A university in Alberta, Canada recently lost $12 million of public funds because an employee bought into a scam. An email was received from a regular vendor who requested a change to banking info. The change was made. The email was fraudulent and three payments to the vendor disappeared into accounts in Montreal and Hong Kong.
Don’t think for a moment that your small or mid-sized business is not worth being attacked. Many of the ransomware attacks net the perpetrator only a few hundred dollars. It’s the volume of transactions that adds up. So, think about yourself and your employees. Do you all understand how easy it is to be victimized and what you can do to prevent it?
Whether you are concerned about the loss of money, client data or proprietary information, the prevention tools and procedures are the same. You need to upgrade the IT skills of your team and secure their work environment.
Start with training your employees about the most common point of entry, phishing emails.
What is phishing?
Phishing is hacking to gain access to a company’s technology, personal identifiable information or to release a virus throughout the network. The most common way to gain entry for an attack is through phony emails. Employees open the emails, then click on links that install software containing viruses that allow the attacker to acquire IDs and passwords.
Why do employees accept the emails?
These emails are often very plausible. Hackers (let’s just call them criminals) have become quite sophisticated in developing their messages. They use familiar logos and information gathered from company websites and social networks. Such emails might appear to be from senior management with an urgent request for action.
What do you tell your employees?
Help your employees understand how they are so vulnerable to these intelligent, organized scams. Train them to be the first line of defense by:
- Showing them examples of real phishing emails that were successful so they will understand that everyone is susceptible to the deception
- Emphasizing that even antivirus software and robust firewalls are not 100% safe
- Showing them how to identify suspicious emails; e.g. look for spelling mistakes, threats if directions ignored, requests for confidential information, links to shared files such as Dropbox or links to the websites of financial institutions or services
- Telling them never to click on a link that is even a bit suspicious
- Implementing a process for alerting IT security, perhaps even offering a reward
- Cautioning your mobile workforce about the dangers of using public wi-fi and the need to immediately report any lost or stolen device so it can be de-activated
How to confirm the seriousness of phishing?
Although your employees might say they understand and will be on the lookout for phishing emails, the Verizon 2016 Data Breach Investigations Report warns that 55 percent of these emails were successful even though the victim had participated in security training. Share that statistics.
You might also want to run tests occasionally to see what goes through that should not. There are even companies that conduct mock phishing campaigns. Although your employees might tend to take such simulations as an affront to their trustworthiness, you could tell them at the end of training that you will be testing the system as a reminder to all of you to be alert.
The specialists at Digital6 Technologies would be pleased to review your IT system, identify weaknesses in its security and plan training sessions for your employees as part of a more comprehensive IT security solution.