“How far do you think you can go?”
I still remember asking myself that question when I started to learn to ride my bike.
Truth be told, I learned to ride a bike a bit later than most boys in the United States. In fact, I didn’t really start to ride my bike until I was 9.
I remember the weekend that I finally learned to balance…and to pedal…and to wreck! Yikes!
The problem was, after I had learned to ride a bike correctly, I didn’t have the final parts of the process. The full method, from beginning to end, that I thought I would need, was incomplete. I thought, ‘ok…balance, then push off, and then…then…pedal, and then win’.
The flaw?
No one had taught me how to use the brakes!
Could you imagine a pilot learning to take off, but never learning to land? Or what about a salesperson learning a product to sell it, but never learning the language?
In business security, we need more brakes
Now, just like when I was 9, we need more ‘brakes’.
Your business security involves multiple layers of security and safety, some pre-installed and some learned over time. Only when we learn how to use every part of the system, from the pedals to the brakes, do we learn how to use the system correctly.
Today, we are going to look at that process of onboarding new employees with the correct information. After all, if you do not give your new employees the overview of your security methods, how do you expect them to adhere to them?
How to report data breaches
Data breaches in businesses happen. Dark Reading reports that there were over 4,100 data breaches in 2016, exposing more than 4 billion records. The business sector accounted for over 80% of those records.
Reporting data breaches matters. The sooner a data breach is reported, the faster it can be halted and corrected.
Take services offline
The first method of halting data loss is simply to take services offline. The issue is that your business could be down for some time as a result. However, if a sensitive system is compromised, it makes sense to remove its ability to communicate with other systems.
Monitor affected systems
Monitoring the affected systems in your business is essential. Your business security doesn’t end with fixing the issue; you also need to determine whether the fix is actually working. By closely monitoring all entry and exit points, and reviewing activity, you can detect any further faults.
Interviewing those involved
Finally, you need to interview those who reported the breach, those involved with the breach and any employees and customers involved with the data that had been leaked. Sensitive data needs to be quarantined, but employees should be as well if they are involved.
Review and discuss your password policy
Password security is essential in business. Without proper training and monitoring, your employees could be opening up points of intrusion all over the place.
Proper password training starts with a proper password policy.
A password policy will eliminate one of the largest openings for hacking attempts. If an employee does not use good password practices, their own data is not the only thing at risk. A poor password policy followed by your employees also means that all of your business data could be compromised.
Your password policy should cover more than your business passwords. It should extend beyond your business and into your employees’ personal accounts.
What passwords should be covered?
- Email login(s)
- Computer login(s)
- Mobile phone login(s)
- Google account login
- Facebook login
- Twitter login
- LinkedIn login
- Bank login
- Retirement plan login
- Bank PIN code
One major tip that we always give is to use one password for only one platform. Meaning, your password, no matter how secure, should be used with only one login source. Your Facebook password should be different from your bank password, and your bank password should be different from your email password.
Discuss social media practices
Social media is used by everyone. The last decade has seen major growth on various social media platforms.
Social media, therefore, is also a target for people attempting to infiltrate businesses today.
Smart Insights has recently reported that there are over 1.8 billion active Facebook users. Instagram boasts 600 million active users. Twitter has over 300 million active users. And even LinkedIn has over 100 million active users on its platform.
How can your business secure your employees against hacking attempts using social media?
Remove business details from social media
Whether you work for a multi-billion dollar company or a local drugstore, publicising the link between an employee and the brand isn’t always good. In fact, most companies actually spell out which links between employee and workplace may and may not be made public. Some don’t allow you to display any pictures of your uniform or company-branded outfit. Others do not even allow you to post publicly that you are working for them.
Why?
For PR purposes, companies protect themselves from an employee presenting public statements as fact or as representing the brand. The security reason is that a hacker targeting a company can focus on employees rather than on ownership.
Don’t post unique employee information validators
Companies should also make it clear that public information like addresses, phone numbers and even birthdays could be problematic. For instance, some security questions use birthdays as their answers – and you are celebrating them publicly.
Discuss email practices
Email and social media are the two main ways that we communicate. In this day and age, email allows for fast and simple methods of sharing data and information instantly.
However, there are parts of it that raise security concerns. The transmission of the email data, the storage of that data…it all needs a security focus.
The most basic thing that you can do is cover the most basic email problems.
- Never send email attachments
- Don’t mention sensitive customer data
- Don’t trust outside emails from public carriers (Gmail, Outlook, etc.)
- Don’t click links, EVER
- Never accept email attachments
In this day and age, many of us online still do all of the things above. For consumer needs, these are insecure. For business security, they can kill your brand.
Review your BYOD policy
A BYOD policy is simply a method of outlining practices that include an employee using their online-compatible devices within and for your business. BYOD means “bring your own device”; this is often a synonym for “the internet of things”.
What makes BYOD usage so beneficial is also what makes it so terribly insecure.
Using any non-terminal device outside of the confines of a workplace instantly creates a security flaw in your business security.
This means that using devices not housed inside and maintained by the business opens the business up to countless points of intrusion and hacking possibilities.
How to handle BYOD for business correctly
First, detail how devices can and cannot be used. This refers to both personal devices inside of the workplace, and workplace devices outside of the business. You should detail issues with business network security, and public wifi usage.
Next, you should have a plan for how security upgrades and maintenance should be handled. Devices that delay updates and upgrades open themselves up to massive security holes – some of which do not get reported on until years after initial issues.
Finally, security best practices should be applied to any employee’s personal device that is used for business within the workplace. This seamless security policy allows as many security issues as possible to be handled before an incident. And when incidents do occur (not if), it allows your business to keep operating correctly.
Implement and discuss access control
Access controls do not only work to keep the bad folks out.
A good set of access controls allows for the good people to keep the good information in.
Think about this…
According to a 2015 McAfee study, 21% of data breaches were caused accidentally by internal employees. In a study from the Identity Theft Resource Center, 8.3% of data breaches were the result of pure user error.
Implementing and detailing which access control standards you use protects users from themselves. You can actively segment users based on their needs, and then keep sensitive data out of the hands of people who do not need it, no matter how trusted.
Review the policy for data removal, deletion & destruction
You may have a fantastic policy on security and data storage and transmission. You may also have a very well-written and used password policy, social media policy and BYOD policy. And, I’m hoping, you also have a great escalation and reporting policy for intrusions.
But what happens when sensitive information, on PCs, laptops and in physical forms, needs to be destroyed?
A simple ‘delete’ keystroke might not be enough. You, likewise, don’t simply toss a file full of social security numbers into the garbage if you have no need for them, correct?
By having a plan for the destruction, deletion and data removal process, you are strengthening your security. Compliance fines, industry regulatory fines and other business penalties can accrue if these actions are not handled securely.
Clarity in not using email attachments of sensitive data
Email attachments were discussed before. However, this is such a widespread issue that it needs to be mentioned again.
Unless you personally know the sender, and you are in ongoing discussions with them, don’t even consider clicking on attached files. Add in other layers of security like using business emails and PGP and you can feel safer, but never feel 100% safe.
Why? Well, mostly because hacking attempts via links are just as dangerous.
Email hacking attacks are a very real thing. The most recent involved Gmail. However, Outlook/Hotmail, Yahoo! Mail and AOL Mail have all had recent, and ongoing, attacks.
Your business emails are also susceptible. Spam filters and blacklists are not the only methods of filtering out these types of hacking attempts.
What are the top methods of email hacking for businesses?
The main hacking attempt with business email is, was and will be phishing attacks. A phishing attack via email relies on users cycling through a lot of mail that looks legitimate. You, as the target, click on a link, attachment or file, because you trust the source. The hacker then directs you to a login, installs a virus or malware, or some other end result.
Because this attack relies on trust, other hacking types are used in conjunction. Hacking attempts like phishing, pharming hacks, malware attacks and ransomware attacks are all usually seen side by side during these attack attempts.
The easiest way to prevent these attacks:
- Never click on links
- Never click on attachments
- Don’t trust public emails that are unsolicited
- Do not trust the need to ‘login’ from an email
These are just some starting tips to follow, constantly.
Discuss basic hacking: phishing, spoofing & malware
Your business needs to deal with many different types of hacking attempts. For the best business security, your employees should have a working knowledge of what these are, and how to stop and prevent them.
It is beyond the scope of a single article to cover every version of a hack type. However, below, we’ll be looking at three of the most common ones.
Phishing / Pharming Attacks
Phishing attacks work by attempting to bait you into an action. They use trust indicators, and simple techniques to get you to click, download and/or login under false conditions.
Pharming, much like phishing, relies on you trusting the original source. Pharming, however, is a more passive approach to this. Where phishing usually starts with spammed emails, pharming uses other approaches.
Most phishing attempts we have seen involve Bank of America, PayPal and other financial institutions. These emails use the exact branding of those sites. Users click the baited link, and are presented with a valid looking login form for their PayPal or bank. After login, nothing happens – except those hackers just got an email with your details and you lose everything.
Phishing and pharming are sometimes also interchangeable in definition and use. As well, phishing and pharming are nearly always used in conjunction with spoofing and masking hacking attempts.
Spoofing (Masking) Attacks
A spoofing, or masking, hack attempt uses an email address or URL that very closely matches that of a trusted source. Most of these attempts use branded indicators to lend the message credibility.
Phishing (pharming) is used alongside spoofing by spamming messages in email or on social media, and then using HTML or closely matching URLs to trick the victim into logging in or taking other actions.
A good example exists with Facebook. You receive an email from a ‘friend’, or you see a link shared on Facebook itself. Upon clicking the link from the trusted source (either on social media or from email), you are taken to what appears to be the Facebook page…you’ve been logged out for inactivity. This seems reasonable, but it is untrue. When you enter your details and click submit, you are taken to your Facebook news feed.
What happened?
Unfortunately, you just gave someone access to your Facebook account. And now, they do this same sequence again, and again, and again.
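The closely matching addresses described above can be screened for automatically before a message reaches an inbox. The following is an added example, not code from the original post; the trusted-domain list, the homoglyph table and the sample senders are constructed for illustration.

```python
import unicodedata

# Constructed list of domains the business trusts (assumption, not from the post).
TRUSTED_DOMAINS = {"paypal.com", "bankofamerica.com", "facebook.com"}

# ASCII substitutions commonly used to imitate a brand name (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, drop non-ASCII confusables, fold common look-alike letters."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typos such as 'paypai.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    # Exact trusted domain or a genuine sub-domain of one (e.g. mail.paypal.com).
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Same name after folding, a near-typo, or the brand name buried in
        # another registrable domain (facebook-login.net, paypal.com.verify.net).
        if folded == trusted or levenshtein(folded, trusted) <= 2 or brand in folded:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders for a quick run.
    for sender in ["service@paypal.com", "security@paypa1.com", "team@example.org"]:
        print(sender, "->", classify_sender(sender))
```

A sender classified as "lookalike" is a candidate for quarantine or a warning banner; "unknown" simply means the domain is not on the trusted list and still deserves the usual caution.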
Malware & Ransomware
Malware and Ransomware are the two most dangerous end-results of poor security and hacking attempts. Both involve getting you to actively download and install software. A small minority of malware attacks involve a passive installation of the offending software, and its execution.
In fact, some people just do not know they have malware installed until it is too late.
With ransomware, things are different. Once ransomware actively engages the system, it halts all operations and presents the user with a notice that their system is locked until they pay the ransom.
Ransomware is usually not isolated. Ransomware attacks usually work in conjunction with worms to deploy the ransomware repeatedly to as many machines as possible.
This month’s worst of the worst, the WannaCry (WannaCrypt) worm and ransomware duo, has caused havoc globally, with a focus on the UK and Europe. MalwareTech, a security researcher in Britain, recently found a kill switch in one version of WannaCry. However, there are many other flavors of the same worm and ransomware combo, which makes it still dangerous.
Let’s wrap your business security up!
Knowledge will always outweigh any amount of security that comes pre-built into your business processes. From the time new employees enter your business until their exit, security education should be ongoing.
Today, we looked at some discussions you should be having during new employee onboarding for better business security. By keeping lines of communication open and knowledge flowing, your employees will know what to do, what not to do and what to look for in the future.
You can streamline employee onboarding with PerfectShare for Business. We use access control settings, custom password policies, email linking restrictions and more. PerfectShare makes adding and removing employees an easy and painless procedure.