Being our own worst enemy in enterprise security
Two recent dinner conversations have revolved around cyber-security. A deep topic when you have a techie at the table.
And here I am today, about to attend a security event sponsored by one of our partners, focusing on online fraud.
It’s a frequent discussion. We can’t go a day it seems without hearing of yet another story of an attack on a business, school system, social media site – you name it.
Let’s take a recent story: A malware attack hit a local school system because of a clicked link in an email.
They weren’t “hacked” per se – the school system wasn’t specifically targeted, although the fact that several systems use the same online resources may have been a factor.
The school’s backups weren’t adequate. Some teachers lost 10-plus years of materials.
And the results can be catastrophic for those involved: identity fraud, loss of income, drained bank accounts, decimated FICO scores, all stemming from what seems like an innocent click of the mouse.
So what can you do?
There are a few pointers I bring up whenever these conversations occur. It may not be an exhaustive list, but it covers the basics.
- The IRS, your court system, etc. will NOT email you with a summons, delinquency notice, or any other official document. Delete it. They will send you a physical letter if there is an issue that requires your attention.
- Your bank may email you. However, they should never be asking for your account information. If an action is required, visit the bank website directly via your browser.
- Watch out for funny-looking letters or characters in names or the body of the message. It doesn’t take a lot of skill to create a message which looks real to most people. But sometimes there are strange characters in the email – an image where a letter should be, for example.
- Watch out for emails from banks or other online services you aren’t a customer of. These services could be Amazon, Office365, or any number of different services that may charge a large upfront or recurring fee.
- Don’t fall for the “porn” trap. A rash of emails claiming to have video of their targets viewing adult content and threatening to distribute the video to all of their friends is a common scam these days. The email may contain a real email address, even an actual password in it. They almost always want you to pay in Bitcoin or other cryptocurrencies. Don’t fall for it.
- Change passwords! Do this frequently, and don’t use the same password for multiple websites or services. It’s a good idea to use a password manager to help with this. There are many stories of victims where they used the same password and email address for login across many sites, leaving them open for attack on several fronts.
- Never use work email for personal activity. You don’t “own” the work email address. You never know when you might lose access to that address. Gmail is free – use something like it for personal activity.
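Two of the pointers above (strange characters in names or the body, and visiting the bank site directly rather than trusting a link) can be turned into simple automated checks. The following is an added example, not code from the original post: it scans a constructed sample email for words that mix letters from different Unicode scripts (a Cyrillic "а" dropped into a Latin word is a classic look-alike trick) and for links whose visible text names one host while the real destination is another. The sample message, the hostnames in it, and the function names are all assumptions made for the example.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email (not from the original post). "B\u0430nk" uses a
# Cyrillic small a (U+0430) in place of the Latin "a", and the link text shows
# one host while the href points to a different one. Both hosts are made up.
SAMPLE_HTML = (
    "<p>Dear customer, your Example B\u0430nk account needs attention.</p>"
    '<p>Log in at <a href="http://example-login.invalid/verify">'
    "https://www.examplebank.example</a> within 24 hours.</p>"
)


def char_script(ch):
    """Script prefix of the character's Unicode name, e.g. LATIN or CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_words(text):
    """Return (word, scripts) for every word whose letters come from more than
    one Unicode script. Accented Latin letters (é, ü) are still LATIN, so
    ordinary French or German text is not flagged; a Cyrillic letter hiding
    inside a Latin word is."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {char_script(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            flagged.append((word, sorted(scripts)))
    return flagged


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (href_host, text_host) for links whose visible text looks like a
    URL but names a different host than the actual destination."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = ""
        if "://" in text:
            text_host = (urlparse(text).hostname or "").lower()
        if text_host and text_host != href_host:
            mismatches.append((href_host, text_host))
    return mismatches


def scan_email(html):
    """Run both checks and report what a reader should look at before clicking."""
    return {
        "mixed_script_words": mixed_script_words(html),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    report = scan_email(SAMPLE_HTML)
    for word, scripts in report["mixed_script_words"]:
        print(f"look-alike characters in {word!r}: {', '.join(scripts)}")
    for href_host, text_host in report["mismatched_links"]:
        print(f"link text says {text_host} but goes to {href_host}")
```

Running it on the sample prints one look-alike word and one link mismatch. The mixed-script check deliberately works per word rather than per message, so a legitimately bilingual email is not flagged; only a single word assembled from two alphabets is. The link check only fires when the visible text itself is a URL, which is the case the advice in the list targets: a link that claims to be the bank's address but points somewhere else.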
Remember, an attacker only has to find ONE way into a system. You have to protect against everything. Time is on their side, not yours.