It seems like every day, there’s another cyber attack being performed on a large corporation. For example, Google recently shut down its unpopular Google Plus feature after a leak revealed the company had failed to disclose a cyber security vulnerability that lasted for around three years. But it’s important to remember that it’s not just the big businesses that have to worry. In fact, around 55% of small- to medium-sized businesses were victims of cyber attacks within the last year. That means it’s essential to be vigilant about protecting your company, your employees, and your customers.
While female employees commit around 51% of embezzlement crimes, financial threats that come from outside your company are typically a greater concern. These threats come in various forms, and with the rapidly evolving internet, it may be hard to keep up with the latest. The FBI just released a statement warning businesses about an email scam that aims to obtain employee identification information in the hopes of stealing your directly deposited paycheck.
Phishing emails are still incredibly common, despite how long they’ve been around. Electronic payroll scams are becoming more popular with each passing year. According to the FBI, it has handled 47 such cases since July, worth more than $1 million. In order to avoid email phishing scams, FBI officials say employee training is essential. Workers should learn to hover their mouse cursors over hyperlinks (particularly those included in emails) before clicking so they can view the actual URL first and verify whether it’s legitimate. Employees should also be taught to avoid supplying login or personal information in emails of any kind. Businesses should set up an account specifically for suspicious requests; employees should be instructed to forward any suspicious emails they receive to this account, which should be monitored by the IT or HR departments. Businesses should also take care to diversify login information. Payroll credentials should be completely different from the credentials used for other systems, and they should be changed regularly.
As Neil Walsh, head of global cyber crime for the United Nations, explained to SmallBusiness.co.uk: “Businesses can have the best technology available in an attempt to prevent fraud, but the weakest link in any business is the human element… Where new threats emerge, technology is not able to respond quickly enough to prevent them, and this is why employees must be educated as they are typically the route in for criminals to expose a host of issues for businesses.”
IBM estimates that 95% of successful cyber attacks occur due to human error, which means that even if you have taken technological precautions, they probably won’t help if you haven’t trained your staff properly. The human component is why another cyber threat, malware, is often so devastating. The lack of employee awareness surrounding malware threats tends to have dire consequences. When sent via email, ransomware links do even more harm than phishing scams. Instead of obtaining your login info, a criminal will convince you to unknowingly download a program that blocks your access to a computer system (or sometimes to an entire network) until a payment is made to regain access. There are also trojans, worms, rootkits, and keyloggers that can capture essential information and prohibit employees and business owners from accessing what’s rightfully theirs.
There are also malicious phone apps that masquerade as legitimate ones in both Google’s and Apple’s stores. Even scarier, some criminals are carrying out what are called “social engineering attacks” to find another way in.
Many workers rely on social media to do their jobs or to find those jobs in the first place. After all, 93% of recruiters look at candidates’ social media profiles. Unfortunately, those everyday activities can make companies vulnerable to cyber onslaughts. Social engineering attacks involve deceiving individuals into providing access to confidential data and protected systems; typically, criminals will use social media monitoring combined with phishing emails to get what they’re after.
When one security company conducted a simulated attack, they needed only one week to gather the necessary information on employees from their LinkedIn profiles to contact them and pretend to be from IT. They requested these employees perform computer updates — and many employees did exactly that, except that the “updates” were actually dubious software downloads. None of the employees questioned the legitimacy of the emails from the “IT department,” showing just how easy it is for hackers to gain access to nearly all the computers within the company’s network. Notably, before this experiment, the business in question showed no signs of cyber vulnerability.
Here, employee education is a top priority, too. The network itself wasn’t vulnerable, but it was human error that allowed the security company (posing as hackers) to gain access. To protect your business against social engineering attacks and other cyber security threats, the company recommends that employees refrain from publishing company information on social media, from accepting social media requests from people they don’t know, and from posting photos of their desk or workspace online (which could reveal details about the tech you’re using and your location). The company adds that workers should never conduct updates on their work computer system, even if the caller or user claims to be from IT, nor should they turn off vulnerability scanning on their computer. Passwords should never be saved in an unencrypted format, either.
If you’ve taken the time to create a virtual fortress for your business’s cyber security, consider that the technology won’t do its job without help from us. If we aren’t smart about protecting our data against potential threats, all those bells and whistles won’t mean much in the end.