Cybersecurity 101 – Part 2: Cybersecurity at Work

Every year, thousands of companies fall prey to attacks on their network and equipment. No one is immune; from small businesses to large corporations like Home Depot and Sony, cybersecurity threats are a problem which must be taken seriously.

As the Internet of Things, cloud platforms, offsite storage, and other technologies gain in popularity, their susceptibility as a security breach point does, too. All companies should have risk management strategies and a strong cybersecurity culture in place. In this three-part series, we discuss tips for protecting yourself against cybersecurity threats in the workplace, the home, and on personal devices. In our first segment, we discussed the types of cyber threats and various ways to defend against them. This week, we’ll look specifically at the workplace, and steps to protect your business.

Understand security is everyone’s responsibility.
Develop an awareness program within your organization which educates and empowers both your customers and employees to maintain regular awareness of security threats. Make sure your program is an ongoing process and not just a one-off activity. Assign security “experts” within the company who can keep training efforts fresh and updated.

Security first!
Make sure new hires are immediately brought into the fold with your cybersecurity efforts. Every employee should know their part in the awareness program, how to watch for suspicious activity, and where to report it from day one.

Keep it personal.
Personal information about yourself, fellow employees, company practices, remote access to the company network, etc., should never be discussed with people outside of the company, even if you are acquainted with them. Scammers and social engineers use this information to exploit and gain access to company data. Whether the request is via email, telephone, text, or in person, all information should be kept confidential unless the requestor’s identity has been verified and approved.

Protect yourself from phishing.
Phishers are adept at masquerading as legitimate individuals or companies. If you receive an email from an unknown sender, the best practice is to never open it. If you do, read it thoroughly. Grammatical errors and misspelled words are commonly found in phishing scams. Never click on a link in a suspicious email; they often contain a virus or lead to a malicious website disguised to look like a legitimate domain. Instead, use your browser to go directly to the company’s website. If you think you’ve received a phishing scam, delete the email message completely.

Beat the BEC
Business Email Compromise (BEC) is a sophisticated scam which targets businesses who work with foreign suppliers and/or regularly perform wire transfer payments. First, they compromise legitimate business e-mail accounts through social engineering or computer intrusion, then they conduct unauthorized transfers of funds. The Financial Services Information Sharing and Analysis Center recommends additional steps to protect your company against BEC:

  • Create intrusion detection system rules that flag e-mails with extensions similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
  • Register all company domains that are slightly different than the actual company domain.
  • Verify changes in vendor payment location by adding additional two-factor authentication, such as having a secondary sign-off by company personnel.
  • Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
  • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.

Next week, we will wrap up the series by taking a closer look at personal cyber protection, including your home computer and mobile device.