It doesn’t matter what size your business is or how much money you’ve invested in Cyber Security; the harsh truth of the world we live in is that at some point you’ll be targeted by Cyber Scammers.
However, that doesn’t mean you should shut up shop and stop thinking about cyber security, or even that the hackers will be successful; it’s just one of the factors to consider when doing business in a modern, digital world.
Fortunately, there are quite a few things you, your IT team and/or all your other employees can do to make a scammer’s job much harder.
By their very nature they’re not nice people (and we’re aware how much we’re understating that), so it’s likely that if you make things too difficult for them they’ll just go and seek out an easier target (perhaps someone who hasn’t read this article?).
Here then, is cloudThings’ checklist for improving your business or organisation’s cyber security…
Back it up, back it up, then back it up again!
Starting with a worst-case scenario: should the worst happen, it’s important that (where possible) you’re not negatively affected.
To help alleviate the risks of a successful cyber attack, it’s vital that you’re making regular backups of all your key systems and data.
Additional storage doesn’t have to cost a lot these days, so making sure you have copies in a secure offsite location or (even better) in the Cloud means that should the worst occur you can be back up and running straight away without having to deal with any kind of ransomware scam.
We all know how annoying those ‘Update Needed’ pop-ups are in the corner of your screen when you log in, but new security patches for your OS (operating system), web browser and all your other software or hardware really are important.
Cyber criminals are continuously looking to exploit any weaknesses they find in systems, and these updates are deliberate attempts to stop them once such a weakness is identified by the manufacturer.
Ignoring them is an open invitation to a hacker.
Have you covered the basics?
It should go without saying, but make sure your entire system, network and all individual devices have trustworthy anti-virus and anti-malware software installed, and then make sure it’s regularly updated to keep the devices safe.
Is your password on the naughty list?
If you take nothing else from this article then take this… please use a strong password and then make sure it’s changed regularly!
In this day and age it’s still amazing how many people use simple passwords from the ‘naughty list’ for convenience’s sake, thinking it’ll never happen to them.
If you’re a system administrator, it’s good practice to ensure all employee passwords must include both capital and lower-case letters, non-sequential numbers and a symbol.
The more complicated it is, the harder it will be to crack with a brute force attack.
It may also be worth putting automatic rules in place to prohibit the partial use of the most popular password choices…
MOST POPULAR PASSWORD CHOICES:
- Their name or surname
- Their birthday
Never forget, a badly chosen password doesn’t just have the power to compromise one laptop but possibly your entire organisation’s data, as well as potentially your clients’, suppliers’ and partners’!
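The password rules above (capitals and lower-case, non-sequential numbers, a symbol, nothing from the naughty list and no fragments of the user’s name or birthday) can be enforced automatically at password-change time. This is an added example, not cloudThings’ own code; the naughty list and the sample user details are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample of commonly chosen passwords (illustrative, not a real list).
NAUGHTY_LIST = {"password", "123456", "qwerty", "abcd1234", "letmein"}


def has_sequential_digits(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending digits (123, 987)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def personal_fragments(first: str, last: str, dob: date, min_len: int = 4) -> set:
    """Fragments of the user's name and common renderings of their birthday."""
    frags = set()
    for name in (first.lower(), last.lower()):
        for i in range(len(name) - min_len + 1):
            frags.add(name[i:i + min_len])
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%Y", "%d%m", "%m%d"):
        frags.add(dob.strftime(fmt))
    return frags


def check_password(pw: str, first: str, last: str, dob: date) -> list:
    """Return a list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if pw.lower() in NAUGHTY_LIST:
        problems.append("on the naughty list")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if has_sequential_digits(pw):
        problems.append("sequential numbers")
    hits = sorted(f for f in personal_fragments(first, last, dob) if f in pw.lower())
    if hits:
        problems.append(f"contains personal detail: {hits[0]}")
    return problems
```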
Want a tip from the experts?
The ideal situation would be to have a separate, randomised password for every device and application an employee has access to. That’s obviously impractical, but by using a password manager like LastPass or 1Password it’s possible to have secure passwords whilst only having to remember and update one.
And as a final tip, if your employees are in charge of setting their own passwords and do look after sensitive data, tell them to stay away from using middle names, pet names or their children’s names or birthdays.
It’s scary what a determined scammer can learn about someone after a quick search of their social media… but it happens far more often than you’d think.
Passwords for real life
Passwords need protecting in real life too!
Do your employees ever work away from the office?
Have you ever been tempted to log in and check your emails while standing in line at Costa?
Even in the workplace have you ever had to let a disgruntled employee go?
It’s important that your employees protect their passwords not just in the digital world but in the real world too.
It’s far too easy to look over someone’s shoulder as they type out a password (especially if it’s something simple like ABCD1234). Make sure they know to take a look around before typing in their password and that they’re aware of who might be watching. It also goes without saying that they should never share it with anyone.
Preventing phishing scams
Always have one eye out for Phishing Scams.
Phishing scams are fraudulent attempts to obtain sensitive information such as usernames, passwords or credit card details, with scammers disguising themselves as a trusted person via email or other digital communication. They’re getting more and more sophisticated every year.
It’s important your IT team or other knowledgeable individual within your organisation teach your staff what to look out for in ‘dodgy’ emails.
Unfortunately, they won’t come from Nigerian Princes these days!
THE EMAIL DISPLAY NAME
A common tactic is to ‘spoof’ a senior member of the organisation in the ‘from’ box.
Just because their name displays doesn’t mean it’s from them.
A good step to take in preventing this is to empower your staff to speak to the sender to double-check that the email was from them, especially if it’s requesting information (particularly payment details) or asking for a link to be clicked.
DON’T CLICK A SUSPICIOUS LINK. JUST… DON’T!
It’s not foolproof, but a quick check is to hover your mouse over the link (without clicking it!). This will display the address the link will send you to. If it looks spammy then it probably is.
Another common tactic of these spammy links is to direct you to a fraudulent homepage of a trusted site (maybe a fake PayPal?) asking you to login again.
If this does happen and you’re unsure, either check with your IT Team or go directly to the actual website itself rather than trusting the link in the email. It’ll take an extra 15 seconds but will prevent you from giving your details out to a phishing scammer.
LOOK OUT FOR SPELLING, GRAMMAR AND SYNTAX ERRORS
It’s not a hard and fast rule so be careful but a lot of scammers won’t have English as a first language.
If the email is badly worded or spelt there’s a chance it’s not to be trusted.
To save time a lot of scammers send out multiple emails at once.
If your boss normally addresses you by your first name but you suddenly get an email from them that starts ‘Dear Valued Employee’ or ‘Important Client’, be instantly suspicious of it, especially if it’s asking you for something.
URGENT RESPONSE REQUIRED
We’ve all had that email from the boss that needs actioning immediately but this is also a scare tactic used by cyber scammers to knock you off kilter and be easier to manipulate.
Whilst it may be genuine and need urgent attention, picking up the phone or walking to their office to double-check isn’t going to hurt and may save the company a lot of money… particularly if the email wants you to do something you wouldn’t normally, like pay an invoice or log in to an account.
SOMETHING’S NOT QUITE RIGHT
Sometimes you’ll just look at an email and it won’t feel quite… right.
Maybe the logo is pixelated or the images or layout just feel ‘off’. If something does feel wrong about it trust your instinct and run it by your IT Team before you do anything with it.
SUSPICIOUS DOMAIN NAMES AND URLS:
Many email scammers will try to spoof existing domain names to make their scams seem more credible. Instead of Amazon.com you might get an email request asking you to log into Amaz0n.com.
It’s easy to miss if you’re not being vigilant, and if you’ve already clicked the link the landing page may seem legitimate. It’s important you keep an eye out for these, as it’s a common technique.
As email scams become more sophisticated, scammers are relying less on you clicking a link and more on you opening an attachment infected with some kind of malware. If you’re sent an email from a source you don’t recognise, or even one you do but the attachment looks strange (like a .doc for a Word file, for instance), it may be suspicious. Before opening it, ask a member of your IT Team to look it over.
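The hover check and the Amaz0n.com example above can be turned into a simple link triage routine: pull the host out of the URL, reduce it to the registrable domain, undo the usual digit-for-letter swaps and compare against the domains the organisation actually trusts. This is an added example rather than anything from the original article; the trusted-domain list is constructed, and it treats the last two labels as the registrable domain (a simplification, as real code would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed list of domains this organisation trusts (illustrative only).
TRUSTED = {"amazon.com", "paypal.com", "cloudthings.example"}

# Character swaps that keep a spoofed domain looking like the real one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def host_of(link: str) -> str:
    """Lower-cased hostname from a URL, or '' if none can be parsed."""
    host = urlparse(link).hostname or ""
    return host.lower().rstrip(".")


def registrable(host: str) -> str:
    # Simplification (assumption): the last two labels are the registrable domain.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def normalise(domain: str) -> str:
    """Undo common look-alike substitutions so amaz0n.com reads as amazon.com."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def classify_link(link: str) -> str:
    """Classify a hovered link as trusted, a look-alike, a brand hidden in a subdomain, or unknown."""
    host = host_of(link)
    if not host:
        return "invalid"
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    norm = normalise(reg)
    for trusted in TRUSTED:
        if norm == trusted:
            return f"lookalike of {trusted}"
    for trusted in TRUSTED:
        # e.g. paypal.com.evil.example: the brand is only a subdomain of someone else's site
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return f"brand in subdomain, actually {reg}"
    return "unknown"
```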
Good software, bad malware
If you make it the responsibility of the IT Team to check, download and install new programs, then your staff can’t ever accidentally download something that poses a security risk.
Unfortunately, many staff will believe it’s safe to download a program as long as they know what the program is (let’s use Microsoft Excel as an example). The problems come when they don’t check where they’re downloading the new software from and perhaps just Google ‘download Microsoft Excel’ then click the first link.
The truth is, however, that these types of programs can often be riddled with viruses, spyware, malware, trojans and worms.
To reduce the risk of accidentally downloading something like this to a work machine, our advice is to implement a complete download protocol where staff are unable to download or install anything without IT’s permission.
It may take a little more time but it will keep your sensitive data a lot more secure.
The Great Firewall of…
If you don’t have a firewall installed get one; if you do make sure it’s kept up to date and the latest firmware is installed.
If you’re using a Wi-Fi network in your office make sure it’s encrypted (with something like WPA2) and make sure you regularly change the password, especially if visitors are logging on to it. Whilst you may trust your guests implicitly, there’s no way to tell if their devices are infected until it’s too late.
Lastly, if your staff ever work remotely, out of the office or from home make sure they log in through a VPN (Virtual Private Network) to avoid any issues with open Wi-Fi networks.
Current and ex-employees might be your biggest vulnerability
In a perfect world there would be no scammers and we’d be able to trust all our employees 100%.
Sadly, we don’t live in that world which means we have to take several uncomfortable steps to protect the workplace from cyber-attacks.
If someone wanted to deliberately download malicious software, chances are they wouldn’t do it from their own machine. For that reason it’s always best to educate your staff as much as possible around cyber security and to implement a policy of locking their devices whenever they step away, never sharing their passwords with anyone or giving remote access to their computer without IT’s permission and, although it may sound silly, never leaving their password on a Post-it note on their desk.
If someone does leave, especially on bad terms, it’s important to change all the passwords they had access to immediately to prevent possible breaches of your secure data.
It’s good practice to keep a record of who has access to what, so you know exactly what to update when it’s needed.
Are you using MFA?
Multifactor Authentication sounds a lot more complicated than it actually is, especially when compared against the increases to security it offers.
Simply put, the more barriers you can put in place to make it harder for hackers to access your networks and systems, the better off you’ll be.
Those additional barriers are the point of MFA (Multifactor Authentication).
By requiring two or more independent credentials to access data (what the user knows, like a password, and what the user has, like a swipe card or other security token), you exponentially increase the security of your data.
Depending on the sensitivity of the data you’re storing you could even go a step further and make biometric verification needed like facial or fingerprint recognition.
It’s all about creating different layers of defence so that even if one is compromised, cybercriminals still have another layer or two to hack.
Implementing some form of MFA is a quick win in increasing your cyber security and doesn’t need to be complicated.
It can be as simple as combining a password with a fingerprint scan or even a security question only known to the user.
Do you even https?
It’s pretty common now but you should still be double checking any website you visit starts with https instead of just the old http.
If it doesn’t, it’s not secure, so don’t put in any confidential details like credit card numbers, passwords or addresses.
Ever heard of malvertising?
Malvertising is a relatively new way that cyber criminals can add malicious code or malware to your computer. They put viruses and other items into pop up ads then add them into legitimate online advertising networks and websites.
This means you can be doing everything right, just innocently browsing a perfectly legitimate website and still have your computer attacked, often without you even realising it.
Whilst the ad networks themselves do their best to weed these out, you or your IT Team can also help by installing an adblocker on all your work machines and making sure your antivirus programs are up to date.
Your IT Team might be a vulnerability
Hopefully we’re not making you too paranoid here but if you are the victim of a cyber attack chances are you’ll be attacked from a direction you never even considered.
Whilst your IT Team are your most valuable asset in preventing cyber crime attacks within your organisation, that very level of expert knowledge they use can also be a vulnerability. Most members of your IT Team will probably have admin rights and access to every piece of hardware and software within your company… and that’s fine but…
If they’re just working on a day-to-day basis, browsing the internet etc., make sure those admin rights are locked down under a different profile.
There should be no reason they need them day to day, so having them locked away under a different password in case they are attacked adds an extra layer of protection and defence. If, on the off chance, their computer is then compromised, at least the hacker hasn’t gained access to the entire organisation.
Understand and utilise your activity logs
As we’ve already stated, encouraging a culture of digital awareness is vital in protecting your company from attacks by cyber criminals. That’s why we’d recommend you teach all your staff how to check the activity logs of their email accounts and, if used for work, their social media accounts as well.
These will show them what browsers and devices they’ve accessed their accounts from, and even from what IP address.
If there’s anything they don’t recognise they can immediately terminate it and reduce the risk of a scammer having unfettered access.
What do you do with all your old devices?
It seems like these days you only need to buy a phone or laptop for it to be out of date 6 months later… but does your company have a recycled electronics protocol in place?
If you’re getting rid of anything that once held any kind of sensitive data on it then it all needs reformatting and returning to the original factory settings.
Scammers go out of their way to buy second-hand office equipment for this reason – as so many companies don’t follow this vital step.
Hopefully this won’t have left you feeling too paranoid, glancing over your shoulder every time you boot up your laptop or unlock your phone.
A lot of the points we mention should be standard practice for most IT Teams; the main thing is to promote a culture of awareness in your organisation around cyber attacks, so that protecting the business becomes everyone’s responsibility.