6 Simple Steps for Better Business Security

You’re sitting at your desk and you’re innocently browsing your emails. You click on one with a strange subject line, insisting you must open “an critical attachment”. Without much thought, you open the attachment and – oh great, you’ve been hacked. IT support spends hours trying to contain the breach.

Oops.

A week later, your phone rings. The person at the other end of the call claims to be an IT technician. They say that they’ve got to run routine maintenance on your PC, but they’ll need your username and password to complete it. You’re used to the ol’ IT update game, so you think nothing of it. You go about your business like normal, until… your computer suddenly gets remote controlled, locking you out.

You’ve been hacked. Again.

What Gives?

Most companies would be quick to blame the employee in these situations. However, that’s not the full story. The problem isn’t that employees are easy to fool, or that they’re not smart enough. The truth is they’re untrained and unprepared.

75.6% of organizations encountered at least one successful cyberattack within the past 12 months. That’s a scary statistic. But it doesn’t mean all hope is lost – adequate training can dramatically reduce this number.

How’s that, you ask?

Start by following these six simple steps that fight back against business security threats.

1. Get Better Passwords

Passwords exist pretty much whenever there’s sensitive data involved. There’s a 17% chance we know your password. Is it 123456? If it is, please go change your password right now. Password security is simultaneously one of the easiest things to take care of, and also one of the most annoying.

Modern computer users have to remember dozens of passwords for individual sites and applications. Even so, it’s important to have a good password consisting of uppercase, lowercase, and numerical elements. If possible, throw in some special characters too.

2. Lock It Up

Improved password security is a great start, but there’s plenty more to do. Here’s another highly important habit that all employees need to get into: locking their computer. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors. Physically accessing a machine is easy as pie whenever it’s out in the open like a sitting duck. (No offense, ducks – it’s not like you can read this whitepaper).

When you lock your computer, you’re adding another level of security that a malicious person has to get through. Network administrators can also establish policies throughout domains that lock people out of computers after a certain number of attempts for even more protection.

3. Keep It Clean

When you store a lot of stuff on your computer, you’re giving viruses and malicious applications a wide range of places to hide. An infected document is hard to find among a sea of clutter. But with the proper usage of folder structures, computers become easier to manage for both IT departments and employees.

After all, it doesn’t take much to fill up the desktop and have it turn into a word-search game (and people always manage to do just that).

4. Save to Secure Devices

IT departments should discuss the importance of saving documents in appropriate folders. Employees usually don’t have the option to back up their own data, so this tip requires collaboration between administrators and computer users. Employees should be trained to save their files to specific folders, hard drive partitions, or network devices. From there, IT admins need to regularly back up that data to safe locations. In the event of a disaster, restoration of data becomes easy.

5. See Something? Say Something

Employees should never be hesitant about flagging suspicious activity. After all, it’s always better to be safe than sorry. If a user receives an unusual email with an odd attachment, you need to give them access to IT support that can answer their question. Yes, it’s possible that Carol from HR will flag a Java update eight times in a row… but it’s also possible that you catch something far nastier, such as a ransomware virus or a phishing attack.

6. Stay Informed

Lastly, an easy way to improve business security is to just keep your employees informed of the latest changes in the network security landscape. While it may not always be a riveting read, sharing the occasional IT security article here and there throughout the office can be a great boon to your security strategy.

What better way for employees to prepare for possible incoming cyber threats than to read about them directly?

Better Business Security for You

Implementing the tips listed in the six steps can drastically change the effectiveness of your business security strategy. Your employees will be better prepared with proper security habits and an overall improved knowledge of lurking threats. However, there are two drawbacks:

Time and effort.

Proper security awareness training can take a lengthy amount of time. Without the right people conducting that training, you may just waste precious time. Of course, efficient training stems from a hefty amount of effort too. You may not be equipped to run effective training sessions and informative events, but luckily for you, that’s what we’re here to do.

Diverge IT can help you with your security awareness training. To find out more about how we can boost your business security and keep your organization safer than ever, shoot us a message.


Your Go-To Guide for Identifying Phishing Attacks

To a cybercriminal, you’re nothing more than a big, juicy fish. You’re slow, you’re hungry, and they don’t expect much from you in terms of intelligence and strategy. That’s exactly why they throw their “worm” in the water and hope you gulp it down without a second thought. But you’re not the only one – the cybercriminals cast a gigantic number of lures out to try and snag anyone who is willing to take the bait.

The practice is called “phishing”, and it’s a pretty apt name for this type of cybercrime.

What phishing IS:

In short, it’s a type of cybercrime that aims to convince you to divulge information to the criminal. Instead of malicious code and software, the cybercriminal depends on deception and simple trickery to gather personal or sensitive information from the victims. From there, they gain access to critical files and data.

What phishing IS NOT:

Phishing is often confused and grouped with hacking. However, hacking requires the knowledge of programs and code that exploit (or create) gaps in security infrastructures. In other words, hacking extracts information involuntarily, while phishing requires users to hand over information willingly.

Though phishing isn’t necessarily invasive, it doesn’t mean it’s conducted without effort. Phishing attempts often rely on expertly crafted emails, documents, and even websites. If it can be copied or mimicked, cybercriminals will use it to phish for information (a process known as “spoofing”).

But it doesn’t stop there. Phishing isn’t a straightforward trick that you can easily ignore. It requires constant attention, intelligence, and a basic sense of awareness. Phishing attacks have become a natural part of running a business: the total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 2015.

But all hope is not lost. The multiple different types of phishing attacks have their own unique twists that you can spot if you know what to look out for.


Clone Phishing

When cybercriminals get their hands on an email, they can do a lot with it. For starters, they analyze everything – from the user-sender relationship to the tone and kind of language used in the email. With this information, they can create an almost identical email that can be nearly impossible to distinguish from the real version. The difference with the clone is that it usually claims to be a “resend” of the original email due to one reason or another.

Usually, the email that they clone will be one that contains attachments. When they resend the email, they send an infected attachment with the same filename and size. This helps them to gain a foothold within an infected machine, possibly infecting others within the same network. These can be tricky and may require assistance to confirm authenticity when you have concerns.
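A clone phish is built to pass the checks people actually make (same filename, same size), so the useful comparison is on content. The following is an added example, not code from the original whitepaper or from Diverge IT; the attachment names and bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    filename: str
    content: bytes

    @property
    def size(self) -> int:
        return len(self.content)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def compare_attachments(known: Attachment, resend: Attachment) -> dict:
    """Compare a 'resent' attachment against the copy already received.

    Filename and size are exactly what a clone is made to match, so the
    verdict rests on the content hash: same name, same size, different
    bytes is the clone-phishing pattern described above.
    """
    result = {
        "filename_match": known.filename == resend.filename,
        "size_match": known.size == resend.size,
        "hash_match": known.sha256 == resend.sha256,
    }
    result["clone_suspect"] = (
        result["filename_match"] and result["size_match"] and not result["hash_match"]
    )
    return result


# Constructed sample data (not real mail traffic).
ORIGINAL = Attachment("Q3_report.docx", b"Q3 revenue up 4 percent, see table 2.")
# Same name and same length, with one byte changed: stands in for an altered payload.
RESENT = Attachment("Q3_report.docx", b"Q3 revenue up 4 percent, see table 7.")
VERDICT = compare_attachments(ORIGINAL, RESENT)

if __name__ == "__main__":
    for key, value in VERDICT.items():
        print(f"{key}: {value}")
```

In practice the "known" hash would come from the mail archive or a file-integrity record for the first copy, so a help desk can answer "is this the same file?" without opening the attachment.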

Website Forgery

This web-based attack is also known as a “deceptive site”. The cybercriminal goes through the process of building a site that is nearly an exact replica of the target website. When a user arrives on the site, they browse it like they would for the original site, since it contains the exact same functionalities. Often, the user won’t be able to tell that they’re on a fake site because a fake URL will be overlaid over the address bar on the site.

Once the user submits any information on the site (such as email addresses, passwords, credit card info, etc.), the criminal has won. This attempt is hard to spot and even harder to defend against. The credit giant Equifax recently fell for a website forgery attempt, and actually directed its users to go to the fake site by accident.


Phone Phishing

Phishing attempts don’t always find you through an email or a browser. Sometimes, the most convincing attempts actually come from phone calls. Usually, the cybercriminal will use untraceable VoIP services to conduct the calls.

The attempts usually go something like this: first, they claim to be important services, such as debt collectors, banks, and hospitals. Then, they prompt their users to enter in information such as account numbers and PINs. When the criminal has what they want, they simply hang up and move on to their next victim. It’s helpful to remember that most important account notifications or confirmations requiring personal information will not be delivered or requested by phone and usually not via automated voice service.

Spear Phishing

Generally speaking, phishing targets the masses. Rather than a fishing pole, it’s more accurate to think of it as a large net being dragged through the water. It’s imprecise, and it tricks only those that don’t know what to look out for.

But spear phishing is nowhere near as clumsy and imprecise as most other types of phishing.


Spear phishing targets a specific company or group of individuals. Criminals behind this approach take their time; they gather as much information as they can before taking any action. Because of this, spear phishing attacks often take many months, and in some cases, even years. In other words, while the approach looks much like other types of phishing, there is a massive amount of research behind each and every word. According to Symantec, spear phishing emails have targeted more than 400 businesses every day, draining $3 billion over the last three years.

Whaling

The most dangerous type of phishing is actually a variant of spear phishing. Whaling earns its name because it goes after the biggest targets in a business – the executives. The content of whaling attempts typically deals with executive-level issues while carrying itself as an important email. Often, they disguise themselves as legal subpoenas, customer complaints, or as fellow executives needing important information.

Once the executive of the company falls for the scam, the company can suffer greatly and even shut down completely.

So What Can You Do?

There are no two ways about it – phishing schemes are tricky cyberattacks to deal with. The number-one defense mechanism against them doesn’t come in a pre-packaged box, and isn’t sold in stores.


The best defense is user awareness and proper security training.

Diverge IT can help you attain and maintain proper security awareness. We’ve been protecting businesses since 1999 from hackers and all kinds of malicious cyberattacks. If you’d like to learn more about what we can do, reach out to us today.