As you reflect on 2016, it is hard to look back without remembering the many public incidents of cybersecurity issues. Given the complexity of this ongoing environment, more money and time will be spent in order to better respond to this situation.
However, that is not enough. It is important that your employees are well-trained and equipped to protect your clients, your firm and even their own private information. It can be overwhelming, so let’s focus on how you can help your employees better understand their role in identifying threats and preventing cybersecurity attacks.
Email is still the most common channel for cyberattacks. Most of us can easily spot fraudulent requests when there are misspellings or grammar issues in the message. Unfortunately, fraudsters’ efforts continue to evolve. You might be thinking “been there, done that” on this threat. However, it is critical for your employees to understand what to look for, and to review every email request very carefully — even if it looks like it is from someone you know well.
For example, it is important to look for any errors or inconsistencies in the sender’s email address. It could list FedEx as the sender, but the actual sending email address is unrelated to the name displayed. Be suspicious of internet links included in the email, especially if the URL has been shortened using a service like Bitly. You must know where the link actually directs you before you click on it.
Finally, there are many tasks that you should never do by simply following an email’s instructions, especially requests that were unexpected. If you receive an email from a company you do business with requesting you to change your password but you didn’t ask for it, don’t respond by following the email’s instructions. Instead, go to the provider’s website by typing the URL into your browser as you normally do to log in to the system, or contact the provider directly.
Another frequent cybersecurity attack that your employees should be aware of is what’s known as “scareware.” Scareware is a malicious computer program generally packaged in a browser window popup that is designed to influence the user into downloading unnecessary and potentially dangerous software.
What is alarming is that the scareware program is often branded with familiar product logos such as McAfee, Norton or Microsoft. Your employee could easily misinterpret the scareware message as a notification from their antivirus software. Once downloaded, the scareware may access and infect the user’s computer, their network and possibly cause other harm. To prevent a scareware attack, it is important that every employee knows the type of the antivirus program installed on their computer. If I know that Norton is installed on my computer, I shouldn’t expect to see messages from other brands.
If employees do receive a security warning, they should evaluate what they were doing before taking any action. Were they on a website or opening an attachment? This information is important to evaluate whether the message is legitimate. Encourage employees to ask for help if they’re unsure about a warning. Just like other threats in our world today, if you see something, say something.
The extensive adoption of social media unfortunately has also increased the distribution of viruses. Considering this risk, some firms have blocked access to social media platforms using company-owned computers. This might sound extreme, but given the wide adoption of smartphones, firms have found that employees can easily use their personal devices instead of company computers for staying connected. If this policy won’t work for your firm, be sure to have clear rules and policies with regular training for employees accessing social media platforms using company resources. Your employees’ roles in preventing cybersecurity threats is all about being alert and cautious in how they use technology. If they do notice an attempted attack, be sure to discuss it with all of your staff.
Fraudsters are going to keep trying new attacks, and part of their hope is to find an uninformed target to exploit.
--- Read Advisors' Low-Tech Cybersecurity Action Plan on ThinkAdvisor's TechCenter.