This headline might sound crazy and sensational. It has not been reported in local media, but it is really an accurate statement. In just my corner of the world, I know personally of multiple companies that have lost hundreds of thousands of dollars as result of email scams, online bank fraud, and a variety of other means, and there are thousands more out there just in our geographic area.
Why don’t we hear about these crimes locally more often? The Target’s of the world get the headlines, because they have to report breaches, and they affect large groups of people. Smaller companies lose smaller amounts that often are unrelated to their customer information. Smaller organizations often keep things quiet. Who wants to tell others that they were duped into sending a wire transfer to a hacking syndicate, or tell their employees that their bank account was compromised?
The Internet has bred a whole new world of crime families and hacker networks. All of them are vying for our bank account, our social security numbers, our credit cards, and any personal information they can use to make money. Estimates show Cyber Crime is a 3 trillion dollar business, the largest organized crime in the world. Cyber Crime is no longer perpetrated by some geeky kid trying to show off his skills. They are complex organizations who hire people, provide technical support to hackers, have published pricing for breached systems, and operate with a great degree of sophistication and large amounts of money.
How do we keep our businesses secure?
There are four key components to securing our businesses. Physical Security like firewalls, antivirus, and encryption are necessary to lock the doors and keep us safe. Even with the doors locked, we also need what I call Active Security. This involves things like secure enforced password policy, regular updates to firewalls, regular updates to operating systems and other critical systems, as well as automated monitoring, review of logs, and regular testing and review. In addition, to be secure, we need Responsive Security, which deals with a threat quickly and effectively when it does occur. This is having the right people standing by to wipe out any potential breach. Finally, we need Security Education. Most security breaches occur because someone in our organization unknowingly opened a door that should have stayed closed. It could have been clicking on an email, sending a bank transfer number, wiring funds, downloading an unsecure program, or a variety of other things.
The first three components are addressed by an effective IT department, or by an outsourced IT firm like CTaccess who has a disciplined plan and process for insuring that these items are addressed. Security Education is often left in the hands of the employee as if they should just know or be aware. Don’t leave it up to chance. Create a simple training program that addresses these top 10 security issues:
1) Don’t be tempted by SPAM. Even if the offer looks interesting, delete it. That attractive offer could be dangerous in more than one way.
2) Don’t unsubscribe without extreme care. Only unsubscribe to things that you’re sure you signed up for. The other stuff is unsolicited SPAM and many times they simply send you more SPAM after you unsubscribe or direct you to an equally dangerous website. Block a repeated SPAM message with your SPAM software, rather than attempting to unsubscribe.
3) Be savvy with attachments. Even if that email looks legitimate, double-check. Is it really a resume? Is it really a fax? Do I even have a voicemail or fax system that sends me stuff by email? Legitimate companies no longer send any kind of update via email attachment.
4) Don’t follow that link. If the email looks legitimate and you know how to get to the site through your browser without clicking the link, go there the manual way. If you are not certain about the link, double-check with someone before clicking.
5) Always look for the lock. When making a purchase, you want an encrypted connection. Look for the lock that shows up in your URL bar to insure the site you are using is secure.
6) Stick with reputable sites. Avoid obscure sites with strange URLs and avoid sites on sketchy topics and offbeat things. (Filtering/Blocking of these sites is recommended at the company level)
7) Popups are dangerous. If you get a strange unavoidable pop-up, ask an IT professional to scan your system to make sure you are clean. If it locks or won’t close, a quick shutdown of your computer might be advisable.
8) Use secure password best practices. Use at least 8 characters. Don’t use obvious terms. Use a mixture of uppercase, lowercase, numbers, and symbols. Change your passwords even on sites that don’t require it.
9) Make sure you are up-to-date. Your company should automate this. You don’t want to use old browsers, old versions of Adobe, non-patched operating systems or old plug-ins. They all leave you open to a breach.
10) Be Social Media Secure. Social media is a target for certain types of hackers. Use a secure password. Always remember that what you post or discuss may be open to more people than you imagine. Be careful about posting days of vacation, addresses, numbers, and anything that might leave an avenue to exploit you.
It’s Cyber Security month! Crazy that we now have a month dedicated to this! Stay safe, and be secure in the Wild West of an interconnected world.