You’ve been lucky so far with no major virus infections or cyber attacks! However, with 43% of all attacks targeted at small businesses, how long will your luck last? We Irish say “If you’re enough lucky to be Irish… You’re lucky enough!” Well… that’s almost true. This St. Patrick’s Day, don’t leave your computers, customer data, employee files and software licenses to the “luck of the Irish.”
Criminals, both the lone hacker and organized crime groups based overseas, know that small businesses are easier targets than large corporations because they have fewer resources to dedicate to cybersecurity. Small business owners can significantly reduce the risk of these attacks by taking these 3 actions:
- Train employees how to spot fraudulent emails (and other attempts to gain information)
- Require verbal confirmation before sending anyone money
- Implement dual factor password management
Employee Training
Email remains a popular method to obtain sensitive information or infect computers with malware, and your employees might be helping hackers achieve their goals. Thirty percent of people open phishing emails, and 12% of people open unsolicited attachments.
Phishing emails appear to be from reputable sources, but their purpose is to trick recipients into revealing personal information. For example, if you received an email that appeared to be from your bank and it asked you to verify personal information such as account number, address, SSN, or your password. A hacker could piece together enough information to guess your passwords or impersonate you by combining phishing emails with information about your pets, high school and family available in your social media profiles.
Although it’s possible that hackers may attempt to gain all of the information they need at one time, it’s also common for them to engage in grooming your employees over several emails to deceive them into releasing information over time.
Fortunately, employee training in spotting a fraudulent email can mitigate your risks. Security training will demonstrate the “red flags” that appear in suspicious emails:
-
- Email addresses do not match the sender’s name or company
- Hovering over email links show an address that does not match the sender’s company
- Unsolicited attachments
- Requests for passwords or identifying information
- Requests or promises of wire transfers
Employee training can be completed in under an hour, either at your site of business or in our training center. In addition, ongoing testing can be established to continually train employees on current security risks.
Wire Transfer Policy
Phishing can be used to collect enough information to credibly impersonate (or even hack into) a manager, vendor, or customer account, then send emails that convince employees to transfer money. The FBI’s term for this scam is “business email compromise” or BEC for short and report that losses now total more than $3B.
These requests will be sent as an urgent matter with a past due date, meant to create a situation where your employees feel pressured to complete the request as quickly as possible.
This scam has affected businesses of all sizes, in all industries. One popular variant is impersonating the CEO to request the employee transfer money to a vendor. The email “looks like” it came from the CEO, so the transfer is completed without any follow-up. In 2016, an executive at toymaker Mattel wired $3M to China after receiving an email she believed came from the CEO.
To prevent employees from falling prey to this tactic, implement a firm company policy that treats all requests, especially “rush” orders, with care by requiring verbal approval from the owner to initiate money transfers. This verbal agreement needs to be in person or by calling established contact numbers, not by following instructions in the wire request email.
Password Management
Technology solutions like dual-factor password authentication can help prevent hackers from gaining access to computer accounts, even if they’ve obtained considerable information through phishing attempts.
Dual-factor password authentication requires users to not only know a password but also have something – a text message to their registered phone, a password token, or other unique code. Users without both pieces of authentication will not be able to log in, thwarting the attempts of a hacker who is impersonating an employee.
Remember “There’s no need to fear the wind if your haystacks are tied down.”
Ready to Secure Your Business?
arielMIS can train your employees, implement cost-effective dual-factor password authentication, and provide security management. We’re trusted by small businesses and nonprofits to keep their networks and data secure. Let us show you how.