Forget the IT Guys, the Secretary Is the Security Gatekeeper
When we think of cyber security, we’re probably envisioning a team of highly skilled tech experts who monitor a network at a vast bank of computer screens. While those guys are charged with keeping viruses out and company information in, the real watchdog might actually be the smiling face at the front desk.
More and more companies are learning—too often, the hard way—that the security guys are only part of the anti-data breach equation. With the growing numbers of boss phishing attempts, spoofing, and emailed viruses, anyone from the CEO to the custodian can be the weak link in the chain.
Here is a breakdown of those key threats:
Boss phishing, the first of these, is a rampant form of attack that works for one very important reason: when the boss tells you to do something, your job usually depends on doing it. Using either a copycat email address (like Amaz0n.com instead of Amazon.com, for example) or by actually hacking into the boss’ email account, thieves contact someone within the company and make an odd but not unheard of request. It might be to send over W2 forms for everyone in the company, send back the payroll records for the past three years, or even to change a password or divert funds into a new account number.
Again, the boss said to do it, so the employee complies. Horrifying numbers of companies and organizations have already fallen victim to this form of attack, compromising countless numbers of victims’ personal information.
Spoofing, the second tactic, can actually be used in the scenario above, but it doesn’t have to be the boss. A scammer can pose as a vendor the company uses, a third-party contractor, the utility company or the Yellow Pages, or any other business-related entity. By pretending to be from that company, the scammer can steal funds or information, depending on what they ask for.
A very common spoof tactic is to send a fake invoice. The scammer faxes or emails an invoice to someone within the company, and the recipient pays it without investigating further. Why? Because that company sends invoices on a regular basis, and today is no different. The only difference is the person sending the invoice isn’t actually from the vendor.
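The copycat sender addresses described in both the boss-phishing and vendor-spoofing sections (Amaz0n.com standing in for Amazon.com, or a vendor's name wrapped in an unrelated domain) can be screened mechanically before an invoice or request reaches a person. The following is an added example, not code from the article or from any product it mentions; the trusted-domain list, the homoglyph table and the sample addresses are constructed for illustration, and the matching rules are deliberately simple heuristics.

```python
import re

# Constructed list of domains this company legitimately deals with (assumption for the example).
TRUSTED_DOMAINS = {"amazon.com", "example-vendor.com"}

# Character swaps commonly used to build copycat domains; "0" for "o" is the article's Amaz0n example.
# These are heuristics: normalization is only used for comparison, never to rewrite the address.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def sender_domain(address: str) -> str:
    """Extract the domain from a bare address or a 'Display Name <user@host>' header value."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.strip().rsplit("@", 1)[-1].lower()


def normalize(domain: str) -> str:
    """Undo the usual digit/letter substitutions so Amaz0n.com compares equal to amazon.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a sender address."""
    dom = sender_domain(address)
    # Exact trusted domain or a subdomain of it (mail.amazon.com) is genuine.
    for t in TRUSTED_DOMAINS:
        if dom == t or dom.endswith("." + t):
            return "trusted"
    norm = normalize(dom)
    for t in TRUSTED_DOMAINS:
        # Homoglyph swap or a single-character typo of a trusted domain.
        if norm == t or levenshtein(norm, t) <= 1:
            return f"lookalike:{t}"
        # Trusted brand label embedded in an unrelated domain (amazon-billing.net).
        label = t.split(".")[0]
        if len(label) >= 5 and label in norm:
            return f"lookalike:{t}"
    return "unknown"


def screen(addresses):
    """Classify a batch of sender addresses; anything 'lookalike' should be held for verification."""
    return {a: classify(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "ceo@amazon.com",
        "Accounts <billing@Amaz0n.com>",
        "payments@amazon-billing.net",
        "ap@amazom.com",
        "alerts@mail.amazon.com",
        "joe@gmail.com",
    ]
    for addr, result in screen(samples).items():
        print(f"{addr:35} {result}")
```

A "lookalike" verdict does not prove fraud; it is the trigger for the out-of-band confirmation the article recommends later, and the heuristics (short brand labels, the rn/m swap) will produce some false alarms that a human still has to resolve.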
Many forms of malware can be sent through email. In the good old days, malware was sent as a Word document attachment because Word relies on macros where the virus can hide. Clicking the little paperclip icon and opening the attachment would automatically install the virus.
Once that trick became widely known, hackers switched to sending malicious software as a link. Getting someone within the company to click the link wasn’t hard at all—“look at these photos of you!”—and then the entire network was infected with the virus. This is the mechanism that hackers used in the now-famous Target data breach, as they attacked a third-party HVAC company that some store locations used for refrigeration service.
Macros are making a comeback, though, since word has gotten out about the harmful links, and because many new hires are too young to have been warned way back when about opening attachments.
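Because the macro trick depends on the document carrying a VBA project, a mail gateway or help desk can check for that container directly instead of trusting the file extension. The following is an added example, not code from the article; modern Office files are zip archives, and the VBA code lives in a member named vbaProject.bin, so the check opens the attachment in memory and looks for that member. The sample attachments are constructed stubs, not real Word documents.

```python
import io
import zipfile

# Extensions whose format explicitly permits macros. A plain .docx cannot carry VBA,
# but a macro-enabled file renamed to .docx still contains vbaProject.bin, so the
# content check below runs regardless of extension.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Legacy binary (OLE2) formats can hold macros but are not zip files; this check cannot see inside them.
LEGACY_BINARY_EXT = {".doc", ".xls", ".ppt"}


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip-based Office file containing a VBA project member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def verdict(filename: str, data: bytes) -> str:
    """Decide what to do with an attachment based on its content first, extension second."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "quarantine: embedded VBA macro project"
    if ext in MACRO_ENABLED_EXT:
        return "quarantine: macro-enabled file type"
    if ext in LEGACY_BINARY_EXT:
        return "review: legacy binary Office format (macros not detectable by this check)"
    return "allow"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal zip that mimics an Office document's layout; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a renamed macro file, a clean file, and a legacy binary stub.
    print(verdict("invoice.docx", build_sample(True)))
    print(verdict("report.docx", build_sample(False)))
    print(verdict("old.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 8))
```

The first sample is the case the article warns about in disguise: a macro-carrying file named to look harmless is still caught because the check inspects content rather than the name. Legacy .doc files get a "review" verdict rather than "allow" precisely because this check cannot see inside them.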
So how do you protect your company and keep the IT department from fighting a daily battle? Educate everyone within the company—again, from the top executives to the staff emptying the trashcans at night—on good security measures. Establish company policies on how to respond to any kind of request for information, such as a verbal confirmation over the phone no matter who made the request, and make sure those policies are kept up-to-date and enforced. Alert your team members to the latest scams and hacking attempts, and make sure everyone knows how to recognize a data breach attempt. Finally, establish a step-by-step guideline for what to do the moment a breach is suspected since early action can minimize the damage.