Data assets fetch big dollars, whether they're used for identity theft or tax fraud. Rather than operate in stealth mode to break into hardened security systems, hackers often deploy cyber scams, then sit back and wait for employees to inadvertently hand over the keys to the company network and give them unfettered access.
A small-business owner with a tech-savvy team may assume their network is safe. Unfortunately employees continue to fall for phishing scams, phone scams and Wi-Fi hacking. According to CompTIA, a nonprofit group in the IT industry, an estimated 52 percent of data breaches are due to employee error.
Here are some ways you can help your employees to avoid being tricked by cyber criminals and recognize hacker scams.
Phishing Scams
Phishing scams are attempts by hackers to gain access to a company's network or personally identifiable information (PII), or to distribute a virus throughout its systems. They typically come in the form of fraudulent emails that trick users into installing software that contains a virus and lets hackers spy on employees and steal IDs and passwords.
To spot a phishing scam, I would suggest that you tell your employees to first check emails for spelling mistakes or broad language, such as, “Dear Customer." They should be wary of threats, such as, “You must act now or your account will be disabled." These emails might ask for confidential information, including passwords and credit card details. If the user receives an email with a suspicious link, such as a link to a banking website, hover over the link: if the destination it reveals is on a different domain than the bank’s, it is a phishing scam.
Phone Scams
Phone scams are another way criminals might steal PII and sensitive data. A criminal may call an employee and impersonate an internal member of the IT tech support team. The impersonator might ask for user accounts and passwords “to update the computer." Or, someone impersonating a representative from a software company such as Microsoft informs an employee that she has a virus and will help her fix it. Microsoft will rarely call to notify users of a virus. Ask the caller to prove their identity, and they will most likely hang up.
Wi-Fi Hacking
Free, unsecured Wi-Fi hotspots in public places like coffee shops and airports can prove a gateway to information theft. Hackers set up their own Wi-Fi hotspots, link to an employee's computer and steal log-in information.
Whenever possible, make sure your employees are connected to a secured, private Wi-Fi network. Users can download virtual private network (VPN) software that will encrypt their data even if they connect to a fake Wi-Fi hotspot. I would caution against doing online banking or sharing sensitive information when using free public Wi-Fi; assume someone is watching your every move.
Bring Your Own Device (BYOD)
It's common practice for employees to use their own devices to transfer data from their office desktops to their mobile devices and leave the office with confidential information. Such an employee could be setting himself up as prey for a thief who steals his tablet and breaks into his email, which has multiple spreadsheet attachments containing PII.
Consider implementing a BYOD policy that outlines safeguards for each device. A good practice is to require employees who store data on their mobile devices to:
- Encrypt files that contain sensitive data
- Install mobile wipe capabilities (if the device is lost or stolen)
- Install secure email and/or texting applications
Social Media
Criminals can use social networks to gain access to accounts and personal information, too. Hackers might use access to a personal social media account to send a spear phishing email to the person's friends and followers. (This is a fake email that appears to be from a friend and is very hard to spot because it comes from a trusted source.)
For example, if a user posts on social media that he is heading to Aruba and staying at a specific hotel chain, a criminal posing as a hotel registration clerk might put together a spear phishing email to the user's friends that looks like it is coming from that hotel. That may increase the chance that the user opens the email and downloads the malicious virus. One way to stop spear phishing is to minimize the amount of information shared on social networks.
Don't assume employees know about these risks. Without formal awareness programs, employees may make the same mistakes that so many others have made. Consider giving them a one-page factsheet on the most egregious cyberattack risks and how to prevent them. Security awareness is often as important as any other employee training required by a small business.
This article was originally published on May 4, 2015.