience and we look forward to helping you implement better cybersecurity today.