The WIDESPREAD use of new technology in the workplace has led to an increase in a new class of “cyber threats”. Understanding these threats can help prevent losses.
"GrowthForce recommends and implements these best practices as a part of our overall cybersecurity framework and recommends you do too."
Know Your Network
The nature of the internal network is evolving to include mobile devices, cloud-based services and remote access. Because of this, it is more important than ever to stay on top of network security to ensure it is locked down from prying eyes. Most modern network equipment, such as switches and routers include built-in security functions, most often in the form of a firewall.
Ensuring the firewall is enabled and security rules are enforced will help keep unauthorized access attempts at bay. Additionally, it is highly recommended to implement intrusion detection and other monitoring tools to send alerts if any unusual activity occurs. Some tools, such as Suricata, Snort, and OSSEC*, are free or inexpensive and a great starting point.
Whether you have an in-house IT team or outsource for technology services, it is important to ensure your network is being secured and maintained by knowledgeable and experienced individuals.
Despite all the effort put into building internal systems to protect against cyber threats, one of the most important aspects of a cybersecurity framework is often not reinforced: educating employees on what to watch out for and what to do if they notice suspicious activity.
Training sessions should be held regularly and contain informative and actionable content. A session on email security might include descriptions of the various types of threats, what signs to look for in a message that might indicate phishing and what actions to take to mitigate risk.
Protect Your Email
Have you ever received an email that appears to be from a familiar partner or colleague asking to visit a website and “sign-in” or transfer large sums of money only to find it was all a scam? These types of attacks are called phishing and, according to Microsoft, cost mid-size businesses upwards of $3.8 million annually.
Remember: Fraudsters Go Phishing
Phishing refers to malicious emails that are designed to trick the recipient into clicking on an infected attachment or providing personally identifiable information, such as your name, social security number and password.
Spear phishing is a more targeted attack, used by cybercriminals who want information about a specific company or individual – often appearing to come from a colleague or friend, requesting money or other information. Since email has become the primary form of communication in enterprise environments, phishing and spear-phishing have become more pervasive.
Recent research shows that spear phishing is the initial avenue of attack in almost 70 percent of data breaches. In other words, human error is to blame for almost three quarters of all breaches!
Reports show that the number of spear-phishing attacks has increased by more than 50% year-over-year since 2016.
Clone Phishing is a phishing technique in which a legitimate email with a link or attachment is duplicated to create an almost identical message. However, the criminals use a malicious attachment or link instead of the original one, and send the email from an address that’s almost, but not quite, the same as the originating address.
Whale Phishing or Whaling is a form of spear phishing that targets high-level managers and CEOs. Whaling emails are often disguised as communications from authorities or legal entities in order to scare recipients into taking action.
Businesses should implement secure email processes and services to help detect and prevent phishing scams.
Services such as Mimecast®, Proofpoint®, and Sophos* maintain vast databases of known threats, keywords, and other triggers to classify messages that may be malicious in nature and prevent them from being delivered.
These services are extremely robust and often provide further protection including email encryption and continuity services.
If you think you’ve received an email that contains malware, do the four-point verification:
- Check the company name to see if it’s really from a company you’re affiliated with.
- Check the “from” field in the email to see if you recognize the sender’s address. If you’re not sure whether it’s valid, send a new email—not a reply—to the contact to ask if he or she emailed you.
- Put your mouse over the hyperlink in the body of the email to reveal the actual URL—but don’t click on the link!
- If the URL doesn’t look valid, examine the signature at the bottom of the email for any red flags, for example, a company website URL that doesn’t work. You can do these checks in a minute or so, and if the email is fake, you’ll see multiple areas that don’t add up.
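The first three checks above, and the "almost, but not quite, the same" sender address described under clone phishing, can be run automatically on a message before anyone clicks. The following Python script is an added example, not code from the article or from GrowthForce: it parses a constructed sample message, compares the real sender domain against a constructed list of trusted partner domains (flagging near-miss lookalikes by edit distance), and performs the hover check by comparing each link's visible text with the host its href actually targets. The fourth check, trying the website in the signature, stays manual.

```python
"""
Automated form of the four-point email checks.
Added example, not from the original article; the sample messages,
the trusted-domain list and every address in them are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation actually works with.
TRUSTED_DOMAINS = {"examplebank.com", "growthforce.example"}

# Constructed sample: display name claims a trusted bank, the real domain is a lookalike,
# and the link text shows one site while the href points to another.
SAMPLE_PHISH = """\
From: "Example Bank Support" <support@examp1ebank.com>
To: finance@growthforce.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please sign in at
<a href="http://login.examp1ebank.com/verify">https://www.examplebank.com/login</a> today.</p>
</body></html>
"""

# Constructed sample of a message that passes every automated check.
SAMPLE_CLEAN = """\
From: "Jane Doe" <jane@examplebank.com>
To: finance@growthforce.example
Subject: Statement available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is at
<a href="https://www.examplebank.com/login">https://www.examplebank.com/login</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Lowercase host of a URL; bare text such as 'examplebank.com' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_message(raw):
    """Return a list of red-flag strings for a raw RFC 5322 message (empty list = no flags)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Points 1 and 2: does the real sender address belong to a company we work with?
    header = msg["from"]
    addr = header.addresses[0] if header and header.addresses else None
    if addr is None:
        return ["missing From header"]
    from_domain = addr.domain.lower()
    if not is_trusted(from_domain):
        near = [d for d in TRUSTED_DOMAINS if 0 < edit_distance(from_domain, d) <= 2]
        if near:
            flags.append(f"sender domain {from_domain!r} looks like trusted {near[0]!r}")
        else:
            flags.append(f"sender domain {from_domain!r} is not a known partner")

    # Point 3, the hover check: does the visible link text match where the href really goes?
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            shown = host_of(text) if "." in text and " " not in text else None
            if shown and shown != target:
                flags.append(f"link text shows {shown!r} but points to {target!r}")
            elif target and not is_trusted(target):
                flags.append(f"link points to untrusted host {target!r}")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, check_message(raw) or "no red flags")
```

The script deliberately never fetches any URL: everything it reports comes from the headers and the HTML already in the message, which is the same information a person gets from reading the From field and hovering over the link.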
Protect Your Personal Information
“Phishing” is the fraudulent practice of sending emails or texts claiming to be reputable companies that encourage individuals to reveal personal or confidential information which the scammer can use illicitly. Such information requested can include your login credentials, PIN, debit and credit card numbers, mother’s maiden name, and social security number, etc.
Legitimate businesses should never ask customers for passwords or account information via email, text message, or telephone.
If you believe your account information has been stolen or compromised, change your password and notify the online business immediately.
*GrowthForce is not affiliated with Mimecast®, Proofpoint®, Sophos, Suricata, Snort, or OSSEC and only references such software as a potential resource for you to research independently. GrowthForce makes no representations or warranties about such referenced products.