Pretexting Attacks Nearly Double in 2023: What Business Owners Need to Know

Pretexting attacks, many launched through Business Email Compromise (BEC), nearly doubled in the past year according to the Verizon 2023 Data Breach Investigations Report. First, the costs: based on 16,312 security incidents, 5,199 of them confirmed breaches, Verizon determined that 74% of all breaches involved a human element, and 97% of breaches were financially motivated. Business Email Compromise now accounts for more than half of the social engineering incidents Verizon documented, with a median of $50,000 stolen per attack.

For more intrusive system-compromise attacks, 95% of the incidents that incurred a loss cost the business between $1 and $2.25 million. Training employees to recognize and thwart these attacks is far less expensive than the remediation and recovery that may be needed after a successful attack. Employees need to know what pretexting is, how it works and how to respond to it.

What Is Pretexting?

Pretexting is a social engineering technique, usually delivered through phishing emails, text messages or phone calls, in which the criminal gains the trust of an employee by pretending to be a vendor, business partner or coworker. Some examples of pretexting include the following:

  1. An IT team member contacts an employee and asks them to download software to perform system maintenance.
  2. A senior leader or executive contacts an employee and asks them to buy gift cards for a client or a company promotion, then asks for the gift card codes so they can be distributed immediately.
  3. A client asks for a regular delivery to be routed to a new address.
  4. A vendor asks for credit card information to resolve a payment problem.
  5. A bank employee asks for account access to resolve a problem.
  6. A coworker sends a text that reads, “Let me know if you get this text.”

All of these are real-world examples of pretexting scams, and in each case the requester is an impostor. The criminal creates a pretext, a scenario that asks the targeted employee to take an action personally: downloading malware or remote-access software, handing over logins, providing two-factor authentication codes, or sending money or gift card codes.

Criminals who use pretexting scams have varying degrees of sophistication. Text-based scams tend to be the most common and least sophisticated. Email-based pretexting may use convincing copies of company, client or partner email templates or websites, and sender addresses that differ from the real ones by a single character or a lookalike domain. The criminal attempts to gain trust, relying on the employee's desire to be helpful or to resolve a business problem.
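The sender-address tricks described above can be checked mechanically before anyone acts on a request. The following script is an added example for this article, not code from Protect Now or Verizon: it parses a raw email, compares the sender domain against a company domain (assumed here to be example-corp.com), and flags the signs typical of the gift-card pretext. The sample message is constructed for the demonstration.

```python
"""Flag common pretexting/BEC indicators in a raw e-mail message.

Added example; not code from the original article. The company domain and the
sample message are constructed for the demo.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumption: the defender's own domain

EXEC_TITLES = re.compile(r"\b(ceo|cfo|coo|president|director|vp)\b", re.I)
GIFT_CARD = re.compile(r"gift\s*cards?", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|next hour|today)\b", re.I)

# Constructed sample, modelled on the gift-card pretext described in the article.
SAMPLE_EML = """\
From: "Dana Reyes (CEO)" <dana.reyes@examp1e-corp.com>
Reply-To: dana.reyes.office@gmail.com
To: pat@example-corp.com
Subject: Quick favor - gift cards for the client event
Content-Type: text/plain; charset=utf-8

Pat, I'm in meetings all day. Can you pick up 5 x $200 gift cards and
send me the codes? I need this done in the next hour.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, target: str, threshold: float = 0.8) -> bool:
    """True when domain is not target but closely resembles it (typosquat / lookalike)."""
    if domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def analyze(raw: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Return the sender, a list of findings and an overall suspicious flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. Sender domain differs from ours by a character or two.
    if looks_like(from_dom, company_domain):
        findings.append(f"lookalike sender domain {from_dom!r} vs {company_domain!r}")

    # 2. Replies silently go somewhere other than the apparent sender.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 3. Display name claims an executive role but the address is external.
    if from_dom != company_domain and EXEC_TITLES.search(from_name):
        findings.append("executive title in display name but external sender address")

    # 4. The classic pretext: gift cards plus time pressure.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    if GIFT_CARD.search(body) and URGENCY.search(body):
        findings.append("gift-card request combined with urgency")

    return {"from": from_addr, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML)["findings"]:
        print("-", finding)
```

The edit-distance check catches examp1e-corp.com style domains; it will not catch an attacker who registers an unrelated domain and relies on the display name alone, which is why the display-name and Reply-To checks run independently of it.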

These attacks are rising in frequency because they are successful. Most employees have been trained to ignore requests from strangers and to go directly to websites instead of clicking on links in emails. What these employees often are not prepared for is a criminal who wants to communicate with them directly. The pretext catches them off guard. A criminal would never call and pretend to be a client, or text and pretend to be a CEO, would they?

How to Stop Pretexting Attacks

Businesses of every size must include pretexting awareness as part of cyber security employee training. Employees with access to company finances, customer and employee data or system credentials should be the top priority for this training, but it must extend to every member of the workforce to be effective. If criminals believe they can steal thousands of dollars from your company, they will probe every possible weakness to try and get a foothold in your organization.

It is equally critical to train remote and hybrid employees who spend only part of their time in the office. This has emerged as a significant training gap in many organizations, and it is a ripe target for pretexting. At a minimum, you must continually remind employees that you will never text them asking for a response or to purchase anything. Establish protocols for times when IT must work with employees remotely. Make sure employees know who the IT staff are and provide a mechanism to verify that they are speaking with a coworker rather than a criminal. Provide an email address for a staff member who is always available in case an employee needs to verify an IT request.

Be wary of what you share online about your company and its people. Criminals will mine your About and Staff pages for names, emails and titles that they can use for pretexting. They will read your press releases to learn about your vendors and clients. Unprotected digital assets, including site code and images, can be used to create spoofed versions of your website or company emails to trick employees.

As with other social engineering scams, a skeptical employee is the best defense. Employees should be continually reminded to stop and think when an interaction seems strange and to verify any unusual request out of band: by voice or in person with a trusted co-worker, using a phone number or address from the company directory rather than contact details supplied in the suspicious message itself.

Protect Now will help you stop pretexting, phishing and other social engineering attacks with our CSI Protection Certification program, designed for the specific needs of small- and mid-sized businesses and available via in-person seminars, virtual seminars or eLearning. Contact us online to learn more, or call us at 1-800-658-8311.

SEO Poisoning: Train Employees, Watch Your Search Results

SEO poisoning is a tactic scammers increasingly use to steal credentials. It can be difficult to detect, and it can harm the reputation of your business if scammers spoof your identity.

What Is SEO Poisoning?

SEO poisoning is a type of phishing attack. Cyber criminals create a fake version of a website or landing page, then use search engine optimization (SEO) techniques, or paid search ads, to get it to rank highly in online searches for the brand's name.

This technique emerged for a simple reason: cyber security employee training teaches workers never to click on links in texts or emails. Because that training has had some success, cyber criminals have changed their tactics. They still send the fake texts and emails you have likely seen, claiming to be from Amazon, eBay, PayPal or some other major online company. The email includes a link to click to resolve some phony problem, such as a package that cannot be delivered or loss of account access.

People with good online habits know to never click on these links. Instead, they go directly to the website, log in and see if there is a problem. This is where SEO poisoning may be effective: By setting up a fake site that looks legitimate and ranks highly in search results, scammers can capture login credentials just as if the target had clicked a link in an email.

The scam relies on the trust people have in search results and their tendency to quickly click the first or second link they see without investigating it closely. Once thieves have an individual's login, they can take control of the account and, because the same credentials are so often reused at work, potentially compromise business systems.

In some cases, criminals buy paid advertising that appears at the top of search results to trick people. Those ad campaigns get shut down quickly, sometimes in just a few hours, but they can snare unwary individuals while they are online. Criminals time their ad buys and SEO poisoning efforts to coincide with mass emails, hoping to steal credentials before their campaigns and sites get kicked out of search results.

Fake Sites Can Harm Your Reputation

There are two ways that SEO poisoning can damage your online reputation, and potentially damage your search rankings. The first and most obvious risk is someone spoofing your website and using it for criminal activity. Never assume that you will be immune to this. While top sites remain the biggest targets for spoofing, any site that requires users to log in can be spoofed. Even nonprofits can be spoofed if their sites collect donations or personal information.

The best defense against SEO poisoning and spoofing is to check your branded search results regularly. Search your company's name and your main website URL at least once a week, and look at the ads as well as the organic results. If you find sites ripping off your identity, report them to the search engines immediately, and report the site to its hosting provider and domain registrar as well so it can be taken down.

The second danger lies in abandoned websites. Some businesses have old websites, promotional sites or microsites that have not been used, or in some cases accessed, for several years. Sites like this are a prime target for takeover by cyber criminals, who rely on older domains and sites to lend credibility to SEO poisoning campaigns. Review all of your online properties and shut down any that are no longer in use. Keep the domain registrations active and redirect the old URLs to your main site; a domain you let expire can be registered by anyone, and a neglected site running out-of-date software can be compromised and filled with the scammer's pages.

Easy Steps to Avoid SEO Poisoning

Employees should be taught to be skeptical about any link they come across, even at the top of search results. Follow these steps to avoid clicking on a fake site:

  1. Never click on links in texts and emails. This rule still applies. If you receive an email or text with some alarming information, be suspicious. Then go directly to the site from a web browser.
  2. Look at links before clicking. Even if the link is an ad, even if it is at the top of the search page, study it carefully before you click. Most businesses have an easy-to-remember URL, like amazon.com, ebay.com or paypal.com. Search engines show the destination address with each result, for paid advertisements as well as organic results, so check it and check the spelling. Read the domain from right to left: paypal.com.verify-account.example belongs to verify-account.example, not to PayPal. Hovering over a result (or long-pressing it on a phone) shows where it actually leads. When in doubt, type the address into the bar at the top of your browser; if it is a site you visit frequently, the full URL should appear.
  3. Only click on links to the company's main domain. Scammers may try to fool you by asking you to look up a "customer service" or "client login" page. Ignore that advice. Go to the main site first, such as etsy.com or mercari.com, and navigate to the page you need from there.
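To make step 2 concrete, here is an added example (not from the original article) of how to decide which site a search-result link really points to. The list of trusted brand domains and the short suffix list are assumptions for the demo; production code should use the Public Suffix List to find the registrable domain.

```python
"""Work out which site a search-result link really leads to.

Added example, not part of the original article. TRUSTED_DOMAINS and
MULTI_LABEL_SUFFIXES are assumptions for the demo; real code should derive the
registrable domain from the Public Suffix List.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"amazon.com", "ebay.com", "paypal.com", "etsy.com", "mercari.com"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}          # assumption: enough for the demo
BRAND_WORDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}     # amazon, ebay, paypal, ...


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com'; 'shop.amazon.co.uk' -> 'amazon.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> tuple:
    """Return (verdict, detail) where verdict is 'ok', 'reject' or 'unknown'."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname drops user:pass@ and :port

    if parts.scheme not in ("http", "https"):
        return "reject", f"unexpected scheme {parts.scheme!r}"
    if parts.username is not None:
        # https://paypal.com@evil.example/ shows the brand first but lands on evil.example
        return "reject", f"credentials-in-URL trick: real host is {host!r}"
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "reject", "internationalized/punycode hostname (possible homoglyph)"

    site = registrable_domain(host)
    if site in TRUSTED_DOMAINS:
        return "ok", site

    where = host + " " + parts.path.lower()
    if any(word in where for word in BRAND_WORDS):
        # paypal.com.verify-account.example/ or evil.example/paypal.com/login
        return "reject", f"brand name appears in URL but site is {site!r}"
    return "unknown", site


if __name__ == "__main__":
    for candidate in ("https://www.paypal.com/signin",
                      "https://paypal.com.account-verify.example/login",
                      "https://paypal.com@evil.example/",
                      "https://paypa1.com/"):
        print(candidate, "->", classify(candidate))
```

"unknown" means not trusted: a typo domain such as paypa1.com is not in the list and carries no brand word, so it is neither approved nor rejected, and the right response to anything other than "ok" is to type the address yourself. Add the regional domains you actually use (amazon.co.uk and so on) to the trusted list, or a legitimate regional site will be rejected for carrying the brand name.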

As a final way to protect yourself, consider refreshing or starting your cyber security training. Our CSI Protection Certification program teaches the skills needed to detect and avoid online scams, including SEO poisoning attacks. Available in person, virtually or online, CSI Protection Certification develops superior cyber awareness and will make you and your employees nearly impossible to scam. To learn more, call us at 1-800-658-8311 or contact us online.

SIM Swapping: What You Need to Know

Have you heard of SIM swapping? It's a trick that hackers use to get money and mess up your life.

What is SIM Swapping?

So, what is SIM swapping? It's when a hacker tricks your cell phone company into moving your phone number to a SIM card the hacker controls, as if you had activated your number on a new phone. If the switch succeeds, your own SIM is deactivated, and your calls, texts and data go to the hacker's device. Because so many services send password-reset links and verification codes by text, the hacker can then get into any account tied to your number, including your bank account, and can even lock you out of those accounts entirely.

How the SIM Swap Scam is Identified

A hacker doesn't need your device to do a SIM swap. It can all be done remotely, as long as they can convince your service provider to do it. How do they convince your service provider? They give them information about you, such as your birthday, Social Security number, or account number. They can get this information from stolen mail, phishing emails, data breaches, or your online accounts.

So, how do you know if you have been the target of a SIM swap? Generally, the first sign is that your phone suddenly loses service for no reason: you cannot send texts or make calls, and incoming messages stop. Unexpected password-reset notifications or login alerts from your accounts are another warning.

Preventing a SIM Swap

There are a number of things that you can do to prevent a SIM swap. Here are some tips:

  • Start with your online mobile account – Bad guys who get into your online mobile account can own you easily. Set up two-factor authentication and a hard-to-crack password, and ask your carrier to add an account PIN or port-out lock so that a number transfer requires it.
  • Watch for Phishing – Most scammers get the information they need to SIM swap by using phishing emails. These are fake emails that are sent to potential victims, and might have weird links, fake login screens, or other methods for tricking people into giving up their info.
  • Don’t Share Your Info Online – Another thing to do is to watch what you share online. Scammers can also get information from what people share with others on social media, etc.
  • Protect Your Accounts – Check all of your accounts for security: set up two-factor authentication, use hard-to-guess passwords, prefer an authenticator app or hardware security key over text-message codes, and think about removing your phone number as a recovery option for your most important accounts.

Are You a Victim of a SIM Swap?

If you are a victim of a SIM swap, there are certain things you can do:

  • Contact law enforcement, your bank, the three credit bureaus, and your cell phone provider.
  • Change all of your passwords, especially Venmo, PayPal, and any account that is tied to your phone number. Make sure that confirmations are NOT sent to your phone number.
  • If, for any reason, you cannot log into your account, you should contact customer service of the company ASAP and give them a heads up about what happened.

ROBERT SICILIANO CSP is a #1 Best Selling Amazon author, CEO of CreditParent.com, and the architect of the CSI Protection certification, a Cyber Social and Identity Protection security awareness training program.

Beautiful Buxom Brunette Lures Boxer to His Death

Eddie Leal, 23, was an up-and-coming professional boxer who gave free boxing lessons in his garage to down-and-out neighborhood teens. He was a good guy. And like most young men, was looking for a girlfriend.

One day he saw that a young woman, Rebecca Santhiago, was asking for a friend request on his Facebook page.

The brunette bombshell with fashion model looks said she was 21, liked to party and was attending college.

What Eddie did: He accepted the friend request.

What Eddie should have done: right-clicked on the profile image and selected "Search Google for image" from the drop-down menu. He would have discovered that the results were suspicious for a stolen image, and that Rebecca Santhiago – at a minimum – did not look like her profile image.

The next move would have been for Eddie to ask Rebecca to post a picture of herself holding up a sign with her name or his name – or a recent newspaper – because “I googled your profile image and it’s on other sites.”

Few young men would have the nerve to do this, fearing it would end the correspondence. But if it ends it, this likely means that the woman was fraudulent. Better to learn this early on, right?

A correspondence, only via Facebook, ensued. Rebecca said she had no phone.

WARNING! A 21-year-old college student with no phone?

What Eddie should have done: Requested she borrow a phone so he could communicate by voice or use Skype to see her as well. This request would have ended the correspondence. And saved Eddie’s life.

One evening he agreed to meet Rebecca at 2:00 in the morning at a nearby park – her idea.

WARNING! What woman in her right mind agrees to meet a man, whom she’s never seen nor heard speaking, at 2 AM at a park? Okay, a few oddballs out there might, but Rebecca’s request should have set off sirens.

What Eddie did: Drove to the park to meet her near a dark street corner, per the plan.

What he should have done: Insist that they meet in the middle of the day for lunch at a café. This request would have ended the correspondence. And kept Eddie breathing.

The meeting took place a few weeks after the Facebook correspondence began. When Eddie arrived and waited in his car, a young man appeared and shot him point-blank in the head.

Who was Rebecca?

She was Manuel Edmundo Guzman, Jr., 19, one of the teens who had once shown up to check out the free boxing lessons.

Extensive forensic investigating revealed that the Facebook messages had come from Manuel’s computer, and that the image belonged to a model unrelated to him. He murdered Eddie for the thrill of it.

Impersonating someone else via online communication is called catfishing, sometimes spelled catphishing. Manuel's fake Facebook page included friends whom he may have acquired simply by inserting himself into online conversations and then making friend requests. Anyone can build a fake Facebook page. Usually it's done for non-homicidal reasons, but you now know the warning signs of a homicidal catfisher.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Bitcoin Scams Up the Ying Yang

If you are thinking of jumping onto the Bitcoin bandwagon, or any type of cryptocurrency, you have to make sure that you are watching out for scams. There are a ton of them out there, including the following:

Fake Bitcoin Exchanges

You have to use a Bitcoin exchange if you want to buy or sell Bitcoins, but not all of them are legitimate. Instead, many of them are created for the sole purpose of taking people’s money. Only use well-known exchanges.

Ponzi Schemes

Bitcoins are not exempt from Ponzi schemes, and you have to look out for these. These are like pyramid schemes, and you definitely don’t want to get caught up with this, as you will certainly lose your money.

Fake Currency

You have certainly heard of Bitcoin, but there are other cryptocurrencies on the market, too, as alternatives to Bitcoin. However, there are also fake ones. For instance, one of these, My Big Coin, was fake, yet the people behind it managed to take more than $6 million from customers.

Well-Known Scams

Bitcoin scammers also rely on old school, well-known scams to trick people. They might, for instance, send emails pretending to be the IRS or even having some type of Bitcoin sale. People fall for these scams every day. If it seems weird, like the IRS emailing about Bitcoin, it is most definitely a scam.

Malware

Malware is another scam associated with Bitcoin. Most wallets are connected to the internet, so scammers can use malware to access the wallet and take your money. Malware can get onto your computer in a number of ways, including from websites, social media sites, and even through email.

Fake News

We live in an era where online news is the most popular method to get news, but it’s also very easy to create news stories that seem totally legitimate, yet they are absolutely fake. Basically, scammers create these stories to bait victims, so always think before you start clicking.

Phishing

Bitcoin scammers also use phishing to steal credentials from people who are trying to buy and sell Bitcoin, typically by getting them to click malicious links that lead to fake exchange login pages.

Whether or not you join the Bitcoin craze, you can use these tips to keep yourself safe from other scams too. Here are some final tips:

  • Always do a security scan on your laptops, computers, phones, and tablets on a regular basis.
  • Do your research before investing in any cryptocurrency website. Make sure it is trustworthy and secure.
  • Store cryptocurrency you are not actively using in an offline (cold) wallet, which keeps it protected from online scammers, and keep the wallet's recovery phrase offline as well.
  • Always monitor all of your banking, credit card, and cryptocurrency accounts.
  • Always insist that the crypto site offers two-step or two-factor authentication.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Phishing is Getting Fishier

If you are like most people, you have undoubtedly received an email that has asked you to click on a link. Did you click it?

If you did, no worries; almost everyone who uses the internet has clicked a link in an email, it is pretty normal. But in some situations, you may have found that the link took you to a new or spoofed website where you were asked to do "something", i.e. enter some information or even log in to an account. Once you entered your username and password, they had it…

If you have ever done so, you were likely a victim of what is known as a phishing attack, and these attacks are getting fishier all of the time.

A What? Phish? Fish?

It’s called a phishing attack, and yes, it’s a play on words. When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.

Except that their hook and worm, in this case, is a carefully crafted email, designed to look like something you should be getting, which hackers hope you will open. It's then that they can reel you in.

There are a few different types of phishing:

  • Spoofed websites – Hackers phish by using social engineering. They send a scam email that leads to a website that looks very familiar. However, it's actually a spoof, or imitation, designed to collect credit card data, usernames and passwords.
  • Phishing "in the middle" – With this type of phishing, the cybercriminal sets up a site that sits between you and the legitimate website, relaying what you type to the real site while capturing it. Because the real site responds normally, this variant can also capture one-time codes and logged-in session cookies, so a text-message or app code by itself does not stop it.
  • Phishing by pharming – With pharming, the bad guys set up a spoof website and then redirect traffic meant for the legitimate site to it, typically by tampering with DNS or a computer's hosts file, so that even a correctly typed address lands on the fake.
  • Phishing leading to malware – This is probably the worst phish, as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link or open an attachment that infects your device.

Can You Protect Yourself from Phishing?

Yes, the standard rule is "don't click links in the body of emails". That being said, there are emails where you can click the link and others where you shouldn't. For example, if I've just signed up for a new website and a confirmation email is then sent to me, I'll click that link. Or if I'm in an ongoing dialog with a trusted colleague who needs me to click a link, I will. Otherwise, I don't click links in email promotions, ads or even e-statements. I'll go directly to the website via my password manager or a Google search (checking the domain of the result before I log in, since search results can be poisoned too).

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock'em dead in this Security Awareness Training video.

Are Your Employees Putting Your Company at Risk? Here’s How to Find Out!

Even if you have the best security on your computer network, you might have noticed that you still seem to get hacked…or worse. Ask Equifax. Why is this happening? It's probably because a member of your staff has made it easy for cyber criminals to get inside. It's really important that you find out who this person is, and keep in mind that it might be more than one. The weakness may not involve security technology at all.

Part of the problem here, is that employees who “open the door” for these criminals probably don’t even realize they are doing it. These criminals are smart, and they make themselves look really authentic. Sometimes, these crooks even disguise themselves as people your staff know. So, how do you find out who’s letting the bad guys in? Here are some things to try:

Phishing simulation:

  • Set up a fake website, and then create a fake email campaign. Send these out to your staff members from a fake address, or better, a real-looking address similar to your corporate domain, and see how many people take the bait. You might have to work with someone on your IT staff: spoofing your own domain will normally be blocked by your mail filtering (SPF, DKIM and DMARC checks), so either register a lookalike domain for the campaign or have the mail gateway allow the simulation sender. Make sure it looks legitimate or they will see right through it.
  • Though this might take some time and effort to do, it is a good way to find out where your worries might lie regarding the cyber security knowledge of your staff.
  • You can also hire a security expert to do this for you. They will create, run, and track your campaign. However, these experts are not cheap, and the campaign isn’t just a one-time thing. Instead, it’s ongoing.
  • There are also many phishing simulation security awareness vendors offering free trials just to see how vulnerable you may be.
  • It only takes a single click to cause a data breach. So, your main goal with this experiment is to find out who that clicker is. Or, who ALL those clickers are.
  • You should send out several fake emails, which ask your staff to click a link. Make sure, however, that they are very random. They shouldn’t be on any type of schedule.
  • Remember, you want to make it look like these are coming from a trusted source. Like a charity, existing vendor, coworker, company officer etc.
  • When you find out who is prone to clicking, you should take them aside and fill them in on the campaign. Don’t lecture them or discipline them. Instead, show them what they did wrong and fill them in on the consequences.
  • Some phishing simulation security awareness vendors offer ongoing computer based training specializing in bringing these clickers up to speed and changing their behavior.
  • Now that you know who the clickers are, send them other staged emails a couple of times a month. See if they click again.
  • You may choose to let them know that random fake emails will be coming. This helps to keep them alert to this issue. Or don't, and see how that affects their behavior.
  • By using this approach, you can help your staff slow down a bit, and really think about what they are doing when they get an email with a link.
  • You can also create a company policy: Do NOT click on any links in emails on company computers. This removes the need for case-by-case judgment and will make your staff question each email that comes through.
  • Even with this policy in place, continue to send fake emails to see if someone is disregarding the new rules.
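As an added example of the procedure above (not code from the original article), the script below builds per-recipient tracking links for a simulation campaign and turns the landing page's access log into a click report, so the tester can see who clicked, who clicked repeatedly, and which hits did not come from a staff link at all. The landing URL, campaign secret, staff list and log lines are all constructed for the demonstration.

```python
"""Per-recipient tracking links for an internal phishing simulation, plus a
click report built from the landing page's access log.

Added example; not code from the original article. The landing URL, campaign
secret, staff list and log lines are all constructed for the demo.
"""
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LANDING = "https://training.example-corp.com/landing"      # hypothetical landing page
CAMPAIGN_SECRET = b"rotate-this-per-campaign"              # assumption: held by the tester only
RECIPIENTS = ["alice@example-corp.com", "bob@example-corp.com", "carol@example-corp.com"]


def token_for(recipient: str, campaign: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Unguessable per-recipient token; the address itself never appears in the link."""
    mac = hmac.new(secret, f"{campaign}:{recipient}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_url(recipient: str, campaign: str) -> str:
    return f"{LANDING}?c={campaign}&t={token_for(recipient, campaign)}"


def resolve(token: str, campaign: str):
    """Map a token back to a recipient, or None for forged or foreign tokens."""
    for recipient in RECIPIENTS:
        if hmac.compare_digest(token_for(recipient, campaign).encode(), token.encode()):
            return recipient
    return None


LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')


def click_report(log_text: str, campaign: str) -> dict:
    """Who clicked, how often, who never did, and how many hits carried no valid token."""
    clicks = Counter()
    unresolved = 0
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("path")).query)
        if query.get("c", [""])[0] != campaign:
            continue
        who = resolve(query.get("t", [""])[0], campaign)
        if who is None:
            unresolved += 1          # scanner, forwarded link, or someone guessing tokens
            continue
        clicks[who] += 1
    return {
        "clicked": dict(clicks),
        "never_clicked": [r for r in RECIPIENTS if r not in clicks],
        "click_rate": len(clicks) / len(RECIPIENTS),
        "unresolved_hits": unresolved,
    }


def log_line(ip: str, when: str, query: str) -> str:
    """One Common Log Format line for the landing page (constructed)."""
    return f'{ip} - - [{when}] "GET /landing?{query} HTTP/1.1" 200 512'


def sample_log(campaign: str) -> str:
    """Constructed traffic: alice clicks twice, bob once, carol never, plus one bogus token."""
    a = token_for("alice@example-corp.com", campaign)
    b = token_for("bob@example-corp.com", campaign)
    return "\n".join([
        log_line("10.0.4.17", "12/Mar/2024:09:14:02 +0000", f"c={campaign}&t={a}"),
        log_line("10.0.4.17", "12/Mar/2024:09:14:40 +0000", f"c={campaign}&t={a}"),
        log_line("10.0.9.3", "12/Mar/2024:09:20:11 +0000", f"c={campaign}&t={b}"),
        log_line("203.0.113.5", "12/Mar/2024:11:02:55 +0000", f"c={campaign}&t=0000000000000000"),
    ])


if __name__ == "__main__":
    print(tracking_url("alice@example-corp.com", "q1"))
    print(click_report(sample_log("q1"), "q1"))
```

Because the token is an HMAC over the campaign name and the address, the address never appears in the link, tokens from a previous campaign do not resolve in a new one, and hits with unresolvable tokens (security scanners, forwarded links) are counted separately rather than blamed on a person.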

Criminals use fundamental principles of influence and the basics in the psychology of persuasion. There is a science to their process no different than how advertisers, sales and marketers get us to buy stuff. Getting snared isn’t difficult. Being smart and cautious isn’t difficult either. It just requires a little training and reprogramming.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Is Your Small Business Staff Trained in Security Awareness?

The Ponemon Institute released a shocking statistic: about 80% of all corporate data leaks are due to human error. In other words, it takes only a single staff member to cause a huge issue. Here's a scenario: Let's say that you have an employee, Betty. Betty is lovely. We love Betty. But when Betty is checking her personal email during her lunch break and sees an offer that promises a 10-pound weight loss in only a week, she wants to learn more, so she clicks the link in the email. What she doesn't realize is that by clicking that link she just installed malware on the computer, and that the malware now has access to your company's network.

This was a very simple act, one that most of us do every day. However, this is why it is so important that your staff is up to date on security awareness. How can you do this? Here are some tips:

  • Present your staff with information about security awareness, and then set up a test where you send them a link they will want to click on. This process is known as "phishing simulation." If your staff members click on the links, and they probably will, it will take them to a safe page. However, on that page is a message telling them that they fell for a scam, and that though they are safe this time, there could be serious repercussions.
  • The staff members who click the link should be tested again. This way, you will know if the message got through.
  • Make sure when you give these tests that it isn’t predictable. Send the emails at different times of day and make sure they look different and have a different message. For instance, don’t send the “lose 10 pounds” email twice.
  • Think about hiring someone, a stranger, who will try to get your staff to give them sensitive information about your company over the phone, through email, or even in person. This is a valuable test, as it helps you to determine who the “weak links” are in your company.
  • Give your staff quizzes throughout the year to see who is paying attention to security.
  • You should focus on education, not discipline, when you are doing this. Don’t make them feel bad or punish them. Instead, make sure they know what they did wrong and work on not doing it again.
  • Ensure that your team knows that a data breach can also result in financial, legal, and criminal problems.
  • Schedule checks of workstations to see if any employee is doing something that might compromise your company’s sensitive data. This includes leaving information on a screen and walking away.
  • Explain the importance of security to your staff, and encourage them to report any activity that seems suspicious.
  • After training and testing your staff, make a list of all the concepts that you want them to understand. Look at this list often and evaluate it again and again to see if anything needs to be changed.
  • Don’t forget company officers. When company officers are omitted from this kind of training it poorly reflects on the organization. Some security personnel are afraid to put their Executives on the spot. That is a huge mistake. Security starts from the top.

Remember, there is nothing wrong with sharing tips with your staff. Post them around the office and keep reminding them to stay vigilant. This helps the information remain fresh in their minds, and helps you to recognize those who are taking security seriously.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

10 Surefire Staff Security Awareness Techniques

Think about how great this would be: Imagine that all of your company data is safe from hackers. Your hardware is totally safe and secure. You have IT specialists at your disposal at all times and have a constant flow of cash to pay them.

Unfortunately, this is a fantasy for most of us. No matter how secure we think our network is or how much we pay our IT people, there is always a chance for a data breach. Does this mean we should stop the fight, though? No way.

Instead of throwing in the towel, it’s very important that you start focusing on security awareness, and this starts with teaching your staff how to handle sensitive company data and keep it safe from the bad guys. Here are some strategies that might work to get the message across:

  • Make sure that every employee on your staff understands how important security is, especially at their own workstation. Each employee you bring on in the future should also be instructed in this before being allowed to access the company’s network.
  • Safety, security and privacy policies must be in place and must address all the necessary concerns required to keep all data in check. Review these policies with new and current employees.
  • Set up some fake “phishing” emails to see if any of your staff take the bait. This fake set up will get the point across to your staff without putting your network at risk.
  • Some organizations adopt a policy that terminates any employee involved in a data breach, as an incentive to keep company information safe. Use this with care: it sits uneasily with the education-first approach described above, and employees who fear dismissal tend to hide mistakes instead of reporting them quickly, which is when a breach is cheapest to contain.
  • Install software onto your network that can detect when your staff is doing something that they shouldn't be doing. This software isn't meant to discipline staff. Instead, it's meant to alert them when they are doing something dangerous that could put sensitive information at risk.
  • Make sure your staff understands all of the cyber-attack warning signs. This way, they can easily spot anything suspicious.

Maximize Security Awareness in the Workplace

Here are ten ways to further maximize security awareness in the workplace:

  1. Create a Baseline – Before you can get any type of awareness training going, it’s important to know where you stand. So, do something like a fake phishing email and see how many employees fall for it. This way, you know how much work you have ahead of you.
  2. Remain Realistic with Social – Thinking that you can totally ban any activity that puts your network at risk, such as social media, isn’t very realistic. Instead, teach your employees to be careful when using these websites. Show them example after example of how social posting has gone south, ending in firings.
  3. Use the Right Tools – Stock your arsenal with the right tools. There are programs out there that can help with security awareness in the workplace. A quick search for “phishing simulation training” will turn up several.
  4. Use your Creativity – Even if you don’t have a lot of cash to use, you can still make this a fun learning process for your staff. For instance, if it’s Christmas time, hand out candy canes to your staff, but attach to each candy a small slip of paper with the company’s security policy printed on it.
  5. Get the Help of High-Ranking Execs – If you can get the execs to help you out, employees are likely to listen. How can you do this? Mention the term “return on investment” and relate it to your company’s security. You can be sure that this will get them moving. And remind them that company officers are being fired left and right when there is a data breach.
  6. Bring in Other Departments – It also is a good idea to bring in other departments to help with security awareness. Even people that might not be connected to your network, such as cafeteria or housekeeping staff, can be helpful. You should also make sure to involve your HR department, because they can usually encourage staff to follow policies. Accounting needs to have a say too.
  7. Evaluate Your Plan Often – Every 90 days, take a look at how your program is doing. This is quite effective. To avoid any type of information overload, you should take it slow, too. Perhaps only introduce security topics every three months or so, and then evaluate employee performance 90 days later.
  8. Provide Security “Appreciation” Training – This goes beyond security awareness training into the realm of the cultural and societal misconceptions, myths and inaccuracies that perpetuate a lack of accountability. Example: “It can’t happen to me” is total BS and is a form of denial that prevents people from being proactive.
  9. Personalize the Experience – Some employees won’t get serious about things until they are affected. So, make sure that your staff understands that security awareness is about them, too, not only the executives of the company. Make sure they also know that they can use the same practices at home to keep their personal information safe.
  10. Teach Them Actual Self Defense – Might sound crazy, but understanding how to save their own lives or the life of a loved one in the event of a physical attack provides an enormous amount of perspective. This is one simple way to open one’s mind on the value of security.


Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data

Do you have employees who bring mobile phones to work and use those devices on the corporate network? Do they store company data on these “bring your own devices” (BYOD)? Does your company have a policy in place for this?

First, the moment a person brings their personal phone to work, a fusion of personal and business tasks occurs. And, equally as bad, company-issued devices are used for personal purposes as much as, if not more than, the employees’ own devices. Not sure you believe this? Here are some stats:

A recent survey asked 2,000 office workers about their habit of using their personal mobile devices at work. Here’s what it found:

  • 73% of people admit to downloading personal apps to tablets they got from their company.
  • 62% of people admit to downloading personal apps to mobile phones they got from their company.
  • 45% of people admit to downloading personal apps to notebooks they got from their company.
  • The people who were most likely to do this were in the 25 to 38-year-old age group.
  • 90% of people use their personal mobile devices to conduct business for work.

As you can see, a lot of people are using their mobile devices on the job, and this could put at risk not only your company data, but also the data associated with your clients. Do you have a plan to minimize, or even eliminate, the amount of sensitive company data left wide open to hackers?

Solutions to Keep Sensitive Business Information Safe

Decision makers and business owners should always consider their personal devices as equal to any business device. You definitely don’t want your sensitive company information out there, and this information is often contained on your personal mobile or laptop device. Here are some things that you can do to keep this information safe:

Give Your Staff Information About Phishing Scams

Phishing is a method that cybercriminals use to steal data from companies. Studies show that it is extremely easy for even the smartest employees to fall for these tricks. Here’s how they work: a staff member gets an email with a sense of urgency. Inside the email is a link. The body of the email encourages the reader to click the link. When they do, they are taken to a website that either installs a virus onto the network or tricks the employee into giving out important company information.

Inform Your Staff that the Bad Guys Might Pose as Someone They Know

Even if you tell your staff about phishing, they can still get tricked into clicking an email link. How? Because the bad guys make these emails really convincing. Hackers do their research, and they are often skilled in the principles of influence and the psychology of persuasion. So, they can easily create fake emails that look like they come from your CEO or a vendor, someone your staff trusts. With this in mind, it might be best to create a policy where employees are no longer allowed to click email links. Pick up the phone to confirm that the person who sent the email, and whatever it is requesting, is legitimate.
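The impersonation described above usually leaves traces in the mail headers: a trusted display name paired with an outside address, a domain one character off from your own, or a Reply-To that quietly redirects the conversation. The following is an added example (not from the original post) of a mail-gateway style check for those three signs; the executive name, addresses, domains and sample messages are constructed placeholders.

```python
import email.utils
import re
import unicodedata

# Constructed placeholders: names staff trust and the addresses they really use,
# plus the company's own mail domains. Replace with your organization's values.
TRUSTED_NAMES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAINS = {"example-corp.com"}


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and punctuation, collapse spaces."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", text.lower())).strip()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as c0rp vs corp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(headers: dict) -> list[str]:
    """Return the reasons an inbound message looks like executive or vendor impersonation."""
    findings = []
    display, addr = email.utils.parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. A trusted person's name on an address that is not the one we know for them.
    expected = TRUSTED_NAMES.get(normalize_name(display))
    if expected and addr != expected:
        findings.append(f"display name '{display}' used with unexpected address {addr}")
    # 2. An external domain that is within two edits of one of our own domains.
    if domain and domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if 0 < edit_distance(domain, internal) <= 2:
                findings.append(f"lookalike domain {domain} resembles {internal}")
    # 3. Replies silently routed somewhere other than the visible sender.
    _, reply_addr = email.utils.parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    return findings


# Constructed sample messages: one legitimate, three showing one warning sign each.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>", "Reply-To": "jane.doe.ceo@gmail.com"},
    {"From": "Accounts Payable <billing@example-c0rp.com>", "Reply-To": "billing@example-c0rp.com"},
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "urgent-request@mail-example.net"},
]
```

A message with any finding is a candidate for the phone-call confirmation the policy above calls for, rather than something to act on from the inbox.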

Teach Employees that Freebies aren’t Always Goodies

A lot of hackers use the promise of something free to get clicks. Make sure your staff knows to never click on an email link promising a freebie of any kind.

Don’t Buy Apps from Third-Party Sources

Apps are quite popular, and there are many that can help to boost productivity in a business setting. However, Apple devices that are “jailbroken” or Android devices that are “rooted” are outside of the walled garden of their respective stores and susceptible to malicious viruses. Make sure your employees know that they should never buy an app from a third-party source. Only use the official Apple App Store or the Google Play Store.

Always Protect Devices

It’s also important that you advise your employees to keep their devices protected with a password. These devices are easy to steal since they are so small. If there is no password, there is nothing stopping a bad guy from getting into them and accessing all of the accounts that are currently logged into the device.

Install a Wipe Function on All Mobile Devices Used for Business

You should also require all employees to have a “wipe” function on their phones. Even if they are only doing something simple, like checking their work email on their personal mobile device, it could get into the wrong hands. With the “wipe” function, the entire phone can be cleared remotely. You should also require employees to use the setting that erases the phone after a set number of password attempts.

Require that All Mobile Devices on the Company Network Use Anti-Virus Software

It’s also important, especially in the case of Android devices, that all mobile devices on the network have some type of anti-virus software.

Do Not Allow Any Jailbroken Devices on Your Company’s Network

Jailbroken devices are much more vulnerable to viruses and other malware. So, never allow an employee with a jailbroken phone to connect to your network.

All Employees Should Activate Update Alerts

One of the easiest ways to keep mobile devices safe is to keep them updated. So, make sure that all employees have update alerts enabled, and make sure that they are updating their devices when prompted or automatically.

Teach Employees About the Dangers of Public Wi-Fi

Finally, make sure your staff knows the dangers of using public Wi-Fi. Public Wi-Fi connections are not secure, so when connected, your devices are pretty open. That means, if you are doing things that are sensitive, such as logging into company accounting records, a hacker can easily follow. Instead, urge employees to use a VPN. These services are inexpensive and they encrypt data so hackers can’t access it.
