When your computer crashes or your phone gets stolen, your life is left in the lurch until you replace it. Losing a device leaves you disconnected from the rest of the world and without your vital lifeblood: technology. Maybe we’re being a bit dramatic, but devices now manage everything from contacts to bank accounts. Your device is the portal through which you communicate with friends, family, and the people you work with. Replacing a device is costly, but you can’t put a price on the data you hold in it. Consider how much worse it would be if someone got hold of the data you can access with that device: bank accounts, passwords, emails, photos, correspondence with friends, and more. This is precisely why security is important.
Talking about security is never going to make you fun at parties, but it's important to know enough to protect your data and secure your digital life. The most important thing to understand about digital security is that it's always changing, so what is relevant information now will need to be revised just a few months from now. However, just knowing a bit about the common attack vectors and how to protect yourself will put you way ahead of the crowd. We’re in the business of recognizing and eliminating threats for our customers, so you can rest easy. For the purpose of simplicity, when we say device, we are referring to whatever electronic device you are using to communicate and get things done: phone, tablet, laptop, desktop, etc. This blog is part of a series on security. Today we’re going to focus on basic steps to protect your data as well as spam and social engineering.
THEFT, LOSS, & WHY YOU SHOULD ENCRYPT
We've seen it all when it comes to theft. Our clients have had their laptops stolen from cars, airports, coffee shops, and more. Smash and grabs at the office are more common than you would think. So far, we haven't seen any targeted attacks after a theft. Usually it is just someone looking to make a quick buck on the stolen hardware and wipe the data clean. If this is the case, the best you can do is insure your device so that the financial burden of replacing it is lower. For smartphones, this is usually done through your phone service provider. When it comes to expensive laptops, the most affordable option is generally to contact your business insurance provider to add a rider that covers the device both inside and outside the office. If that doesn’t work, Squaretrade is also an option.
More important than the physical device, however, is what’s on it. Luckily, most people steal your device with the intention of selling it and they don’t care too much about what is on it. If someone is after the contents of the device, however, you have more to worry about and should be taking proactive measures to protect yourself.
- Use a strong password: Password, 12345, or your cat's name are not acceptable. Take a second, and test the strength of your go-to password here to see how you compare. Ideally, your employees should use a password manager, and every password across your devices & accounts should be a unique, random blend of upper & lower case letters, numbers, and symbols.
- Encrypt your devices: All company computers can be encrypted so that even if a computer or hard drive is stolen, an attacker cannot get at the data. We recommend built-in BitLocker for Windows (requires Windows 7 Ultimate or Windows 10 Pro) and FileVault for Mac.
- Back up your data: Your company should have a secure, cloud-based solution for keeping and backing up files, no exceptions. We offer several options to fit the size and needs of your team.
While many devices, such as iPhones, come with software that allows you to track the location of your device and wipe it remotely, we have never had a situation where this or LoJack has actually helped recover the lost or stolen equipment. When a device is stolen, it never comes back online to receive the wipe commands. It's best to just be safe from the get-go.
SPAM. NOT WHAT’S FOR DINNER.
Spam, in simplest terms, is unwanted ads, commercial email messages, and more sent en masse. At best, spam is a great way to slow you and your employees down with clutter that utilizes IT resources. At worst, spam, especially via email, is one of the most effective ways to infiltrate and infect your computer with malware & spyware, which we will cover in upcoming blogs.
Most people have no qualms about giving out their email address, opening an email from an unknown sender, or communicating with an untrusted email account - which is exactly why email is so effective for spreading viruses. Spam can also be a vehicle for phishing, an activity which tricks users into providing sensitive information by posing as a secure entity. Compromised email accounts are often used to send spam messages and conduct phishing attacks using otherwise trusted email addresses. In short, you don’t want spam.
You can prevent spam to some degree by never posting any email address you care about online, even if your privacy settings allow only your friends to see your social media accounts. Spammers often use computer programs to comb the web for email addresses to target, so it is best to avoid being caught in their net. However, the chances are high that you are already on a spam list somewhere. Even trusted services like Adobe sometimes leak email addresses or other sensitive information accidentally. While this is an unfortunate fact of life, you have options to protect yourself. Most email services have spam filters built in. Gmail’s spam filters are the best of the major email services, which is one of many reasons we love G Suite, formerly known as Google Apps. If you aren’t using G Suite or you need more robust filtering there are also a variety of third party applications, such as Proofpoint, that we use for our clients to suit their needs and budget.
A few months ago one of our clients’ employees received a call from someone claiming to be tech support. The anonymous technician said there was a virus on the employee’s computer and they needed to get remote access to fix the problem. The employee promptly went to the link provided by the tech support rep, followed their instructions, and within seconds the person on the other end of the line had access to his computer. This employee’s computer was connected to the company network, so the attacker was able to spread a virus to the entire company within minutes. This is social engineering.
Social engineering is the art of manipulating people so they give up confidential information. The types of information attackers are seeking can vary, but when users are targeted they are tricked into giving up passwords, bank information, addresses, or other compromising data. Even more commonly, hackers will manipulate customer service representatives into giving up your information by accident. Attackers may also try to gain access to your computer to secretly install malicious software that will then provide access to your passwords, bank information, and more while giving them control over your computer.
Attackers use social engineering tactics because it is usually easier to exploit your urge to trust than it is to discover ways to hack your software. A common social engineering attack is email spoofing, in which one person or program successfully masquerades as another by falsifying the sender information shown in e-mails to hide the true origin.
The trouble with social engineering is that no system is ever 100% secure against it. However, there are options for your organization to be more secure. These are some simple steps you should be implementing anyway, because the effort to set them up is minimal, and the rewards are great.
- Two-factor authentication: Adding a second layer of authentication will prevent many would-be attackers from getting into your core systems, like email, even if they know your password. Most major workplace applications, like Google and Slack, will allow you to set this up for free for every person in your organization. At the very least, this should be mandatory for employees with administrative authorization.
- SPF record: Attackers will often send emails to your own staff or customer base that appear to come from other members of your staff. An SPF record on your domain can help prevent some of these messages. This is something we do for all of our clients.
- Training: Training your staff is the best thing you can do to reduce the security risk of the human element. We can deploy a mock social engineering attack on your staff, analyze the results, and report our findings in order to identify holes in your security system. Not only that, but we can also set up a time to train everyone in your organization how to recognize social engineering attacks.
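To show what an SPF record actually does for a receiving mail server, here is an added example (not code from the original post) that evaluates a sending IP against a constructed SPF TXT record for a hypothetical domain. It handles only the ip4/ip6 and all mechanisms, so mechanisms that need DNS lookups (include, a, mx) are rejected rather than guessed.

```python
import ipaddress

# Constructed sample record for a hypothetical domain (not from the post):
# only the two listed address ranges may send mail; everything else fails.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"

# SPF qualifiers and the result a receiver reports when a mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def check_sender(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Mechanisms are tried in order; the first match decides, and 'all' is
    the catch-all. An IPv4 sender never matches an ip6 range and vice versa.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULTS[qualifier]
        elif name == "all":
            return RESULTS[qualifier]
        else:
            # include/a/mx/exists require DNS; this offline example stops here.
            raise NotImplementedError(f"mechanism '{name}' needs DNS lookups")
    return "neutral"  # record had no 'all': RFC 7208 default result


if __name__ == "__main__":
    for sender in ("203.0.113.45", "198.51.100.7", "192.0.2.10"):
        print(sender, "->", check_sender(SPF_RECORD, sender))
```

A record ending in `-all` tells receivers to reject unlisted senders outright, while `~all` only marks them as suspect, so the hard-fail form gives staff the most protection against mail spoofing their own domain.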
There is no way to be 100% secure, and not all security threats are intentional. Authorized users may inadvertently send proprietary or other sensitive information via e-mail, exposing the organization to embarrassment or legal action. Your entire organization can become compromised by one person opening the wrong email or forgetting to update their antivirus software. Many times, your organization is put at risk by the small holes that are easily overlooked. It's a lot of work to ensure everyone is using strong passwords, encrypting their devices, backing files up, using two-factor authentication, and trained on all the small steps that add up to a more secure system. Security is an entire job in itself, which is why it can be helpful to have someone else managing it for you. Click to schedule a time to talk about security.