When you go to work at your office, you expect to see any number of emails from colleagues within your organization, and depending on your role, you also expect to see emails from vendors and clients. That is how most communication is conducted in our digital world. However, cybercriminals have been able to infiltrate many organizations and have been able to send what appear to be interoffice emails or emails coming from colleagues, vendors and clients.

This means you simply don’t know which emails you can or cannot trust. For example, a U.S. company was defrauded of nearly $100 million when cyber thieves used an email address that resembled one of the company’s vendors. https://www.reuters.com/article/us-cyber-fraud-idUSKCN0XB2US

It doesn’t make it any easier that these emails can contain personal details about the people who receive them. Imagine how much more convincing such an email would be to open.

Sophisticated And Persistent

Today, cybercriminals are highly sophisticated, persistent and persuasive. In another recent case, a cybercriminal convinced a call center worker to give out a customer’s bank password over the phone! The owner of the account had multiple layers of security in place but couldn’t have imagined his information would be given out over the phone. https://www.csoonline.com/article/3190081/social-engineering/social-engineering-scam-targets-indian-call-center.html

The point is that you can no longer be cavalier in your attitude toward cybersecurity. If your company, no matter how small or large, has not kept pace with security measures, you are leaving yourself open to potential disruption and possibly ruin.

You simply never know where the threat to your business can come from. Another way data can be captured is by recording what is visually displayed on a laptop or mobile-device screen. This could happen when someone is working in a public setting, or when an attacker poses as a trusted vendor in an office or as a business associate in a foreign country and captures the data with a smartphone or recording device.

According to an article on darkreading.com, businesses need to take a three-tiered approach to protecting their information and customer data, covering technology, people and processes. I am including their helpful and important suggestions.

Three-Tiered Approach To Enhance Security

  1. Technologies: Security-perimeter controls like antivirus protection and intrusion-detection/intrusion-prevention systems remain vital. Also, use security intelligence tools to understand your security ecosystem and the potential risks you face. And encrypt data to make it unreadable, even if it’s stolen. Additionally, all laptop and mobile-device screens should be fitted with privacy filters. The filters black out the angled views of screens to help office workers and business travelers safeguard data from onlookers or even cameras.


  2. People: Provide ongoing training to educate workers about social-engineering threats, and about procedures for preventing or responding to them. Employees who regularly handle sensitive information are more likely to be targeted — including HR, sales, and accounting workers. They should be your company’s most knowledgeable workers about threats and procedures — and should be fully engaged to help identify threats.


For example, encourage workers to use the “Report email” or “Report as phishing” buttons that can be enabled in Microsoft Outlook. The feature gives workers an easy way to report suspicious messages so IT can take steps to mitigate their impact. IT managers can also monitor use of the button to track worker awareness and engagement over time.

If your company has separate IT and security teams, make sure there is a clear understanding about who is responsible for managing social-engineering threats. Any misunderstanding between these parties can lead to security gaps and a lack of accountability if an attack occurs.

  3. Processes: Policies that tell workers not to click on suspicious links or provide information to outside organizations go without saying. But make sure you also have procedures for workers to give you details about attempted attacks. This helps you investigate suspicious emails, URLs, and phone numbers, and better understand your vulnerabilities. As you review and refine your policies, always aim for simplicity. Overly complex security protocols can be too much for workers to remember and can fail.

You can read the entire article at:

https://www.darkreading.com/endpoint/it-managers-are-you-keeping-up-with-social-engineering-attacks/a/d-id/1332423
