Security in your Business and the People Problem
Just a friendly reminder about security within the workplace. While I can refer to our post about creating a good password as well as point out the merits of NOT changing your password frequently, I want to bring up the issue of security as it relates to people in your organization and simple human behavior.
Smart Crime and Spoofing
Criminals are getting smarter and smarter. Spoofing is on the rise, where someone sends an email disguised as someone else. Think of it like sending a letter in the postal mail with a different return address. Criminals are sending email as if it’s coming from your boss or your CEO, and they’re asking for specific sensitive information or a wire transfer.
A current popular scam is to email someone in Accounting or someone with access to financials a message AS the CEO or an executive saying money needs to be wired to a particular account. Criminals are getting smart and even saying, “I’m too busy to talk on the phone about this, so do it immediately.”
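A defender-side check for the executive-spoofing pattern described above (look-alike display name, outside sender domain, mismatched Reply-To, plus "wire it immediately" language), added here as an example that is not from the original post; the executive directory, company domain and both sample messages are constructed assumptions:

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the "CEO" wire-transfer message the post describes.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe.ceo@example-webmail.com
To: accounting@example.com
Subject: Urgent wire transfer

I'm too busy to talk on the phone about this, please wire the funds immediately.
"""

# Constructed sample: a normal internal message from the real executive.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 budget review

Please send me the updated forecast when you have a moment.
"""

# Hypothetical executive directory and company domain (assumptions for this example).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
COMPANY_DOMAIN = "example.com"
URGENCY_TERMS = ("wire", "immediately", "too busy to talk")

def analyze(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Display name matches a known executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    # Sender is outside the company domain (the "different return address").
    if domain and domain != COMPANY_DOMAIN:
        findings.append(f"sender domain {domain} is outside {COMPANY_DOMAIN}")
    # Replies would go somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    # Urgency/wire wording only counts when a header anomaly is already present,
    # so genuine urgent internal mail is not flagged on wording alone.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits and findings:
        findings.append("urgency/wire language present: " + ", ".join(hits))
    return findings
```

A hit here is a reason to pick up the phone, not a verdict; the voice confirmation the post recommends for wire transfers still applies.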
You can have all of the best bells and whistles in place to secure against hackers getting into your network, but crooks know the easiest way into your organization is through the weakest link, your people. So how do you stop this?
Having an Information Security Policy is a great place to start. Everyone should know the standard for how to handle information inside and outside of your organization. Review the policy annually and have your staff sign off on it each year. Better yet, hold a presentation or a lunch meeting to discuss it each quarter to keep it fresh in people's minds. The FCC recently updated its Cyberplanner, and this might be a great place to start.
Does it sound incredibly boring to talk about security in the workplace with your staff? Imagine being the employee who lost the business $20K because of a fraudulent wire fund request. Here are a few pointers we recommend to clients.
1. Make sure that ANY wire transfer is confirmed via a voice confirmation with the designated approver. Have clear guidelines on how wire transfers are to be processed and approved, so there is no confusion if this type of request is received.
2. If you get a document or something that requires you to log in with your email account to access it (Google, Outlook, AOL, Yahoo, etc.), contact the sender and verbally confirm that this is indeed a valid message. If their account has been compromised, your "reply" will just go to their trash, and they will not see your message. Call them!
3. Be wary of calls from government organizations that you are not expecting. It's common now to get a call from the "IRS" threatening to have the police at your door in 30 minutes to arrest you. Criminals prey on you being ignorant of how your government operates. Any legitimate government official will gladly provide identification and a way to contact them WITHOUT getting hostile or threatening you. Verify this information before giving any sensitive information to the caller.
4. If you ever get a call from "Windows Technical Support," hang up the phone. It's not even worth getting into that scam.
5. Report any suspicious activity to your IT team and management. A standard reporting process should be part of your Information Security Plan or Policy. Never sweep an incident under the rug. Be vocal. Your action can stop the spread of something nasty.
Security in your business may seem challenging, and it is an ever-changing target, but it is also the new way of life when you're running a modern business. Keep the discussion going. Make it fun. Did anyone receive one of these email messages? Did anyone receive a call from one of these scams? Relating the concept to someone you know makes it personal, and you're more likely to remember it if you get hit with it. As always, we're here to help if you need to implement a plan or policy.
Until next time, have a fantastic week!