By Aaron Boigon
So, there was the time that your company had a presentation about the dangers of phishing during a staff meeting … Oh. You didn’t?
A training session on phishing doesn’t need to be boring — YouTube is full of examples of ways to do it well — and the subject needs to be addressed regularly at any company that cares about its security, its finances and its reputation.
Hackers increasingly target small businesses, and they are growing substantially more sophisticated in the phishing techniques they use. It’s less common these days for a hacker to distribute thousands of phishing e-mails in hopes that one or two of the potential victims will unwittingly provide access to a company’s computer files. Instead, hackers take the time to learn a little about a business and its owners so that they can make a phishing expedition that looks plausible to the recipient.
Hackers, after all, are motivated by the same calculations of return on investment as any business owner: Sledgehammer techniques to break into a company’s files can be expensive and time-consuming. A well-crafted phishing expedition can result in a company insider opening the files — sometimes even gladly opening the files — with less work and hassle for the hacker.
This is the most important thing to remember to protect against phishing: The hacker relies on the trust, quick efficiency and the desire to be helpful that you love so much in your employees. It’s your job to make staff members more careful — suspicious, even — about rushing to help.
The best training starts in the mindset of the owner and top manager. Keep IT security as a priority. You wouldn’t think of leaving your company’s office or storage yard unlocked when everyone is gone, and you take steps to secure your premises. Approach your IT — an even more valuable asset — with the same concern.
Plan an annual training session about phishing. A major upgrade in technology or a wave of employee turnover also would provide good opportunities for training.
Here are five issues to discuss with your management team and staff:
- Consider password management systems, the tools that generate and store a separate, complicated password for each account. Some folks continue to use passwords such as “1234” or “Password.”
- Establish clear protocols to control access on shared computers.
- Have an established process to protect your system when an employee leaves. Then follow it.
- Change your assumptions about e-mail. Don’t assume that every piece is legitimate. Take at least a nanosecond to ask whether it might be fake. Trust your intuition and don’t open links or attachments that feel questionable.
- Go to the source. If an e-mail includes an embedded link, don’t use the link. Instead, type in or bookmark the Web site address that you know to be legitimate. If an e-mail from a supplier looks bogus, create a new e-mail to the address you already have on file and ask your contact at the company whether they sent you a message.
Technology, much of it highly affordable, can support the good practices and good training at your company. E-mail encryption is a highly effective solution that’s available at a reasonable cost. E-mail filters are a common offering in most e-mail services, but their default settings can be strengthened. Password management software is a good idea. Anti-virus software provides another layer of protection. Many companies will want to make sure their firewalls provide sufficient protection. And, of course, regular backups of critical data provide some measure of comfort should the worst happen — a catastrophic ransomware attack, for instance.
Although many of these systems are very user-friendly, it makes sense in most instances to get the help of an IT professional to select and install the technology. If software isn’t set up and maintained properly — say, the licensing agreement is allowed to expire — it won’t provide any protection at all. Plus, it’s always good to have a relationship with an IT professional who is ready to help when your company needs it.
One more important step an owner or manager can take is creation of a company culture in which employees aren’t afraid to acknowledge that they made an error. If a staff member mistakenly clicks on a link in a phishing attack, mere minutes can make a big difference. If they go home for the weekend and worry whether they should tell someone, the damage will be done.
Got it? Then train, and talk about the dangers, and share stories and train some more. Phishing attacks are out there. You can turn them away.
Aaron Boigon is the Executive Vice President and Chief Information Officer for Plumas Bank