Don’t just practice Social Distancing, Practice Digital Security

by Rick Goody

Posted on at 03:13pm

In the midst of the global coronavirus (COVID-19) pandemic, hackers and scammers are not letting a disaster go to waste: they have automated their coronavirus-related scams to an industrial scale.

We have seen a significant increase in online scams and phishing attempts. Scammers are taking advantage of the new normal (working from home) and the associated lack of physical contact with colleagues: a request that appears to come from a manager or co-worker, asking the recipient to buy gift cards, can no longer be checked by walking over to their desk. See ScamWatch for more information.

According to multiple reports, cybercriminals are now registering thousands of coronavirus-related websites every day. Most of these sites are used to host phishing pages, distribute malware-laced files, pursue financial fraud, or trick users into paying for fake COVID-19 cures, supplements, or vaccines.

Here are some simple practices you can follow, to keep yourself and your team safe online:

  1. Educate all employees
    • Employees often wear many hats at SMBs, so it’s essential that all employees accessing your systems be trained on your company’s cybersecurity best practices and your security protocols.
    • Policies evolve over time, as criminals find new ways to act. Provide regular updates on new protocols as they arise. Ensure your employees are accountable: that they understand your policies, and that they understand there may be consequences for non-compliance.
  2. Enforce safe password practices
    • Current password research flies in the face of practices that have been ingrained in people over the years. Microsoft's Password Guidance (and NIST SP 800-63B) recommend the following:
      • Require a minimum length of 8 characters, but do not mandate much more than that: a high minimum pushes users toward predictable patterns. Do allow long passphrases (NIST says systems should accept at least 64 characters).
      • Eliminate character-composition requirements (i.e., do not require a mix of symbols, uppercase, lowercase and numbers). They produce “P@ssw0rd1!”, not strength.
      • Eliminate mandatory periodic password resets for user accounts (no more 60-90 day password changes); force a reset only on evidence of compromise.
      • Ban common passwords: check every new password against a list of known-weak and breached passwords at the moment it is set, so the most vulnerable passwords never enter your system.
      • Educate your users not to re-use their work password for non-work-related purposes.
      • Enforce registration for multi-factor authentication.
      • Enable risk-based multi-factor authentication challenges.
    • Employees find password rules burdensome, yet credentials remain the attacker's main way in: the Verizon 2016 Data Breach Investigations Report found that 63 percent of confirmed data breaches involved weak, default, or stolen passwords.
    • According to the Keeper Security and Ponemon Institute report, 65 percent of SMBs that have a password policy do not enforce it. In today's BYOD world, it is essential that every employee device that accesses the company network be protected by a password or other screen lock.
  3. Regularly back up all data to multiple locations
    • While it is important to prevent as many attacks as possible, risks remain. The SBA recommends backing up documents, spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Include data stored in the cloud: providers rarely guarantee that they will recover your data for you, and a file deleted or encrypted on your side is often synchronised straight to their copy. Store backups in a separate location in case of disaster, and test a full restore regularly; a backup you have never restored from is not a backup.
    • The 3-2-1 rule is a great place to start: keep at least 3 copies of your data, on at least 2 different storage media, with at least 1 copy in a different location from the original. Keep that off-site copy offline or otherwise write-protected, so malware that reaches your network cannot encrypt the backup along with the data.
  4. Install anti-malware software
    • It’s easy to assume that your employees know never to open phishing emails, yet the Verizon 2016 Data Breach Investigations Report found that 30 percent of phishing messages were opened by their recipients (up from 23 percent in 2015), and 12 percent of recipients went on to click the attachment or link. Many of those links and attachments install malware on the employee’s computer, so anti-malware software belongs on every device. Note that it will not stop the other common variant, a spoofed login page that harvests the user’s password, which is why the password and multi-factor controls in this list matter just as much. Phishing attacks often target specific SMB employee roles, so use the position-specific tactics outlined in the Entrepreneur.com article “5 Types of Employees Often Targeted by Phishing Attacks” as part of your training.
  5. Use multi-factor authentication
    • Regardless of your preparation, an employee can still make a security mistake that can compromise your data. In the PC Week article “10 Cyber Security Steps Your Small Business Should Take Right Now,” Matt Littleton, East Regional Director of Cybersecurity and Azure Infrastructure Services at Microsoft, says that turning on the multi-factor authentication settings in most major network and email products is simple to do and provides an extra layer of protection. He recommends using employees’ cell phone numbers as the second factor, since it is unlikely a thief will have both the PIN and the password. SIM swapping (SIM-jacking) attacks do let a thief receive a victim’s SMS codes, however, so where the product supports it prefer an authenticator app or a hardware security key, neither of which can be hijacked through the mobile carrier.
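The banned-password check in item 2 is the one control on that list that has to be written rather than switched on. The following is an added example, not code from the article or from Microsoft or NIST: a Python password-set validator that applies only a minimum length, no composition rules, and rejects anything built on a banned term, including leet-spelled variants such as “P@ssw0rd2020!” and a caller-supplied list of context words (username, company name). The banned list here is a constructed, deliberately tiny stand-in for the large breached-password corpus a real deployment would load.

```python
import unicodedata

MIN_LENGTH = 8

# Constructed, deliberately tiny banned list. A real deployment loads a large
# breached-password corpus (hundreds of thousands of entries) into this set.
BANNED_TERMS = {
    "password", "welcome", "letmein", "qwerty", "123456", "iloveyou", "admin",
}

# Letter-for-symbol substitutions people use to dodge a banned list while
# satisfying old-style complexity rules.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def _fold(text: str) -> str:
    """Unicode-normalise and case-fold so 'PASSWORD' and a full-width
    'Ｐassword' compare equal to 'password'."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(password: str, context_terms=()) -> list:
    """Return the reasons a password is rejected; an empty list means it passes.

    Policy, following the Microsoft/NIST guidance in the article:
      * minimum length only, no composition rules (and expiry is not a
        property of the password, so it is not checked here)
      * reject anything containing a banned term, including leet-spelled
        variants ('P@ssw0rd') and digit/symbol padding ('Welcome1!')
      * context_terms lets the caller add the username, company name, etc.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    folded = _fold(password)
    # Test both the folded password and its de-leeted form, so that '123456'
    # is caught literally and 'P@ssw0rd' is caught as 'password'.
    candidates = {folded, folded.translate(LEET_MAP)}
    banned = BANNED_TERMS | {_fold(t) for t in context_terms}
    for term in sorted(banned):
        if any(term in candidate for candidate in candidates):
            reasons.append(f"contains banned term '{term}'")
    return reasons


def demo() -> dict:
    """Run a few constructed samples through the policy."""
    samples = ["P@ssw0rd2020!", "Welcome1", "correct horse battery staple",
               "Tr0ub4dor&3", "short"]
    return {sample: check_password(sample) for sample in samples}


if __name__ == "__main__":
    for sample, reasons in demo().items():
        print(f"{sample!r}: {'OK' if not reasons else '; '.join(reasons)}")
```

Note what passes and what fails: the long passphrase “correct horse battery staple” is accepted without a single digit or symbol, while “P@ssw0rd2020!”, which satisfies every classic complexity rule, is rejected. Substring matching is deliberate; it is what keeps “Welcome1” and “MyPassword99” out as well as the bare word.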

Security is a moving target. Cybercriminals get more advanced every day. To protect your data as much as possible, it is essential that every employee make cybersecurity a top priority. Stay on top of the latest attack trends and the prevention strategies available to you. Your business depends on it.

To find out more about how your business can implement some or all of these security recommendations, please get in contact.