In the news this year, employees in the payroll departments at Sprouts Farmers Markets and Seagate, among other companies, fell victim to a scam in which an email appeared to come from an executive within the firm. These emails asked the employee to send the W-2 forms of multiple employees to the scammer posing as a high-level executive. In too many instances the employee(s) complied.
This security breach resulted in thousands of employee records falling into the hands of cyber criminals and cost the companies involved undue expense in providing credit monitoring for all affected employees, not to mention the negative publicity, disrupted employee morale and even litigation that followed.
Could your company fall prey to a scam like this one?
Small and medium-sized business owners may think that they will not be targeted by cyber criminals because they are small-beans compared to the large multi-national banks, corporations and governments we all hear about on the news, but the truth is “Many hackers use automated tools that do not discriminate between small and large businesses, so even the smallest of businesses will eventually be attacked,” said Nitzan Miron, principal web application security engineer and product manager at Barracuda.
Fortunately, we can glean important tips from these events to help us keep our businesses safer from cybercrime. Creating well-trained and educated employees may be our first line of defense.
Below is a quick list to get you started on a security protocol for your business:
1. Talk to your employees about to whom and how sensitive information is to be requested and disseminated via email.
2. Everyone at your workplace should ask themselves this question before hitting ‘SEND’: “Would I want this email read to a judge or a jury?” Unless the answer is an unequivocal “Yes”, do not send it. Email is a powerful communication tool. It’s also very permanent and you can not assume any email communication is private.
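The W-2 scam described above works because the message only looks like it comes from an executive. As an added example that is not part of the original post, the check below screens an incoming message for the tell-tale signs: an executive's display name on an outside address, a Reply-To that routes answers elsewhere, and a request for payroll data. The company domain, executive names and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data: the company's own domain and the display names of
# executives whose identity a payroll scammer would impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "wire transfer")


def assess_message(raw: str) -> list[str]:
    """Return the warning reasons for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    reasons = []
    # The visible name claims to be an executive, but the address is external.
    # (A compromised internal mailbox would pass this check; it is a screen,
    # not proof of legitimacy, so the approval step in the text still applies.)
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name with external sender domain")
    # Replies would go to a different domain than the one shown in From.
    if reply_addr and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # The body asks for the kind of data the scam is after.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(term in text for term in SENSITIVE_TERMS):
        reasons.append("request mentions payroll data")
    return reasons


# Constructed sample messages: one lookalike request and one ordinary note.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: ceo.office@freemail.example
To: payroll@example.com
Subject: Urgent request

Please send me the W-2 forms for all employees as a PDF today.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch

Are we still on for the team lunch Friday?
"""
```

Any message that returns one or more reasons is a candidate for the "call the executive back on a known number before sending anything" step, rather than an automatic block.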
1. Long, multi-word phrases are easier to remember and harder to decode than shorter complicated passwords.
2. Do not communicate passwords or usernames via email.
3. Require employees to change passwords at regular intervals.
4. Consider implementing company-wide use of a password manager like LastPass or Dashlane.
1. Perform those pesky software and web platform updates. “Most platforms will offer an automated feature that checks for upgrades and helps you through the upgrade process,” said Miron. He advised small business owners to take time to regularly check for updates and install them as recommended.
2. Serve your website over HTTPS, especially any pages that collect information or passwords. “HTTPS encrypts traffic so that attackers cannot eavesdrop and intercept your passwords or other information,” said Miron, who advised small business owners to obtain an SSL certificate in order to implement HTTPS.
3. For any system or network that contains sensitive data, it’s advisable to add, at a minimum, two-factor authentication (2FA). This way, if a password is compromised, for example, a hacker would still need an additional piece of authentication to gain access.
Train, Train, and Train Again
1. Make it a priority and meet about security regularly.
2. Include protocols in your employee manual.
3. Employees should never be reprimanded for taking extra security measures or requesting additional approvals before releasing sensitive information.
4. Create a work atmosphere in which security is rewarded as much as productivity. Even hard-working employees may skip security protocols if they feel it affects their productivity, so make sure everyone knows that security is part of everyone’s job.
Some information and quotes for this blog post came from the following sources: