With a world growing increasingly more digital, cyber crimes are more prevalent than ever. Lately, hacking and phishing attempts have been especially aggressive and dangerous, which is why it is more important than ever to protect your personnel and business from cyber crimes.
First, a little background.
Cyber-attacks, also known as hacking, reveal and exploit weaknesses in software. These weaknesses can lead to anything from a malfunctioning computer to a loss of user identity and confidential business accounts.
The most recent threat has been WannaCry, a ransomware virus that locks files on a computer until the user pays a ransom. It self-spreads on a local PC and can even move itself into other unpatched PCs in the same network. In this instance, hackers are taking advantage of a SMBv1 vulnerability in Windows (based on an attack developed by the NSA, code-named ETERNALBLUE, that was leaked by a group called TheShadowBrokers) and are using it to gain ransoms. It’s even spread to hospital and airport systems around the world.
Phishing is a method of hacking that uses false links and documents in emails. Usually, these types of emails are filtered to spam or obviously “not right,” but the most recent phishing can be difficult to detect.
In the latest attack, hackers compromise a user’s Gmail account. Then, they are able to sift through a user’s emails and send Google Docs containing malicious links to various contacts. To the receiver, the email looks like a normal Google Doc from a colleague, but get pulled into the malicious cycle when they sign in to view the document. In the process, hackers receive access to all files and accounts connected to the Gmail account and continue to spread the attack.
While these attacks can be unnerving, there are a few things you can do to protect yourself and your business from these cyber-attacks.
1. Phishing Education
Educate your employees and coworkers about the danger of phishing and what a phishing email would typically look like.
Common Signs of Phishing:
- Something doesn't seem right. If you have the slightest doubt a website or email is legitimate, do not risk it. Report it to someone in IT/security immediately.
- Sense of urgency. "If you don’t do X within 24 hours, your account will be deleted" or "Please log into your account immediately for an important message" etc.
- Look-a-like domains. These are often used in hope that users will not notice the difference, such as www.google.com vs. www.g00gle.com. Always take few moments to look at the URL before entering any information.
- Unexpected emails with specific information about you. Information like your job title, place of previous employment, or personal information can be found in your social media accounts to make a phishing email more convincing.
- Emails requesting you to open an attachment or share sensitive data. Examine these emails closer to make sure the requests are valid before revealing personal information.
Helpful Tip: If in doubt, enter a fake password. When prompted for a password, give an incorrect one first. A legitimate site will not accept the fake, but the phishing site will.
2. Ransomware Education
Educate employees and coworkers on what a typical ransomware attack looks like and how to avoid or stop them.
This is an example from the WannaCry ransomware:
Ransomware Protection Best Practices:
- Back up your systems regularly and keep a recent offline backup. Recent backups will minimize data loss in case of a cyber attack.
- Be cautious of opening unsolicited attachments sent to you via email or social media.
- Don’t enable macros in document attachments received via email.
- Don’t give yourself more login power than you need. For example, don’t stay logged in as administrator if you are only performing regular daily work activities.
- Enable file extensions. This makes it easier to view uncommon file types being sent to you.
- Stay updated. Keep servers and user computers up-to-date and patched.
3. Use Different Passwords
Do not reuse passwords across multiple websites. If a hackers gains access to one of your accounts and all other accounts have the same password, then they’ve gained access to everything. Try using secure password services like LastPass or Dashline to organize and protect your passwords.
4. Update and Patch OS
Update and patch your operating system frequently. Make sure auto-updates are turned on and don’t ignore the alert telling you it’s time to update.
5. Protect Key Computers
Restrict/safeguard key computers that are used for confidential data entry, like accounting, to prevent CEO Fraud type attacks and losses.
A Few Tips on Computer Protection:
- Technical controls. Email filtering, Two-factor authentication, patch/update all systems, access and password management.
- Security policy. Make it a rule that no USB drives are allowed on that system, opening attachments or clicking on links from unknown sources is forbidden, and make security training a requirement.
- A solid wire transfer policy. Have a system in place so large sums of money cannot be sent without interacting with multiple people to verify the legitimacy of the request.
- Require security training. Identify high-risk users (C levels, accounting, HR) and require these users to take training courses to become more educated about high level phishing attacks and fraud.
6. Two-Factor Authentication
Enable 2-Factor Authentication on any of your accounts that offer it (All social media accounts, bank accounts, work email, etc.) By having two-factor authentication, hackers will be unable to access your account without a second form of authentication.
The only way to protect yourself against cyber crimes is to actively fight against them. Share this blog with your friends, family, coworkers and employees to get started.