With the advent of the Internet, the world is totally interconnected. We all need to do our part as employers and employees so as not to become the weak link for a cyberattack. Now, more than ever, cybercriminals use everyday crises as an opportunity to steal your data and money.
How you prepare as a business can make the difference between staying in business or not. When it comes to cyber threats, there is a connection between misfortune and cyberattacks because cybercriminals prey on your generosity, curiosity, fear, and greed.
Cybercriminals want you to disclose sensitive information, infect your computer with a virus or malware, get you to open links so they can steal data, and even gain access to your physical location.
The Internet is the new delivery channel for criminals. Today, with smart homes and the Internet of things, cybercriminals have more ways to steal from you. For example, we recently equipped our home with smart door locks. If I did not take the proper precautions to protect my home’s Wi-Fi network, a cybercriminal could very easily hack into my network and simply unlock our front door while I was away. They could even remove any sign they were there by deleting the video and door lock history.
Cybercriminals use your own emotions as a way to manipulate you into divulging confidential or personal information that they can use for fraudulent purposes. In the cyber world, this is referred to as social engineering.
Cybercriminals often disguise themselves as legitimate individuals or organizations to either scare you, perhaps by saying they work for law enforcement or the IRS, or to win your confidence by saying they are with the SBA or Microsoft.
Threat Vectors For Cybercriminals
There are several ways cybercriminals perpetrate their crimes. These are known as Threat Vectors. Here are some of the most common.
Phishing
Phishing attacks are emails that carry malicious links. Concerns about Covid-19 have caused a huge surge in phishing attacks as people go online looking for information about the coronavirus. Phishing is the holy grail of attacks, since your email address is, for cybercriminals, the gift that keeps on giving.
Imagine you open your business email account and see an official-looking email from someone that you know in your company that reads: “Staff member confirmed as having Covid-19. Click on detailed guidelines on how to keep safe.” Would you click on the link? If you did, you just opened the door to a cybercriminal. This is a real-world example and demonstrates just one way that cybercriminals prey on people during a crisis.
In fact, cybercriminals used phishing emails during the coronavirus stimulus rollout to attack small businesses by impersonating the SBA with a very convincing email, saying they were assigned to help the business get access to the PPP and EIDL loan programs, hoping to gather sensitive information, including the company’s banking information. Just click on the link to schedule an appointment with an SBA loan representative, the email would say. The email looks legit, complete with the SBA logo. Unfortunately, if you click on the link, you have just exposed yourself to a cyberattack.
All it takes is just one untrained employee to open the floodgates to your network. The best advice for phishing attacks is that if you suspect it is a phishing email, hover over the link (don’t click on it) and read the address where the link takes you. “When in doubt, throw it out.”
Another common way phishing attacks occur is when cybercriminals scrape your social media for job-related postings. If you just got a new job and posted it on a social media site, like LinkedIn or Facebook, you might get a very legit-looking email posing as your new employer’s HR department, asking you for information to complete your employment record. Or perhaps, you recently lost your job and posted it on social media. In this case, you might get an email with a fake job posting that sounds like a perfect fit for you with a “Click here to apply” button that is fake.
Vishing
Vishing is similar to phishing except that you receive a fraudulent phone call instead of an email. The job-related example above could just as easily occur as a vishing call intended to get you to provide sensitive information such as your social security number, bank or credit card information, or your driver’s license number.
SMS
Cybercriminals also target cell phones. Many cyber attacks start with a fake SMS message. A common ploy is to send you a message that looks like it comes from a carrier like FedEx, UPS, or DHL. The message may say your delivery is delayed and provide a fake tracking link. Or the message may state that they attempted delivery but nobody was there, so they want you to click on a link to schedule an alternate delivery time.
Social Media
Social media is another soft spot that cybercriminals exploit. A common ploy is to provide a post asking for your opinion about a particularly emotionally charged topic such as #BlackLivesMatter or #OccupyWallStreet or how you feel about candidates in an upcoming election.
Generosity Fraud
After a crisis such as a flood, fire, or hurricane, many cybercriminals set up fake websites to get you to donate money to a fake cause. They impersonate a charity or non-profit organization and prey on your generosity to steal your information and money. Never donate through an unsolicited ad. If you do not recognize the URL, don’t click on it. If you want to donate to a cause, do some research on Google about the organization to see if it is fraudulent, or check it on Charity Navigator before you donate.
What You Should Do To Protect Against Cybercriminals
Email security – Train your employees on email security before you give them an email account on your system. Make it clear to every employee that if they don’t know the person who sent the email, or if the email appears slightly out of context or odd in any way, they should not click on any of the links. The first step is to hover over the link to see where the URL goes. If it is the least bit suspicious, don’t click on it. It is better to contact the person who sent the email to verify they sent it than to be the one who exposes the company to a cyberattack. If the content of the email is emotionally charged, it may very well be fake.
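The “hover over the link and read the address” advice above (and in the phishing section earlier) can be applied to every link in a message at once. The following is an added example, not code from the original article: it pulls the links out of a constructed phishing-style HTML email and reports why each one looks suspicious, using the same checks a careful reader makes by eye, namely whether the visible text names one site but the link goes to another, whether the link goes to a raw IP address or a punycode lookalike, whether it uses plain http, and whether the domain is one the claimed sender actually uses. The sample email, the domain `sba.gov.loan-help.example`, the IP `203.0.113.7` and the set of “known sender domains” are all assumptions constructed for the example.

```python
"""Inspect every link in an HTML email the way "hover over the link" does,
comparing where each link claims to go with where it actually goes."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: good enough without a
    public-suffix list; 'sba.gov.loan-help.example' -> 'loan-help.example')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(text, href, expected_domains):
    """Return the list of reasons a link is suspicious; empty means none found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        reasons.append("plain http, not https")
    if parsed.username is not None:
        # 'https://sba.gov@other.example/' shows one name, goes to another
        reasons.append("URL contains '@'; the real host is after it")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link points at a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (internationalized) hostname, possible lookalike")
    # Visible text that itself looks like a URL or domain but leads elsewhere
    shown = re.search(r"https?://\S+|(?:www\.)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", text, re.I)
    if shown:
        shown_url = shown.group(0)
        if not shown_url.lower().startswith(("http://", "https://")):
            shown_url = "https://" + shown_url
        shown_host = urlparse(shown_url).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    if expected_domains and registrable_domain(host) not in expected_domains:
        reasons.append(f"{host} is not one of the sender's known domains")
    return reasons


def inspect_email(html, expected_domains):
    """Return [(text, href, reasons), ...] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(t, h, assess_link(t, h, expected_domains)) for t, h in collector.links]


# Constructed sample modelled on the SBA-impersonation email described above.
SAMPLE_EMAIL = """
<p>We have been assigned to help your business access PPP and EIDL funds.</p>
<p><a href="https://sba.gov.loan-help.example/apply">Schedule an appointment</a></p>
<p>Or visit <a href="http://203.0.113.7/sba">https://www.sba.gov/funding</a></p>
<p><a href="https://www.sba.gov/funding-programs/loans">SBA loan programs</a></p>
"""

if __name__ == "__main__":
    # Assumption: the claimed sender (the SBA) only ever links to sba.gov.
    for text, href, reasons in inspect_email(SAMPLE_EMAIL, {"sba.gov"}):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"[{verdict}] '{text}' -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

The first two links are flagged (lookalike subdomain, raw IP plus mismatched visible text plus plain http) while the genuine sba.gov link passes. The known-domain set is the only input a mail administrator has to maintain; everything else is derived from the message itself.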
If you share sensitive information, you should be using some type of file encryption. You can add the free Pretty Good Privacy (PGP) encryption add-on to most popular email programs. For a more secure encryption solution, if you are dealing with information protected by regulations such as HIPAA, consider Virtru.
Passwords – In the old days, we used to have to remember passwords. As a result, we used the same password on several different websites and apps. Moreover, we used words that made sense to us, such as a pet’s name, an address, or a birthday. Today, hackers are pretty sophisticated, and creating a password that you have to remember is a remnant of the past.
Many websites and apps that require a login offer a randomly generated nonsensical password. These randomly generated passwords, which include uppercase, lowercase, numbers, and special characters, are nearly impossible for hackers to discover.
But how do you remember these passwords? Subscribe to a password manager program. Password managers, such as the one I use from KeeperSecurity allow me to store these randomly generated passwords for each of my accounts safely and securely across all of my devices. These password managers will allow you to save and populate your login screen using either a single master password or biometrics.
If you are still using passwords that you created as opposed to randomly generated ones, never use the same password on different accounts. This is especially true with your bank account login.
Many logins offer two-factor authentication. Most have you respond to a secret question, such as the make of your first automobile or your mother’s maiden name. This kind of information is easy for a cybercriminal to find. The best practice is to simply lie: make up answers that are not true and record them somewhere safe.
Never save passwords in your browser. And never save passwords in a Word or text file called “Passwords”. A simple file search will identify any file that contains the word password.
Software Update – Nowadays, many products use firmware. Make it a practice to make sure that your firmware is always up to date. When a company discovers a hole in their security, they will issue a patch or a new update to fix the security hole. The same is true with applications and programs that you run on your computers.
Some apps and programs, such as Windows, allow you to select an auto-update option. However, sometimes an update does not install properly, leaving you vulnerable to a cyber attack. It is a good practice to periodically manually check that your programs and apps are all up to date.
If you get a message saying that you need to update your software or firmware, make sure it is real. Rather than follow the link in the message, attempt to check it manually.
Keeping your programs and apps up to date will not only improve functionality but plug security holes as well. Make sure all your software is up to date.
Have a Plan – As a business, have a continuity plan in the event that you lose access to your data. Make sure you backup your data regularly and store a copy offsite or in the cloud just in case you can’t get access to your business office.
Consider purchasing Cyber Liability Insurance. If a cyber attack or data breach occurs, dealing with the fallout and getting a business back up and running can be quite costly, so get a policy with a minimum of one million in coverage. More than 60% of companies hit by a cyber attack go out of business in less than six months. Cyber liability insurance covers the costs of replacing hardware and software, lost earnings for the business if an attack leaves it unable to operate, legal fees that may arise from customers who file a lawsuit based on a data breach, a PR campaign to resolve reputation management issues, fines and penalties that may be given to the business, and even hiring experts to help deal with it all.
Wi-Fi Safety – Get savvy about Wi-Fi access. You will want to make sure that your business and home routers have some type of end-point protection to block cyber threats before they get to your network. This is especially true when it comes to sensitive information.
Most routers have a private and guest Wi-Fi access point. All your home or business devices such as computers, printers, and other networked devices should be connected to your private Wi-Fi access point. The guest Wi-Fi access point is just connected to the Internet and not all the devices in your home or business network. This way, guests will not be able to accidentally download malicious files or programs that can spread across your local network.
If you regularly use public Wi-Fi hotspots, you should be particularly vigilant. At the very least be sure you have a full system cybersecurity program on your laptop or cell phone.
If you travel frequently, consider using your own hotspot, either via your smartphone or with a dedicated mobile hotspot device such as Verizon’s Jetpack.
Another option if you are using a public Wi-Fi connection is to set up a virtual private network (VPN). Steer clear of VPNs that you pay a monthly subscription for. Instead, create your own VPN if your Internet service offers a decent upload speed (not download speed) of 15 Mbps or more; if you stream video over it, you will need even more upload speed. While a VPN adds an additional layer of security, it comes at the cost of speed.
Company Computer/Software – Today, many employees work from home using their own personal computers. This is a huge cybersecurity risk for your business. When an employee is using their own computer, it is likely that they or their children have downloaded, or will download, software that contains a virus or malware. That virus could infect the employee’s work files and be transmitted to other computers on your network. If you have employees who regularly work from home, give them a company-owned computer with all the appropriate firewalls, anti-virus/malware protection and, if necessary, encryption software installed by a trained professional. Give the employee a standard (non-administrator) user account so they can’t install unauthorized applications, and reserve the admin account for your cybersecurity-trained IT staff.
For more information about remaining cyber safe, check out the following resource libraries:
- National Cybersecurity Alliance
- Federal Trade Commission
- Cybersecurity & Infrastructure Security Agency
- National Institute of Standards and Technology
Is your business cyber safe?